Where we run into the most challenges (across many different applications/workloads) is in disk i/o. I can't wait for SSDs to get larger/cheaper as that will be a game changer.
Interesting. I'm not seeing what you are. There have been some enormous innovations from Dell and HP lately, especially on bringing down the price of storage. Have you seen the Dell MD3xxx? You can hook up to four hosts to up to 96 hard drives using redundant SAS? For a small price that things packs an awful lot of performance that used to cost a heck of a lot of money. For smaller implementations it packs quite a punch.
Agreed, engineering time, components testing, multiple warranty options, global distribution channels for repairs/parts, etc. are not bloat. However, to each their own.
Get the guy that left for Apple's DC to do some on-the-side consulting for you. It will be well worth every penny and it's a win-win-win. At the very least, have him help you hire your next person. If you don't know what you're doing, it's going to be tough to hire someone who does. If you hire the wrong person you may end up squandering everything.
In the BUILD presentation and everyone I've seen MS has consistently said that both the touch UI and traditional mouse and keyboard UI will be first-class citizens. Watch the presentation, they say it and show it when they build an app, live on stage using Visual Studio 2011.
Not to be off-topic, but I and my IT co-workers started doing this a few years back (among other conventions we decided on). We couldn't be happier. It sorts nicely and is easier for the eye to find things in long lists. Sometimes others don't get it, but it takes them about one second to figure it out. I also set my Windows boxes to display short dates in this format and it makes working with files (especially images) a bit easier imho.
They're shutting down all sorts of things. See http://www.googlelabs.com/ this includes:
- Google Breadcrumb
Fast Flip
Aardvark
Google Sets
City Tours
Places Directory
Image Swirl
Google News Timeline
App Inventor for Android (possibly open sourcing?)
Google Squared
Google Talk Guru
Script Converter (replaced)
Realtime Mytracks
Sputnik
This sucks, I've always liked the little projects they have going on there. It sounds like they have some other things cooking though, and I'm happy to see them open sourcing some of it.
Windows search on 7 works great. It indexes documents, emails, programs, etc. I've been really impressed by it. However, for Outlook I still prefer Xobni (www.xobni.com), although I'm not happy that they're making you get an account these days.
Just as an informational item, there are lots of options with Windows. A few that come to mind:
1) www.dropbox.com - Replicate a folder to the DropBox cloud.
2) www.Office365.com - Office 2010 in the cloud (yes, Word, Excel, and PowerPoint in a browser) with lots of awesome features. For example, get a live.com account with Mesh and you can use it interchangeably with the documents on your PC. Mesh works a lot like DropBox. It also has SharePoint like features where you can open documents that are hosted on live.com or Office365.com right from Word, Excel, PowerPoint, OneNote, etc. and save them to the cloud. Not to mention Exchange and SharePoint can be had with it and there are mobile apps, etc. Lots of SMBs I run across are using this. Anyone can get a Live account with Mesh and 25 GB of storage/5GB of Mesh if I recall.
3) SharePoint - Save any type of document to a company's private cloud with tight integration for Office 2003+ with versioning and a ton of other workflow/business features baked in. I've worked on docs in SharePoint on one computer, switched to another and kept on going.
