Slashdot Mirror


User: Nonesuch

Nonesuch's activity in the archive.

Stories: 0
Comments: 989

Comments · 989

  1. Re:Wow.... on Felony Charges For H.S. Hacking · · Score: 1
    mpe wrote:
    Is there any reason why the injured student (or their parents) did not go to the police?

    Schools strongly discourage "bringing the police into it..."

    In my experience, the policy was that if the victim goes to the police, the victim gets suspended from school.

  2. LinkedIn on Firefox Extension for Applied Social Networking · · Score: 1
    So far I've had a only good experiences with LinkedIn, which is a business-centric social networking site.

    They're trying to become more commercial lately, so it's possible the service might become less useful for non-paying members, but no sign of that yet beyond certain new limitations on free "groups" features.

    Most importantly, no spam!

  3. Aiptek IS-DV on sale at Target on Disposable Camcorder · · Score: 1
    Thanks for the heads-up, that is an interesting product, at a cheap price.

    I probably won't buy one, basing my decision in part on this review. Instead I'll save my money and buy a "prosumer" DV camcorder with Firewire and MPEG2.

  4. Disco Stu doesn't advertise on OpenBSD 3.7 Released · · Score: 1
    xbsd wrote:
    ...compare against the testimonies in the OpenBSD website. http://www.openbsd.org/users.html
    Except that perhaps many of the largest users of an OS designed as "proactively secure" might maybe be paranoid enough about security not to announce their choice on a public web page?

  5. Interesting, but not all that new. on Tunneling Shellcode with ActiveX · · Score: 1
    There have been a limited number of malicious applications (keyloggers, spyware) which have been able to take advantage of the IE proxy settings and standard explorer DLL's to "phone home" in an environment where outbound access is restricted.

    This paper appears to document the same basic problem, and is strictly a difference of degree, not kind.

  6. Fired for giving notice on How to Leave a Job on Good Terms? · · Score: 1
    By the same token, if you give notice that you intend to quit, your boss has the right to fire you immediately (but still has to pay any back pay he owes you and/or unused vacation time).
    It's better than that, at least in most states.

    If you leave voluntarily or are fired "for cause", you cannot collect unemployment.

    If you give notice that you intend to leave voluntarily, and your boss chooses to instead fire you before the date you state in your notice, that does not qualify as "for cause" nor as "leaving voluntarily", and you can collect unemployment. This has been upheld by several court cases.

    When former employees collect unemployment compensation, the unemployment insurance rate paid by their former employer increases. So always file for unemployment if you are eligible.

  7. Re:Why include the info on the chip at all? on Passport Chip Could Attract High-Tech Muggers · · Score: 2, Insightful
    They don't have to share all the data. They can set it up on a virtual network connected to the US computers. They send the information for only the specific passport requested.

    Thus no foreign place would have more information than the current procedure.

    This does open up the possibility of fishing -- remote customs database clients sending info requests for the passport info on people who are not actually present.

    There's an easy fix for that risk -- embed a smartchip in the passport with public key crypto support, so when I go to a foreign border, their reader can query my passport, and get back a cryptographic key (challenge, etc). They then sign this with their public key and forward to US Customs. When decrypted the passport datablock says "I am Nonesuch's passport, tell the nice people at the Canadian Border what you are willing to share about Mr. Nonesuch".

  8. Re:Surely this is really easy for google to fix? on Google 302 Exploit Knocks Sites Out · · Score: 1
    adrianbaugh writes:
    Why don't they just make their spider lie about its identity, the same way that mozilla and konqueror can do?
    Because that would be unethical?

    Also, because it wouldn't solve the problem. Changing the user-agent would just make it slightly more difficult for websites to determine that the client is google (source IP, PoF, robots.txt, etc could all reveal that).

    I just don't see why a website should need to know that a spider rather than a browser is looking at it
    Websites do need to know that a spider is looking at it, and the RFCs require that a legitimate well-behaved spider fetch and obey robots.txt and identify itself in the user-agent string.

    Yes, there are evil spiders, but it is a little late in the game for Google to turn evil, they'd face an immense backlash if they tried.
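    The robots.txt compliance that comment 8 describes for a well-behaved spider (fetch the file, honour its rules for the spider's own identity, and send an honest User-Agent), as an added Python example that is not code from the original comments. The spider name "ExampleBot", the second bot name "OtherBot", the robots.txt text and every URL are constructed assumptions; the evaluation itself uses the standard library's urllib.robotparser.

```python
"""A well-behaved spider identifies itself and honours robots.txt before fetching.

Added example; the spider names, the robots.txt text and the URLs are constructed.
"""
from urllib.robotparser import RobotFileParser

# Constructed identity string; a site can write rules for "ExampleBot" only if
# the spider sends this honestly.
SPIDER_UA = "ExampleBot/1.0 (+https://example.invalid/bot)"

# Constructed robots.txt: everyone is kept out of /admin/, and the named spider
# is additionally kept out of /private/ and asked to wait between requests.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/

User-agent: ExampleBot
Disallow: /private/
Disallow: /admin/
Crawl-delay: 5
"""

# Constructed candidate URLs for a crawl of the (non-existent) example host.
URLS = [
    "https://example.invalid/",
    "https://example.invalid/public/page",
    "https://example.invalid/private/report",
    "https://example.invalid/admin/users",
]


def load_rules(robots_text: str) -> RobotFileParser:
    """Parse robots.txt content that was already fetched (offline here)."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def may_fetch(rp: RobotFileParser, url: str, user_agent: str = SPIDER_UA) -> bool:
    """True if the rules that apply to this user-agent permit the URL."""
    return rp.can_fetch(user_agent, url)


def politeness_delay(rp: RobotFileParser, user_agent: str = SPIDER_UA) -> int:
    """Seconds the site asked this spider to wait between requests (0 if unset)."""
    return rp.crawl_delay(user_agent) or 0


def plan_crawl(rp: RobotFileParser, urls, user_agent: str = SPIDER_UA):
    """Split candidate URLs into (allowed, denied) for the identified spider."""
    allowed, denied = [], []
    for url in urls:
        (allowed if may_fetch(rp, url, user_agent) else denied).append(url)
    return allowed, denied


def request_headers(user_agent: str = SPIDER_UA) -> dict:
    """Headers the spider would send: the identity must match the robots rules."""
    return {"User-Agent": user_agent}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_ROBOTS)
    ok, no = plan_crawl(rules, URLS)
    print("delay:", politeness_delay(rules), "s")
    print("allowed:", ok)
    print("denied:", no)
```

    Because the site's rules are keyed on the identity the spider announces, a spider that sent a different User-Agent would be evaluated against the generic "*" group instead of the rules written for it; the check is only meaningful together with honest identification.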

  9. When your paycheck fails to clear. on When Should You Quit Your Job? · · Score: 2, Informative
    If your employer misses payroll, it's time to take a hike.

    True even if (especially if) you are self-employed.

  10. Blocking GoToMyPC on Easy Remote Access? · · Score: 1
    Were I a system administrator, I would null route all of these services at the firewall, and would log any attempt to access them from within my network and kill the connection of the PC that attempted them - then proceed to LART the user that did so in a fashion that would make the BOFH wince. Their main purpose is to allow stupid lusers to do an end-run around the "meeny stupid-head network admin who won't let me access MY computer" (because he is doing his job of maintaining network security).
    Although not a replacement for null-routing, GoToMyPC offers a free service where a company can register their Internet address blocks with GoToMyPC as not being permitted to register with the service.

    Any attempts to connect to the poll.gotomypc.com server are refused, and queries are redirected to the appropriate contact inside your company.

    LogMeIn doesn't have an equivalent free service, they do provide something called "LogMeIn Scout" which claims to scan your network for remote access apps.

  11. Port knocking? on Just How Paranoid Are You? · · Score: 1
    Once I get that working, I might try out port knocking so I can allow an arbitrary IP address through the firewall when I'm out and about and want to use my machine.
    I am not a fan of port-knocking.

    Just stick an IPSEC gateway in front of your machine, and only allow inbound SSH from traffic that passed through the IPSEC gateway.
    Simple, auditable, and secure.

  12. Re:OpenBSD server on Just How Paranoid Are You? · · Score: 2, Insightful
    I have a box dedicated to file storage only. I secure it in the following manner (well, in the process of doing so.) 1. I run OpenBSD and know how to admin it. It runs ONLY SSH and Samba...
    Where the OpenBSD site says "Only one remote hole in the default install, in more than 8 years!", that "one remote hole" was in SSH (because Samba is not enabled in the default install).

    3. Connections to the machine are made via SSH, you must have both a password and a PK authentication. The client has to port forward the appropriate ports for Samba to work.
    4. Firewall scrubs packets (prevents some potential TCP/IP exploit tricks) and only allows connections to and from my internal network and my machine at work from the outside.
    So an attacker with a new "0-day" exploit against OpenSSH who also owns your work network, or any router in between your work and your home, can own your box. Relatively low-risk.

  13. Re:Detection and "termination" of tunnelling clien on Independent Developer Projects in the Workplace? · · Score: 1
    I just ran an analysis of long-lived sessions covering the past week (we kill all TCP/IP sessions that run longer than 200,000 seconds), and every single HTTPS (TCP/443) session which lasted longer than 86,400 seconds was Instant Messaging... mostly AIM, some Yahoo.
    Please note that I wrote: tunneling over HTTPS, not HTTP. I.e., over TCP/443, encrypted by SSL. Actually, in our case users most often use proxies; i.e., they tunnel over CONNECT requests. Snort signatures don't help a bit here, neither does "censorware".
    The majority of the unusual TCP/443 weirdness isn't really SSL -- the client does send a "CONNECT", but then doesn't actually use SSL negotiation inside that session, they use the open socket to talk the native protocol "in the clear". So a Snort signature for SSH would still see SSH negotiation happening on port 443, and alert on that anomaly.

    Where "Censorware" comes in handy is in taking the destination IP address of that CONNECT message and telling you the classification/reputation of that hostname or IP address -- is that an online banking firm, a "proxy avoidance" tunnel service, or a porn site?

    For the record: I'm not interested in catching people because they `skipped work' or whatever they are doing outside. IMO, this is a matter for their supervisor -- any supervisor who doesn't recognize that his staff isn't working on their assignments isn't worth his salary anyhow and will be cheated on. Nor am I interested in outbound connections -- there are lots of possibilities to get data out of house. I'm really worried about reverse tunneling, where people connect from the outside back into the Intranet, bypassing all security checks.
    Yeah, that's a real issue. Of course we see more incidents of that with services like GoToMyPC, LogMeIn, or "WebEx Remote Support" than with smart insiders setting up their own tunnels...

    An example case: I had the case of a sysadmin who automatically connected every 15 minutes to his home machine, enabling himself to log in back to his work system via reverse tunneling. It was `to be able to check for problems'. He didn't want to use the available VPN solution (CP SecureClient) because we forbid routing on the VPN client side and he wanted arbitrary routing into his home network. (And thus with two hops from the Internet into the company backbone...) If it hadn't been for the regularity -- i.e., if he had used a more irregular connection pattern -- and if it hadn't been a separately protected and checked department network, we wouldn't have recognized him for a long time.
    I feed proxy logs through a set of custom perl scripts which report on the top resource users, including inbound/outbound/session count/duration and the like, but not timing patterns like this... yet.

    If you want to discuss this further, feel free to email, the address given in my profile is valid.

  14. Re:Tunneling to home to work on personal projects. on Independent Developer Projects in the Workplace? · · Score: 1
    (1) Almost no session lasts as long, they're interrupted before. (2) Besides, there are a lot of valid long-running HTTPS (most of them are Web Service connections) and ssh connections. Even if I'm checking `just' the multi-hour connections, it's still several thousand per day. (I don't talk about solutions for small or mid-sized companies. This should have been clear from my OP already.) (3) And in the global networks of our clients, 8 to 5 does not cut it either -- which timezone? Matching internal IPs to timezones is almost impossible (read: not cost effective).
    How big a company are you talking about? tens of thousands of clients? more?

    Looking at logs for big corporation outbound HTTP/HTTPS sessions, only 0.1% of "web" TCP/IP connections stay active for longer than ten minutes, and sessions lasting five or more hours are a tiny fraction of those.

    You can eliminate the majority of the false positives by looking at the destination IP and destination port (assuming paypal.com doesn't have a tunnel server listening on TCP/443) or even just interviewing the employee who uses the workstation initiating the unusual traffic.

  15. Detection and "termination" of tunnelling clients on Independent Developer Projects in the Workplace? · · Score: 1
    Minimal effort means automatically, since no manual check of outbound communication can be done in any realistic setting. I.e., one needs to detect timing patterns in communication that's different from normal traffic: If one has thousands of https connections, one can't check them all, to see which ones carry an ssh connection that has itself tunnels and which ones won't. One needs monitoring tools for this. Signature-based IDSs like snort or ISS Real-Secure don't cut it for that task: too many false positives since timing-based signatures are notoriously difficult to create; been there, done that.
    It's trivial to set up a Snort signature to look for SSH negotiation on what is supposed to be a HTTPS session; smart people would tunnel SSH inside SSL to get around this, but that takes extra effort, which just makes them look that much more "guilty" when they finally do get caught.
    Therefore: I'm looking for such monitoring tools to detect tunneling automatically.
    To be honest, I find it much easier to post-process long term logs of firewall permitted sessions, find the users who show patterns that stand out as unusual, and then start collecting realtime sniffer data and other evidence to determine what they are *really* doing. If it turns out to be benign, the user never knows they were investigated. If not, the packet captures and analysis are handed off to the appropriate internal enforcement group (HR, audit, management, whatever) for resolution.
    Specifically, tunnelling over ssh port forwarding and tunnelling over stunnel (HTTPS proxy forwarder). I would also like to know if that tool prefers false negatives or false positives.
    For starters, invest in some "censorware", web filtering software like Websense. These products, even if not set to block, will categorize your traffic and produce reports showing connections to known "evasion" sites (http-tunnel.com) and also to destinations which are uncategorized or in address ranges assigned to DSL, cablemodem, and other dynamic blocks where you wouldn't expect to find an employee browsing to for a legitimate business reason.
    Since you present yourself as knowledgeable and are surely `worth your salt', you hopefully can enlighten me with pointers to such tools. Even though I've been working for 15 years as a security consultant, I've yet to see something that allows such a discovery task to be done with `minimal effort'. (Of course; I know that the task can be done, but the effort is seldom worth the result.)
    Most of what I have, I've built for customers under contract and cannot publish -- all I can say is that they thought the effort was worth the expense.

    The simple approach to finding people abusing the system is to look for activity that doesn't fit normal patterns of use -- long lived sessions with lots of data flowing in both directions just are not something you normally see on TCP/80 and TCP/443. These patterns indicate something abnormal, usually IM, sometimes something more sinister.
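    The log post-processing that comments 13, 14 and 15 describe (take completed firewall or proxy sessions, pull out the long-lived TCP/80 and TCP/443 connections with heavy traffic in both directions, check whether what is on port 443 is actually SSL or a protocol such as SSH talked in the clear, summarize per source address, and suppress well-known destinations to cut false positives), as an added Python example that is not code from the original comments. The log format, field names, thresholds, the known-good destination list and every address and byte count are constructed assumptions.

```python
"""Post-process firewall session logs to surface long-lived "web" sessions
that look more like tunnels than browsing.

Added example; the record format, thresholds and sample data are constructed.
"""
from collections import defaultdict

# Constructed sample of completed sessions, one per line:
# src_ip dst_ip dst_port duration_s bytes_out bytes_in first_payload_hex
# 160301       = TLS record header (handshake, version 3.1) -> real SSL/TLS
# 5353482d322e30 = "SSH-2.0" banner talked in the clear on a web port
# 474554202f   = "GET /" plain HTTP
SAMPLE_LOG = """\
10.1.1.5  203.0.113.10  443 12    1800    42000   160301
10.1.1.5  203.0.113.10  443 40    2100    56000   160301
10.1.1.7  198.51.100.20 443 90000 5200000 4900000 5353482d322e30
10.1.1.9  192.0.2.30    443 86500 120000  98000   160301
10.1.1.12 203.0.113.44  80  300   900     120000  474554202f
10.1.1.7  198.51.100.20 80  7200  3000000 3100000 5353482d322e30
"""

# Constructed allowlist: destinations you have already vetted (the "paypal.com
# does not run a tunnel server on 443" assumption from comment 14).
KNOWN_GOOD = frozenset({"203.0.113.10"})


def parse_sessions(text: str) -> list:
    """Turn the whitespace-separated records into dicts with typed fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, dur, out_b, in_b, payload_hex = line.split()
        sessions.append({"src": src, "dst": dst, "dport": int(dport),
                         "duration": int(dur), "bytes_out": int(out_b),
                         "bytes_in": int(in_b), "payload": bytes.fromhex(payload_hex)})
    return sessions


def classify_payload(first_bytes: bytes) -> str:
    """Cheap protocol guess from the first bytes the client sent."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "cleartext"


def flag_sessions(sessions, long_seconds=600, bulk_bytes=1_000_000,
                  allowlist=frozenset()):
    """Return (src, dst, dport, reasons) for web-port sessions that stand out."""
    flagged = []
    for s in sessions:
        if s["dport"] not in (80, 443) or s["dst"] in allowlist:
            continue
        reasons = []
        if s["duration"] >= long_seconds:
            reasons.append("long-lived")
        # Browsing is lopsided (small requests, big responses); tunnels are not.
        if s["bytes_out"] >= bulk_bytes and s["bytes_in"] >= bulk_bytes:
            reasons.append("bulk-bidirectional")
        kind = classify_payload(s["payload"])
        if s["dport"] == 443 and kind != "tls":
            reasons.append(f"non-tls-on-443:{kind}")
        if s["dport"] == 80 and kind == "ssh":
            reasons.append("ssh-on-80")
        if reasons:
            flagged.append((s["src"], s["dst"], s["dport"], reasons))
    return flagged


def per_source_summary(sessions) -> dict:
    """Per-source totals, the 'top resource users' report from comment 13."""
    summary = defaultdict(lambda: {"sessions": 0, "duration": 0,
                                   "bytes_out": 0, "bytes_in": 0})
    for s in sessions:
        agg = summary[s["src"]]
        agg["sessions"] += 1
        for key in ("duration", "bytes_out", "bytes_in"):
            agg[key] += s[key]
    return dict(summary)


def long_session_fraction(sessions, long_seconds=600) -> float:
    """Share of sessions at or above the threshold (comment 14's 0.1% figure)."""
    if not sessions:
        return 0.0
    return sum(1 for s in sessions if s["duration"] >= long_seconds) / len(sessions)


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG)
    for hit in flag_sessions(recs, allowlist=KNOWN_GOOD):
        print(*hit)
    for src, agg in sorted(per_source_summary(recs).items(),
                           key=lambda kv: -kv[1]["duration"]):
        print(src, agg)
```

    The flags are only a triage queue: the long TLS session to 192.0.2.30 is the kind of thing comment 13 found to be instant messaging, while the cleartext SSH banners on 443 and 80 from 10.1.1.7 are what the Snort-style check in comment 15 would have alerted on, and both still need the packet capture or the conversation with the user before anyone acts on them.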

  16. Re:Power-smart PCs on LiveJournal Blackout Analysis Online · · Score: 1
    I'm waiting for the day that machines come built such that when the power dies, an emergency battery kicks in just long enough to dump the RAM state to a nonvolatile cache, and then when power resumes, restore the system from there. Like VirtualPC.

    Heck, having that be a user-accessible feature supported by the OS ("Save and Shutdown") would make a lot of sense too.

    Way back in the days of Windows 3.0, there were actually ISA cards available which could provide exactly this feature.

    Some of the "mini" versions of multi-user systems from the 1980s had similar features, so when you accidentally kicked the power cord out from the wall, you didn't abend sessions for the whole department.

  17. Nothing wrong with onboard NICs in "real" servers. on LiveJournal Blackout Analysis Online · · Score: 2, Informative
    Does not mean it's a good idea! Not a single machine where I work uses the on-board NIC, from servers down to desktops. And all of our machines have a two year lifecycle, tops. We generally plug in a 3Com card of some type.
    The smallest of the Sun 1U rackmount Sparc servers do not even have a PCI slot to take a NIC -- no expansion at all, but two on-board 100M interfaces are plenty for most data center deployments of these small boxes.

  18. Re:No UPSes before? on LiveJournal Blackout Analysis Online · · Score: 2, Informative
    I'm surprised that they didn't have their own little UPSes to bring the system down cleanly before. Sure, the facility is supposed to provide power at all times, even if there's a power grid interruption, but that doesn't get tested very often and isn't under your control. Furthermore, in the event that the facility's power is actually going to go out, there isn't any way for the machines to find this out and shut down cleanly.
    Unfortunately, this would defeat the purpose of the "Big Red Button", which is there to quickly and definitively cut off all power to all line-powered devices in the data center.

    When you've got an analyst smoking and twitching next to one of the racks as 110VAC courses through her veins, you don't want to have to go hunting to figure out which UPS is supplying the juice.

  19. Tunneling to home to work on personal projects. on Independent Developer Projects in the Workplace? · · Score: 2, Informative
    AGTiny writes:
    You just need 1 open TCP port to enable an SSH connection to your home machine via your firewall's port forwarding. Then you can create any number of SSH port forwards to handle any kind of traffic you like. As a bonus, it's AES encrypted so your boss can't spy on it. :)
    That works great... right up until the day they terminate you "for cause", resulting in losing not only your primary source of income, but also any chance at severance or collecting unemployment.

    Any network security product or admin worth their salt can detect this kind of "tunnelling" activity with minimal effort. Whether they "choose" to notice this is a different matter, until your productivity drops or an excuse is needed to trim staff.

  20. Treo 650 has swappable battery on HP's New iPAQ hx2755 Reviewed · · Score: 1
    But in any case in my last pda evaluation I once again ran up against an annoyance factor that doesn't go away. I do not like Windows for PDAs, in any shape or form. I like Palm OS much more. But Palm make it hugely difficult to change the battery, even though the basic battery is just an ordinary LiIon. Why? Even the T5, which has flash memory and so can survive battery change, has a battery that requires watch-like dismantling to change. I do not like relying on a device which is only as reliable as a nonexchangeable battery.
    The new Treo 650 has a swappable battery (1800 mAh, $50), switching batteries is just like a cell phone; push a latch, pull off the back panel, swap it out.

    Data will not be lost while the battery is out, the 650 uses NVRAM. Just like a cell phone, you can't maintain an active call or data connection with the battery out :)

  21. X86 serial console on Laptops, Headless Servers and KVMs? · · Score: 1
    There aren't a lot of consumer x86 boards out there which will redirect console to a com port, I have an old PPro board which will do it, but not to the extent it will let you enter and config the bios.
    Pretty much every modern "server" motherboard or complete rackmount PC will have a serial console option in the BIOS. Dell, Compaq, Toshiba, Intel, all have this feature in their servers.

    Now desktop machines, that is another matter. Plus there is the problem that it's tough to accomplish anything in Microsoft Windows without a GUI, though Windows 2003 does address some of these limitations.

    Looking outside x86 however sparc64 would suit you, if there is no keyboard in the system it defaults to terminal via the first serial port (or whatever you set in OpenFirmware)
    HyperSparc, SuperSparc, UltraSparc, they all did/do serial console. Only Sparc based product I can't say for sure had serial console support was the old Tadpole laptop.

    This may be true of other OpenFirmware users (Only Apple springs to mind currently)
    Can anybody provide information on how to set up a Mac G4 OpenFirmware for serial console?

  22. The bootstrap problem on Laptops, Headless Servers and KVMs? · · Score: 1
    How do you do the install if you need to adjust something before your null-modem/network services are loaded? i.e. change bios settings
    You describe one task for which you have to use the KVM ports. But how often do you have to do this? Unless you work for a QA department, not very. Most of the time, you can do everything through the serial port -- if you've had the foresight to make your serial port your console.
    Actually Dell servers, and most other modern X86 and AMD64 servers, provide a BIOS setting to direct even the initial BIOS messages and configuration screens to serial port.

    I'm sure that if you asked nicely, Dell would ship machines pre-configured to serial console, so you never need to have a monitor and keyboard hooked up.

  23. Safeguarding DVDs on New DRM Scheme To Make Current DVD Players Obsolete · · Score: 1
    hal2814 writes:
    I'm still waiting for two features they never brought over from VHS:
    1. A format that will ALWAYS fast forward when I hit the fast forward button. (same with rewind)
    2. A format that will withstand the destructive force of a toddler. (Though I do applaud the DVD's resistance to heat from a car.)
    There's a simple fix to both problems -- a large capacity dvd changer, with a mod chip installed. The PBC (playback control) settings which restrict fast-forward/rewind are disabled as a side-effect of (most) "Region-free" mods.

    If you have a 200 or 400 disk changer locked in a cabinet out of the kid's reach, they can change disks at whim without getting their grubby little hands all over the fragile polycarbonate.

    Upgrade the cabinet a bit, and you can also keep your collection out of the grubby little housebreaking hands of the local crackhead.

  24. Pay more, get less. on New DRM Scheme To Make Current DVD Players Obsolete · · Score: 1
    I'm thinking that if they offered this for cheaper than what we pay now, they would get some sales. For example, I don't like paying around $1 per blank dvd but that's about what I pay. I can get a stack of 50 for $40 and with tax it comes to maybe $.83 or so... but that's three times more than I feel they are worth. I would be quite happy paying $.25 each and would buy a lot more than I do. But even at $.75 I would consider switching and I think a lot of other people would.
    You can do better, single-layer DVD-R media is cheap if you spend some time hunting bargains.

    According to the article, the new media will be more expensive than current media:

    The VCTS scheme will also be built into next-generation media, which will slowly replace the non-DRM encoded DVD+R discs over time. The new discs will be somewhat more expensive than their DRM-free counterparts, explained Jun Ishihara, a product manager for Mitsubishi Chemical Media Co., also known as Verbatim. Likewise, the new players will probably be priced somewhat higher than conventional players, HP executives said, although pricing will be up to individual manufacturers.
    Basically, they want us to throw away existing DVD recorders and purchase higher priced hardware and media in order to "protect us" from breaking the new FCC broadcast flag regulations.

  25. Re:Taken a physics class lately? on What Do You Believe Even If You Can't Prove It? · · Score: 1
    reahl writes:
    God is no less mythical than a potential well, which is itself just a MODEL for attempting to explain the behavior of an electron.

    Now, trying to make useful predictions by pretending electrons reside in potential wells will probably be more useful to you than trying to make useful predictions by pretending God controls the universe, but God controls the universe is the simpler explanation.

    True only if your definition of "God" is very very simple. For most people, the word "God" presupposes a very complicated (unknowably complicated) being.

    A "potential well" has no thoughts or emotions or magical powers, and the concept of "potential well" can be communicated by a straightforward equation.