Hrm. I'm gonna have to disagree with this one. Fraud can and did cost many people their pensions, and that is painful. But I would rather lose all my money than be forced to jump from the 100th floor of a flaming building.
With commands like 'kill', 'killall', 'bash', 'dig', 'cut' and 'wipe' we have clearly frightened our legislators. And with commands like 'head', 'tail', 'latex' and 'gawk' they think we are perverts too.
I understand your hesitance and agree that such a scenario would be bad. Except - give me a root shell on any OS and I own it. Unless that changes, they can fuck with the GUI all they want.
if you think that kind of policy is useful at stopping _malicious_ user activity, you're completely in dream land. Users have _PHYSICAL ACCESS_ to their machines. There's nothing that the IT dept can do to stop them from installing or using anything they want on their machines. A competent malicious user will do anything they want on that machine.
The purpose of a policy is not to prevent, but to prohibit. If a user violates the policy, there is something in writing that says they can be terminated.
Like it or not, most compromises come from inside, most likely for the very reason you mention - users have physical access to their machines. However, you are incorrect that nothing can be done about that. BIOS passwords can be set, cases can be locked, floppy drives can be disabled, and machines can be physically located in full view of supervisors and other employees to ensure that no one tampers with them. These measures are not meant to assume that everyone is going to try to go around them, but to offer deterrence when someone thinks about trying.
Access control can and should be used to prevent users from having privileges to install applications on their own.
All the IT dept can do is try and limit the fallout from _accidental_ user mistakes, set up a good secure network architecture & provide some competent monitoring to try and discover if anything out of the ordinary is occurring.
This comment is enough reason to prevent you from working in computer security at any company. Management can't rely upon good intentions of the workers. Monitoring is important, but that does not replace the importance of controlling access.
How do you expect HIDS to prevent virii from infecting local machines when any user can bring any program into the building and install it from floppy or CD?
I didn't mean that "personal firewalls" have absolutely no merit - they can detect when an app tries to access the Internet, and they are better than nothing. I actually recommend them to clients in Win32-only shops where otherwise they are only protected by their router.
I appreciate that he is trying to improve open source by poking at the least developed parts and inspire improvement. However, I have a few responses about some of these points:
2. Prompting for filesystem scan. If someone is kicking the power cord out of your system - desktop or server, you have other issues than whether to hit <y> to delete an inode.
4. Make it easier for the user to find out how to do things. Nautilus already does a nice job of this, and can be built upon.
5. Cleaner redraws. I really don't see that problem and my computer (PIII@500) is probably slower than most /. users'. I do have a 64 MB GeForce2, but that is by no means a cutting edge card. Older hardware may have problems, but I have to say that with prices the way they are and will continue to be this problem will be solved simply by time, if it really even exists.
6. Die stray processes, die. I think proc.s do a pretty good job of cleaning up behind themselves on Linux - better than on Windows. Rebooting fixes this and MS users are used to that. I really can't comment more other than saying I run procexp on NT to clean up manually and only reboot every 3 weeks or so and I never even have to think about this on Linux.
7. Sharing files. *sigh* I am a security prof. so I really don't like the idea of easily opening up fileshares, but hey, if that is what users want go right ahead. XP does this fairly well, making you click a message that states you understand the security risks involved in sharing a volume. Maybe a default, read-only single user share could be enabled with a click after the user is presented with a warning.
8. Sound support - this was fixed a long time ago, wasn't it? The last several distros I installed have found my sound card and made playing CD's and mp3's almost automatic. OK - I had to tell XMMS which sound output to use. No biggie.
10. X configuration. It would be nice to use a windows style slide to select resolution and a drop-down for the number of colors. Users will really like that.
The problem isn't that you are fixing your machine. The problem is that IT should be preventing you from doing so, and should be held accountable if they are unable to do it themselves.
Your company *ought* to have a computer use policy that prohibits you from installing software, making changes that exceed your privileges, or trying to escalate privileges yourself beyond those provided. You should always be able to request privilege escalation when your job functions require it, but your system should be locked down to prevent malicious user activity.