PUBLIC
13
-
Orde van Advocaten SubCA Administrative CA-
Orde van Advocaten SubCA System CA-
Renault Nissan Nederland CA-
SNG CA-
Stichting TTP Infos CA-
TenneT CA 2011-
TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2-
TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2-
TU Delft CA
5.3
Plain text left in script to generate signatures on roguecertificates5.4
Timeline
06-Jun-2011 Possibly first exploration by the attacker(s)
17-Jun-2011 Servers in the DMZ in control of the attacker(s)
19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
02-Jul-2011 First attempt creating a rogue certificate
10-Jul-2011 The first succeeded rogue certificate (*.Google.com)
20-Jul-2011 Last known succeeded rogue certificate was created
22-Jul-2011 Last outbound traffic to attacker(s) IP (not confirmed)
22-Jul-2011 Start investigation by IT-security firm (not confirmed)
27-Jul-2011 Delivery of security report of IT-security firm
27-Jul-2011 First rogue *.google.com OSCP request
28-Jul-2011 First seen that rogue certificates were verified from Iran
04-Aug-2011 Start massive activity of *.google.com on OCSP responder
27-Aug-2011 First mention of *.google.com certificate in blog
29-Aug-2011 GOVCERT.NL is notified by CERT-BUND
29-Aug-2011 The *.google.com certificate is revoked
30-Aug-2011 Start investigation by Fox-IT
30-Aug-2011 Incident response sensor active
01-Sep-2011 OSCP based on white list
The attacker(s) had acquired the domain administrator rights. Because all CA servers were members of the same Windows domain, the attacker had administrative access to all of them. Due to the limited time of the ongoing investigation we were unable to determine whether all CA servers were used by the attacker(s). Evidence was found that the following CAs
were misused by the attacker(s):-
DigiNotar Cyber CA-
DigiNotar Extended Validation CA-
DigiNotar Public CA - G2-
DigiNotar Public CA 2025-
Koninklijke Notariele Beroepsorganisatie CA-
Stichting TTP Infos CAThe security of the following CAs was compromised, but no evidence of misuse was found (this list is incomplete):-
Algemene Relatie Services System CA-
CCV CA-
DigiNotar PKIoverheid CA Organisatie - G2-
DigiNotar PKIoverheid CA Overheid en Bedrijven-
DigiNotar Qualified CA-
DigiNotar Root CA-
DigiNotar Root CA Administrative CA-
DigiNotar Root CA G2-
DigiNotar Root CA System CA-
DigiNotar Services 1024 CA-
DigiNotar Services CA-
EASEE-gas CA-
Hypotrust CA-
MinIenM Autonome Apparaten CA - G2-
MinIenM Organisatie CA - G2-
Ministerie van Justitie JEP1 CA-
Nederlandse Orde van Advocaten - Dutch Bar Association-
Orde van Advocaten SubCA Administrative CA-
Orde van Advocaten SubCA System CA-
Renault Nissan Nederland CA-
SNG CA-
TenneT CA 2011-
TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2-
TU Delft CA
For some of these CAs extra security measures were in place (like the CCV CA). This makes it moreunlikely they were misused.
Before we all blindly agree that Google does no evil, let's give it another decade or two and let history be the judge. In the post that you refer to (a great read, btw), it wasn't clear that IBM's actions would turn out to be very evil until years later. I doubt Watson knew at the time what he was getting into. However, as soon as it started to become clear IBM should have ran screaming from it and they didn't.
To me, this sounds similar to recent concerns over our ISPs (including Google) and the NSA, China, and more. I have to run to the airport for a few hours or I'd post more about it. Here's a great talk though about how some of these data are used by our own law enforcement in the US, not just the NSA, but your local and state authorities: DEFCON 18: Your ISP and the Government: Best Friends Forever 1/3
If they can trick any registrar into issuing a certificate, they can then masquerade as that domain
It's worth watching Moxie's talk on defeating SSL. He demonstrates just how easy it is to get a certificate for any domain you want. He also shows just how broken it is and how (in most cases) revocation is a joke. It's a little outdated now, but still relevant and well worth watching imho: DEFCON 17: More Tricks For Defeating SSL
During his BlackHat 2011 talk BlackHat USA 2011: SSL And The Future Of Authenticity he discusses how SSL was born (it's funny and sad) and proposes using Convergence (which can work along with existing CAs) to help shore up security.
What makes me happy is that as a community we all seem to be much more aware of these issues, hopefully we'll be able to move forward on making the Internet more secure and trustworthy for everyone.
