Slashdot Mirror


User: TuxGrep

TuxGrep's activity in the archive.

Stories
0
Comments
45
First seen
Last seen

Comments · 45

  1. Re:My Experience with Smoothwall's Richard on SmoothWall Firewall Review · · Score: 1

    LOL !

    Maybe someone should sell a SmoothWall to Bernie. I'm betting he will mail his firewall for its snail-mail address and threaten to subpoena it for caching those web pages with defamatory material.
    Eventually, he will probably subpoena his firewall's uplink provider to cease and desist and urge them to cut the link. Or, maybe he could just go to irc.smoothwall.org and then we can all sit back and watch those two pitbulls have a go at each other... rotfl

  2. Re:you assume complete security from the inside on SmoothWall Firewall Review · · Score: 1

    I can tell the difference between a firewall and anti-virus software. You also assume that all the machines behind my firewall are Windows boxes.

    First, there could be other ways to gain access. Think kernel bugs, malformed packets exploiting weaknesses in iptables/ipchains, etc. Jeez... come to think of it, we experienced both of these fairly recently, didn't we ?

    But I digress. For attacks from the inside, Windows boxes are no necessity. A really underestimated threat is people from the inside; whether disgruntled / curious / gullible / whatever is beside the point. Second, other OSes' applications have their vulnerabilities too. Keywords: java / javascript / irc-script / p2p-clients, you name it. Not as abundant as for Windows, sure, but still far from nonexistent.

  3. Re:Excuses on SmoothWall Firewall Review · · Score: 1

    There are two separate issues at hand:

    * system does not use shadow passwords for local access.

    * system stores ppp password in a world-readable file.

    Thus, there is no contest to needing the password in the pap-secrets file in plaintext, but there IS one regarding the file permissions on said file.

    The shadow issue is another one, albeit at least as important as the former IMHO.

  4. Re:OT:Re:The smoothwall team is full of GREAT IDEA on SmoothWall Firewall Review · · Score: 1

    Sure, when taken very literally I fully agree with you: IF root is guaranteed the only user, any file permission settings are moot.

    However, the point I'd like to make is this: Who DOES guarantee that there is no way whatsoever that a non-root user gets in ? I'm not intimately familiar with smoothwall, but there are numerous services that run as different users than root and may (in future?) prove exploitable. Think MTAs, bind, apache et al., ntpd, whatever. I'm not saying Smoothwall uses these services, I'm just saying they might be.

    Things get even more complicated when two different exploits can be combined; for instance the recent kernel bug (related to IPfiltering) combined with an exploitable local service "that only runs on the inside interface".
    This is not academic, stuff like this is really possible, maybe even happening as we speak.

    In any event, not using shadow passwords takes away one barrier. Just one maybe, but it still theoretically weakens the setup.

  5. Re:OT:Re:The smoothwall team is full of GREAT IDEA on SmoothWall Firewall Review · · Score: 1

    Well, yeah, LIDS is difficult to defeat.

    But ask yourself this question: would you trust a guy that goes to great lengths (LIDS) to ensure security yet omits even the simplest basic things (shadow, file permissions) while doing it ?
    Would you trust him to implement LIDS in a safe manner ? Maybe he "forgets" some important settings somewhere "because that's irrelevant".

    To me this sounds like hiring 3 well-armed bodyguards for some personal protection, while walking around with sticks of dynamite strapped to your chest. If you permit my analogy.

    Security starts at the basics, or not at all.

  6. Re:well done /. community on SmoothWall Firewall Review · · Score: 1

    > I've not been to bed for 47 hrs

    Thanks, that -might- explain the attitude...

    > not needed thanks

    "I know best myself, keep your advice to yourself" ?

    > I'm not doing any more GPL stuff

    Oh, I'm sure you'll be greatly missed with this approach.

    > fuck the community

    Back to you then

    > they blew it

    Don't believe in the free press and in peer review, then ? Who blew it, exactly ?

    > I've gone proprietary

    Your security approach kind of warrants a great future in the "proprietary" world, I'll bet.

    > no more GPL

    No more Smoothwall

    Sorry, but this guy's social skills need to get a makeover, therefore I replied in similar wording. I'm not usually this blunt, but in this case I gladly made an exception.

  7. Smoothwall missed the boat on this one on SmoothWall Firewall Review · · Score: 1

    This is IMHO a bad answer, real bad. If anything, it clearly demonstrates Smoothwall's disregard for very basic security rules, laid out way way back, and agreed upon by most, if not all, experts.

    First, security isn't something you can buy in a black box, it is a fine-grained process with different levels. One cannot disregard it on one level "just because it is dealt with on another level". Case in point, the lack of shadow passwords. On one hand, every little exploit in ANY running service (and history has proven there always comes along an exploit, whether sooner or later) will immediately escalate to a full root exploit because of the readable password file. Nowadays computers can brute-force crack a crypt password in very little time...

    But, it gets even more dubious; why in the world has Smoothwall chosen to disable a mechanism that is SO standard nowadays that (probably) all linux distributions on earth have implemented it ?
    That must be one hell of a good reason to be worth it...

    Saying "But only root has access so what's the problem anyways?" is symptomatic of general bad security decisions, ones like "I don't secure the machines on my LAN because I have a firewall, don't I ?", "I click blindly on any and all attachments because I use a virus scanner." and "I don't need burglary insurance because I have perfect locks."

    Sorry, but in my opinion you missed the boat big time, Smoothwall. Your mileage may vary of course, but this is my personal opinion.
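    The two misconfigurations argued over in comments 3, 4 and 7 above (password hashes kept in the world-readable passwd file instead of a shadow file, and a PPP secrets file readable by everyone) are the kind of thing a defender would check with a short audit script. The following is an added example, not code from the thread, from Smoothwall or from any other project; the passwd lines and file modes are constructed sample data (the hash string is a placeholder, not a real hash), and the list of secret paths is an assumption chosen to match the discussion.

```python
"""Added audit example: flag unshadowed password hashes and world-readable secret files."""
import stat
from dataclasses import dataclass

# Constructed sample /etc/passwd lines. The root entry carries a placeholder hash
# in field 2 (the situation the thread complains about); the others are shadowed
# ("x") or locked ("*").
SAMPLE_PASSWD = [
    "root:$1$saltsalt$PLACEHOLDERHASHNOTREAL0000:0:0:root:/root:/bin/bash",
    "nobody:x:99:99:Nobody:/:/bin/false",
    "ppp:*:500:500:PPP dialout:/var/run/ppp:/bin/false",
    "# a comment line, ignored",
]


@dataclass(frozen=True)
class FileEntry:
    """A path together with its permission bits (e.g. 0o600), as os.stat would report."""
    path: str
    mode: int


# Constructed sample file modes; pap-secrets is deliberately world-readable.
SAMPLE_FILES = [
    FileEntry("/etc/passwd", 0o644),
    FileEntry("/etc/shadow", 0o600),
    FileEntry("/etc/ppp/pap-secrets", 0o644),
    FileEntry("/etc/ppp/chap-secrets", 0o600),
]

# Assumed list of files that must never be readable by "other".
SECRET_PATHS = frozenset({"/etc/shadow", "/etc/ppp/pap-secrets", "/etc/ppp/chap-secrets"})

SHADOWED = "x"            # field 2 value meaning "hash lives in /etc/shadow"
LOCKED = {"*", "!", "!!"}  # field 2 values meaning "no password login possible"


def unshadowed_accounts(passwd_lines):
    """Return usernames whose passwd entry exposes a hash (or an empty password)
    in the world-readable passwd file instead of deferring to the shadow file."""
    exposed = []
    for raw in passwd_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed entry; not our concern here
            continue
        user, pw = fields[0], fields[1]
        if pw != SHADOWED and pw not in LOCKED:
            exposed.append(user)
    return exposed


def world_readable_secrets(entries, secret_paths=SECRET_PATHS):
    """Return the secret files whose mode grants read access to 'other'."""
    return [e.path for e in entries
            if e.path in secret_paths and e.mode & stat.S_IROTH]


def audit(passwd_lines, entries, secret_paths=SECRET_PATHS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for user in unshadowed_accounts(passwd_lines):
        findings.append(f"passwd hash exposed: {user}")
    for path in world_readable_secrets(entries, secret_paths):
        findings.append(f"world-readable secret file: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_FILES):
        print(finding)
```

    To run this against a live host you would read /etc/passwd for the first check and build each FileEntry from `os.stat(path).st_mode & 0o777` for the second; the sample data above stands in for both so the script runs offline.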

  8. Re:My experience with a copy-protected CD audio on Restricted CDs Quietly Distributed · · Score: 1

    From a technical point of view, the fact that the CD-ROM played it okay is interesting...
    I gathered that CD-ROMs don't have the specific error correction CD audio players have (even when playing instead of ripping). Was I misinformed ?

  9. Re:Some Copy protection Details on Restricted CDs Quietly Distributed · · Score: 2

    Nice explanation !

    This however leaves only one question to ask: who is stopping anyone from implementing Reed-Solomon error correction in software, correcting the ripped audio on the fly before it is written as a .wav file ?

    I believe such code might be VERY CPU-intensive, but in this era of realtime video decoding and SSE / 3DNow equipped CPUs that should no longer be a problem, right ?

    P.S. Did posting this idea make me guilty of breaking the DMCA ? Because, I'd like to visit the US sometime. It'd be a pity... ;-\

  10. That is way too expensive on Georgia Sues RC5 User For $415,000 · · Score: 2

    Correct me if I'm wrong but, I cannot imagine ANY means of connecting to the internet being THAT expensive.

    Even if you'd use a dialup, and dial long-distance with that to boot, the costs would not be even close to 59 cents per second (which is 59x60x60=$2124 per hour!!!).

    How did they come up with those figures ?!?

  11. Re:What about spam? on Georgia Sues RC5 User For $415,000 · · Score: 1

    > Actually you don't have any rights to do
    > anything with any computer system except as
    > specifically authorized.

    Well let's see... If I am contracted to administer a computer, I'm not going to check with management if I'm allowed to run various programs (think ifconfig, vi, less, rm, mv...) because that is essential to my work there. Thus, authorization to use the various computers' binaries is IMPLICIT.

    That is notwithstanding the fact that I am obliged (in case of doubt) to prove that all I did was reasonably necessary for me to do my job, and do it in a good manner, too. In this case, the binary was probably neither pre-installed, nor productive, and possibly arguably counter-productive even. So, I think this was not proper use, I'd have to agree with you.

    However, your point that one would need authorization for everything cannot be upheld: it would create an unworkable situation.

  12. adventurous on Where Does Microsoft Want You to Go Today? · · Score: 1

    Well, it makes your browsing quite adventurous...

    Please stop this shit ! Wake me up ! Help ! Help ! ;-|

  13. Re:SMDI an Impossible task? I'm afraid not. on Companies Abandon The Sinking Ship That Is SDMI · · Score: 1

    I _will_ pay for products, _if_ I'm not feeling cheated by the seller.
    What is the current price for a music CD in the US ? I'll tell you what we (Europe; Netherlands) have to pay: Hfl. 44 which translates to, uhm, 20 Euro. I'm not too sure what the Dollar does nowadays in respect to the Euro, but they're not too far apart. If that isn't bad enough, look up the price of a blank CD and do the math.

    This industry has, for the past 15 years, charged us way too much money for their products. Classical albums, which are royalty-free, are even more expensive than "normal" albums, etc., etc. Doesn't that make you think something is up...?
    They get NO sympathy from me, for all I care they can all go bankrupt in the next five years, I'm totally fed up with this.

  14. head-hunting on Employers Who Hold Back Their Employees? · · Score: 1

    I do not agree. First, competition in -especially- the gaming industry is very tough; so much so that maybe prospective new employers are not exactly interested in the employees themselves, but in what they know about their former employer and its products.
    Secondly, I think that head-hunting is a serious problem for some employers. And in this case, it isn't like the company is forbidding its staff to look elsewhere, it's shielding the staff from all too enthusiastic competition.
    Don't you agree that it's rather the prerogative of the employee to start "looking around", instead of having competitors luring people away, people that just might be quite happy where they are ?

  15. Re:Phoney Baloney on Nokia's Linux Based Xbox Competitor · · Score: 1

    Nokia makes a profit from their GSMs, don't they ?
    Still, those phones are more or less given away by service providers, which may be the key point here too.

    I think you shouldn't focus on the game features, but on the whole picture:
    It is, or rather will be, a DVD player, a TiVo-like device, a set-top box, an internet appliance, AND a game box to boot.
    One of Nokia's important markets will probably be TV cable companies. Couple that with the gigantic potential in marketing and distribution Nokia already has and with all the features of the box, and this could just work nicely. Quite nicely even...

  16. Re:Finally, someone with half a brain!! on Nokia's Linux Based Xbox Competitor · · Score: 1

    Ehm... To me "open hardware" means not "everyone and his brother can and will mess with the specs" (so all clones would be incompatible to each other) but rather "all specs of the hardware are fully open", thus facilitating writing software / APIs that drive it.

    But of course, one can definitely argue over what "open" means in this context...

  17. Re:You wanna beat these things? on Europe To Adopt Strict Internet Copyright Law · · Score: 1

    Come to think of it,

    This proposal just may have even worse implications than I initially thought...

    If you study it, wouldn't this make "attempting to repair any electronics device" illegal, WHEN you're not using the schematic ?
    Because, that is reverse-engineering, too.
    Imagine you cannot legally repair your TV by 'reverse-engineering' all the wiring connections.
    I don't think that is so different.

    Where would one draw the line ?
    At age 3, I personally reverse-engineered a flashlight to find that if either the switch, battery or bulb is absent, it won't function. ;-)

  18. Just use any another account somewhere on Contacting Network Admins Of Large Internet Companies? · · Score: 1

    Wouldn't an email to [postmaster|hostmaster|noc|admin|root]@home.com
    from any account at another ISP that isn't filtered by @home solve this problem rather easily...?
    I'm sure any admin usually has multiple accounts all over the place.

  19. Re:Hmm.. on KDE Developer on the GNOME Foundation · · Score: 1

    I never really chose between them. I was totally stunned and excited by the KDE movement when it started and since then I always stuck to it, from Beta 2 onwards. Already at Beta 3 I installed it on our business' development machines and it kinda stuck there. Partly because it is very easy to migrate to for Windows users, partly because -even that early- it was really quite stable, and perfectly usable.

    I guess the first attempt to install Gnome (gtk+ more precisely) -long ago- failing miserably sealed Gnome's fate in my case... Mea culpa I guess, but as time is scarce, I never got around to it anymore, but okay, that's no excuse.

    KDE works for me. I disliked the licensing wars, and I *really* dislike the tendency to knock KDE "because it is too windows-ish". As if that could ever be a valid point. Choose on merit, not on resemblance. One does not judge DVD disks by ascertaining that they resemble CDroms, or does one ?

    my 0.02 euro

  20. This doesn't prove jack shit on Fred Moody Says Linux Worst Operating System Ever · · Score: 1

    So, basically, he's saying (analogy) that a city that has 10.000 criminals arrested yearly is a much LESS safe place than one where only 100 arrests are made per year.
    The question is, who is to say that the police in the second city are trying hard enough to find criminals ?
    Maybe they're all still on the streets, not hampered by any law enforcement agency whatsoever.
    Or maybe the city plan is SO complex and illogical that the police get lost all the time trying to find their way.
    It's all FUD...