Most compromises of computer and network security come from within a company and your company is apparently not addressing that fact. Not to mention they can't fix a problem in the first place. Sorry to hear that.
How about a kind of drag-net that is pulled along by two or three satellites at similar orbit and hangs toward Earth on the lower end. Might be trickier to draw together effectively, tho.
It seems the best way to start is by collecting the debris into repositories. I would suggest using some sort of netting that can be spanned between collector satellites (four - one on each corner) and moved in sync to sweep paths along hotspots clean. Then bring the corners together and draw a perimeter string closed for packaging.
What NASA needs to do from that point depends on what they want with the junk. Just launching it out of orbit or toward the moon won't make the problem go away. Maybe there is a way to incinerate the collected garbage while in orbit. Just as long as flaming debris doesn't come back our way.
at least my computer doesn't consistently bluescreen anymore
You brought your computer to work? That PC probably doesn't belong to you, but to your company. If the antivirus is causing a problem, open a problem ticket with your company's IT department, or complain to your manager if the IT department is unresponsive.
Antivirus sucks - get used to it. I recently rebuilt a machine for a client who was hit with the 'E' variant of klez and it wrecked every data file and most system files on his local drive. If properly deployed on decent hardware, AV software (I recommend NAV) is tolerable - and NECESSARY!
Corporations have no choice but to deploy AV software, and that is their decision, not yours. If your uptime is affected, get used to opening problem tickets and putting your feet up until it gets fixed - or find a job working for a company whose IT department has a damn clue.
IMO this is the most insightful comment about this article that I have read. You are exactly on point.
IDS is not a simple technology and anyone who expects to filter and analyze WAN traffic with the click of a mouse should scurry away with their MCSE between their legs. IDS takes tuning. Snort was originally written with the intent that its users would write their own rules to adapt to their own environments. (Apologies to Marty if I am not 100% accurate here.) Instead, so many excellent rules have been written and distributed that the work has been done already for most of us and the project has grown stable and accurate enough to go commercial - and compete impressively.
IDS is a science and an art, not a prepackaged app that you can stick a label on: "good", "fair", "sucks!". YMMV according to the time and research you invest in making the product work to its full potential.
In smaller shops, yes the admin should be responsible for securing pretty much everything IT related - workstations, servers, mail, applications, what-have-you.
However, security is an expansive and important part of IT and in larger organizations, the admin should be the admin and security should be handled by security personnel.
and then I realized I already have nine computers at home. Now if they offered it on T.V. and said the girl with the pretty smile was waiting to take my credit card info... THEN I would be persuaded.
videolan is good, but i prefer ogle. menus work flawlessly and, like videolan, no fbi bs
Haven't any of their editors seen a magazine cover in the last two years?
My penis is 12" long
Do we have to get into this whole inches vs. centimeters discussion *again*?
USENET, just like for everything else. comp.os.ms-windows.*
More like buy a cheap box like a PII or even Pentium (like $100). One beauty of Linux is you don't need a P4 to run it, especially as a router.
That does it - I'm gonna patent the letter "o" so every time Microsoft, Oracle or Forgent uses their name they have to pay me a royalty :P
a long list of security issues for Linux (as many, if not more, than Windows)
The Linux kernel has more issues? No. Applications that run on Linux? Possibly. Now compare the number of apps on each platform. Linux is more secure than Windows if you:
a. do not install tons of server programs that you are not going to run
b. use tcpwrappers to initiate programs that can use it and use hosts.[allow/deny] to control access to those programs.
c. use Bastille to harden the box
d. use ipchains/tables to control access to your PC or network - don't feed me crap about a personal firewall; this is an actual firewall.
just my $.02
Just in case you were somewhat serious, yes! You can use a load balancer and tap even 1 Gb traffic.
Tried to take my 10 yr old nephew on Friday night, but it was sold out praise God. Went to Scooby Doo for the second time instead. Mmm Daphne Buffy.
I bet he said, "Bite my shiny metal ass!"
... 3:00 a.m. - time to wardial Jimmy again ...
No different to a normal phone though
One difference. You can put a normal phone down and walk away. For this one you need pliers.