IDK how a kernel.org discussion turns into Windows bashing (oh, wait, that's what I love about/.). Anyway: this is what UAC is for. Even if the user executes a malicious program it has a much harder time changing system files and settings and compromising the whole box rather than just that user's profile. I can tell you from the 1,000's of WIndows boxes that we admin that it does make an enormous difference. Is it perfect? No, but it's a hell of a lot better than XP.
Windows 7 and Windows Server 2008 R2 . It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system
I'm no atmospheric scientist (although I did take several atmospheric science classes in college, including the 4-credit labs...), but here's what I see:
There is a group of people that claim that the majority of PhD's on this topic are wrong. They have various claims and cling to a couple of "studies" with little evidence. For some reason, some of them see this as a political issue; probably because of Al Gore's movie (idk?). When I read these comments, they do not sound like scientists, they sound like politicians attacking the messengers. Obviously not always, but I see numerous examples of this all over the place.
The other side tends to use math, science, and logic to build what sounds like a coherent case.
I imagine that this was what it was like when people were arguing about whether the earth was flat or the center of the Universe.
What is brittle about Perspectives or Convergence? I'm genuinely interested since I'm by not an expert in this field, but I it seems to be getting a lot of attention lately. I'd love to hear some counterpoints to the notary-based systems (especially since they can still coexist with PKI using CAs).
If the government was to do this they would also have the power to intercept these private communications. Granted.... it's only transport layer encryption.
Another reason to take a good, long look at Moxie Marlinspike's Convergence system. Basically, it does away with CAs in favor of a trusted and anonymous notary-based system.
Incoming RDP is not on by default; it never has been afaik. You have to turn it on (in XP, Visa, 7, 2003/2008). The RDC client is installed by default, but it's only used to connect to other Windows boxes.
Slashdot Mirror
Where we run into the most challenges (across many different applications/workloads) is in disk i/o. I can't wait for SSDs to get larger/cheaper as that will be a game changer.
Interesting. I'm not seeing what you are. There have been some enormous innovations from Dell and HP lately, especially on bringing down the price of storage. Have you seen the Dell MD3xxx? You can hook up to four hosts to up to 96 hard drives using redundant SAS? For a small price that things packs an awful lot of performance that used to cost a heck of a lot of money. For smaller implementations it packs quite a punch.
Agreed, engineering time, components testing, multiple warranty options, global distribution channels for repairs/parts, etc. are not bloat. However, to each their own.
Get the guy that left for Apple's DC to do some on-the-side consulting for you. It will be well worth every penny and it's a win-win-win. At the very least, have him help you hire your next person. If you don't know what you're doing, it's going to be tough to hire someone who does. If you hire the wrong person you may end up squandering everything.
In the BUILD presentation and everyone I've seen MS has consistently said that both the touch UI and traditional mouse and keyboard UI will be first-class citizens. Watch the presentation, they say it and show it when they build an app, live on stage using Visual Studio 2011.
Not to be off-topic, but I and my IT co-workers started doing this a few years back (among other conventions we decided on). We couldn't be happier. It sorts nicely and is easier for the eye to find things in long lists. Sometimes others don't get it, but it takes them about one second to figure it out. I also set my Windows boxes to display short dates in this format and it makes working with files (especially images) a bit easier imho.
I had missed it (removed manually) but it looks like MS is doing the responsible thing: http://www.microsoft.com/technet/security/advisory/2607712.mspx
They're shutting down all sorts of things. See http://www.googlelabs.com/ this includes: - Google Breadcrumb
Fast Flip
Aardvark
Google Sets
City Tours
Places Directory
Image Swirl
Google News Timeline
App Inventor for Android (possibly open sourcing?)
Google Squared
Google Talk Guru
Script Converter (replaced)
Realtime Mytracks
Sputnik
This sucks, I've always liked the little projects they have going on there. It sounds like they have some other things cooking though, and I'm happy to see them open sourcing some of it.
Windows search on 7 works great. It indexes documents, emails, programs, etc. I've been really impressed by it. However, for Outlook I still prefer Xobni (www.xobni.com), although I'm not happy that they're making you get an account these days.
Just as an informational item, there are lots of options with Windows. A few that come to mind:
1) www.dropbox.com - Replicate a folder to the DropBox cloud.
2) www.Office365.com - Office 2010 in the cloud (yes, Word, Excel, and PowerPoint in a browser) with lots of awesome features. For example, get a live.com account with Mesh and you can use it interchangeably with the documents on your PC. Mesh works a lot like DropBox. It also has SharePoint like features where you can open documents that are hosted on live.com or Office365.com right from Word, Excel, PowerPoint, OneNote, etc. and save them to the cloud. Not to mention Exchange and SharePoint can be had with it and there are mobile apps, etc. Lots of SMBs I run across are using this. Anyone can get a Live account with Mesh and 25 GB of storage/5GB of Mesh if I recall.
3) SharePoint - Save any type of document to a company's private cloud with tight integration for Office 2003+ with versioning and a ton of other workflow/business features baked in. I've worked on docs in SharePoint on one computer, switched to another and kept on going.
The Siberian Rapids would probably wipe us out.
What the heck are the Siberian Rapids? I tried Google with no luck.
PUBLIC 13 - Orde van Advocaten SubCA Administrative CA- Orde van Advocaten SubCA System CA- Renault Nissan Nederland CA- SNG CA- Stichting TTP Infos CA- TenneT CA 2011- TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2- TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2- TU Delft CA 5.3 Plain text left in script to generate signatures on roguecertificates5.4 Timeline
06-Jun-2011 Possibly first exploration by the attacker(s)
17-Jun-2011 Servers in the DMZ in control of the attacker(s)
19-Jun-2011 Incident detected by DigiNotar by daily audit procedure 02-Jul-2011 First attempt creating a rogue certificate
10-Jul-2011 The first succeeded rogue certificate (*.Google.com)
20-Jul-2011 Last known succeeded rogue certificate was created
22-Jul-2011 Last outbound traffic to attacker(s) IP (not confirmed)
22-Jul-2011 Start investigation by IT-security firm (not confirmed)
27-Jul-2011 Delivery of security report of IT-security firm
27-Jul-2011 First rogue *.google.com OSCP request
28-Jul-2011 First seen that rogue certificates were verified from Iran
04-Aug-2011 Start massive activity of *.google.com on OCSP responder
27-Aug-2011 First mention of *.google.com certificate in blog
29-Aug-2011 GOVCERT.NL is notified by CERT-BUND
29-Aug-2011 The *.google.com certificate is revoked
30-Aug-2011 Start investigation by Fox-IT
30-Aug-2011 Incident response sensor active
01-Sep-2011 OSCP based on white list
The words "criminal negligence" come to mind.
3.2
Compromised CAs
The attacker(s) had acquired the domain administrator rights. Because all CA servers were members of the same Windows domain, the attacker had administrative access to all of them. Due to the limited time of the ongoing investigation we were unable to determine whether all CA servers were used by the attacker(s). Evidence was found that the following CAs were misused by the attacker(s):-
DigiNotar Cyber CA-
DigiNotar Extended Validation CA-
DigiNotar Public CA - G2-
DigiNotar Public CA 2025-
Koninklijke Notariele Beroepsorganisatie CA-
Stichting TTP Infos CAThe security of the following CAs was compromised, but no evidence of misuse was found (this list is incomplete):-
Algemene Relatie Services System CA-
CCV CA-
DigiNotar PKIoverheid CA Organisatie - G2-
DigiNotar PKIoverheid CA Overheid en Bedrijven-
DigiNotar Qualified CA-
DigiNotar Root CA-
DigiNotar Root CA Administrative CA-
DigiNotar Root CA G2-
DigiNotar Root CA System CA-
DigiNotar Services 1024 CA-
DigiNotar Services CA-
EASEE-gas CA-
Hypotrust CA-
MinIenM Autonome Apparaten CA - G2-
MinIenM Organisatie CA - G2-
Ministerie van Justitie JEP1 CA-
Nederlandse Orde van Advocaten - Dutch Bar Association-
Orde van Advocaten SubCA Administrative CA-
Orde van Advocaten SubCA System CA-
Renault Nissan Nederland CA-
SNG CA-
TenneT CA 2011-
TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2-
TU Delft CA
For some of these CAs extra security measures were in place (like the CCV CA). This makes it moreunlikely they were misused.
Before we all blindly agree that Google does no evil, let's give it another decade or two and let history be the judge. In the post that you refer to (a great read, btw), it wasn't clear that IBM's actions would turn out to be very evil until years later. I doubt Watson knew at the time what he was getting into. However, as soon as it started to become clear IBM should have ran screaming from it and they didn't.
To me, this sounds similar to recent concerns over our ISPs (including Google) and the NSA, China, and more. I have to run to the airport for a few hours or I'd post more about it. Here's a great talk though about how some of these data are used by our own law enforcement in the US, not just the NSA, but your local and state authorities:
DEFCON 18: Your ISP and the Government: Best Friends Forever 1/3
If they can trick any registrar into issuing a certificate, they can then masquerade as that domain
It's worth watching Moxie's talk on defeating SSL. He demonstrates just how easy it is to get a certificate for any domain you want. He also shows just how broken it is and how (in most cases) revocation is a joke. It's a little outdated now, but still relevant and well worth watching imho: DEFCON 17: More Tricks For Defeating SSL
During his BlackHat 2011 talk BlackHat USA 2011: SSL And The Future Of Authenticity he discusses how SSL was born (it's funny and sad) and proposes using Convergence (which can work along with existing CAs) to help shore up security.
What makes me happy is that as a community we all seem to be much more aware of these issues, hopefully we'll be able to move forward on making the Internet more secure and trustworthy for everyone.
UAC, courtesy of Wikipedia:
Windows 7 and Windows Server 2008 R2 . It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system
I read through their description of what happened and at least they're being open and honest about it.
I'm no atmospheric scientist (although I did take several atmospheric science classes in college, including the 4-credit labs...), but here's what I see:
There is a group of people that claim that the majority of PhD's on this topic are wrong. They have various claims and cling to a couple of "studies" with little evidence. For some reason, some of them see this as a political issue; probably because of Al Gore's movie (idk?). When I read these comments, they do not sound like scientists, they sound like politicians attacking the messengers. Obviously not always, but I see numerous examples of this all over the place.
The other side tends to use math, science, and logic to build what sounds like a coherent case.
I imagine that this was what it was like when people were arguing about whether the earth was flat or the center of the Universe.
What is brittle about Perspectives or Convergence? I'm genuinely interested since I'm by not an expert in this field, but I it seems to be getting a lot of attention lately. I'd love to hear some counterpoints to the notary-based systems (especially since they can still coexist with PKI using CAs).
Great point, thanks for the correction.
Most of all it's about taking a 30 percent cut.
If the government was to do this they would also have the power to intercept these private communications. Granted.... it's only transport layer encryption.
Another reason to take a good, long look at Moxie Marlinspike's Convergence system. Basically, it does away with CAs in favor of a trusted and anonymous notary-based system.
.(a really great talk, as always).
See him speak about it at BlackHat USA 2011 here
Read about it here
The official Convergence website (http://convergence.io/). The plugin (AFAIK) is not compatible with FF 6 yet.
Yes, you can and have always been able to afaik. How to disable the Local Administrator account in Windows In Vista and 7 you actually have to go and enable it manually.
Incoming RDP is not on by default; it never has been afaik. You have to turn it on (in XP, Visa, 7, 2003/2008). The RDC client is installed by default, but it's only used to connect to other Windows boxes.