I can understand why you'd be concerned about the possibility of your website serving exploit code to unsuspecting users. However, I'd like to point out that the problem is not unique to your site, nor does it only affect sites that allow users to post images. I've posted a writeup about a security incident I investigated that involved a malicious WMF being distributed through syndicated advertisements, and I know the same thing happened when the GDI vulnerability was discovered. The bottom line is that it's very difficult to lock down all the attack vectors for something like this, and your website is probably no worse than anyone else's at this.
You say the backup solutions "seem to" get around file copying restrictions? There aren't any restrictions. Simply connect your iPod to your PC (I'm assuming Windows since I don't have a Mac handy).
When it mounts the iPod as a new drive, open that folder in explorer and then select Tools -> Folder Options from the menu bar. Click the View tab and select "Show hidden files and folders", then click OK.
Now you should see an additional folder on your iPod drive called iPod_Control. Open it up and find your music files in a set of subdirectories under the iPod_Control/Music/FXX folders, where XX is a bunch of two digit numbers.
The file names may or may not make much sense, but never fear. If you have ID3 tags in the files, you can just copy the files from the iPod onto your hard drive, then import them into a jukebox that understands ID3, and they'll be perfectly readable again.
Don't use this to pirate music. I only mention it because I thought it was odd that every iPod owner on Slashdot didn't know about it yet.
I can tell you that it's not the job of an auditor or "security tester" to regurgitate Nessus reports. In fact, it's downright unethical if that's what really happened here. We're being paid for our expertise and our advice, not on how well we click the "Scan" button.
As long as you're using the school's network, you have to abide by the school's policies. If they ask you not to do it, you pretty much have to comply if you want to keep your net connection.
Still, it's probably worth a polite note to the network administrator to request "clarification".
State your case concisely (they're usually busy) and politely, and you may get lucky.
RedHat announced this a couple of months ago. Since then, pretty much everyone I know who based their organization on RedHat is desperately seeking a solution. Fedora seems attractive, until you realize that their support policy only provides around 9 months of support for any release. The Fedora Legacy Project wants to increase this to 18 months, but so far they are just getting organized, so it remains to be seen how reliable they will be.
This is a bad situation for those of us using RedHat Linux, but there *is* hope.
This is ludicrous. I implemented an Internet-based software download/install system in 1994 while on a contracting job with NASA. If you google, you'll find references to my system, called Cicero. There were probably others before me, though I don't know of any. I hope this patent gets revoked.
Can you please provide a reference to allow us to verify your assertion that the doctrine of fair use does not apply to exact copies? I have not been able to find this anywhere online. In fact, I know that fair use applies to certain situations in which an exact digital copy is the only possible solution, such as your right to create archival backups of your computer's hard drive.
Actually, I don't have the fax number. One of the nice things about the EFF Action Center is that there is a nice little "email, fax or print" selector at the end of the form. I sent this through that form, and asked it to fax my letter. I highly recommend this form, since faxes are regarded somewhat more highly than email.
[This is the text of the letter I faxed to the FCC yesterday. Please feel free to copy it and send it yourself if you like, or visit the EFF's Action Center and use their spiffy online form. They haven't voted yet; it's not too late!]
Commissioner Jonathan S. Adelstein
Federal Communications Commission
445 12th Street, NW
Washington, D.C. 20554
Dear Jonathan Adelstein,

Commissioner Kevin J. Martin
Federal Communications Commission
445 12th Street, NW
Washington, D.C. 20554
Dear Kevin Martin,

Commissioner Michael J. Copps
Federal Communications Commission
445 12th Street, NW
Washington, D.C. 20554
Dear Michael Copps,

Commissioner Kathleen Q. Abernathy
Federal Communications Commission
445 12th Street, NW
Washington, D.C. 20554
Dear Kathleen Abernathy,

Chairman Michael K. Powell
Federal Communications Commission
445 12th Street, NW
Washington, D.C. 20554
Dear Michael Powell,
Please allow me to take a few moments of your time in order to express my opposition to the proposed adoption of the "broadcast flag" for digital televisions. I strongly believe that this misuse of technology will do little but stifle legitimate innovation (including slowing the adoption of digital television) and infringe on the consumer's fair-use rights.

One of the most serious problems with the "broadcast flag" proposal is that it places control over marketplace innovation in the hands of the MPAA, an organization with no vested interest in innovation. In fact, the MPAA can be viewed as having more of an interest in the LACK of innovation, in that they are rooted firmly in the current technology and content distribution model. Allowing the MPAA to veto new features in digital television equipment is like giving organized crime the power to veto new wiretap laws. As a business organization, the MPAA will always act in the interest of its members, and not the public. The result is that marketplace innovation will suffer, and consumers will have to make do with fewer features and no way to exercise their legally protected fair-use rights.

In conclusion, I urge you to avoid "broadcast flag" technology at all costs. It is a system tailor-made to appeal to the Hollywood content providers, striving to protect their distribution-based business model in the face of new technologies. Rather than adapt to the realities of the current situation, they choose to adapt the current situation to that which they desire to be reality. This situation is unworkable, in that it places unreasonable restrictions on both consumer electronics manufacturers and the consumers themselves. Please do not adopt the "broadcast flag" technology. It benefits only the MPAA, and abridges the rights of consumers.

Thank you for your time and attention to this matter.

Sincerely,
YOUR SIG HERE
I love the Fisher Space Pen. I carry the original model around in my pocket nearly all the time. It's very compact when stowed, it writes in any position (even upside down) and is shiny and cool looking. ;-)
I also have a matte black version with the Smithsonian logo stamped in gold, which is also snazzy looking.
The idea of a government using games or puzzles as recruitment devices isn't farfetched at all. In fact, during WWII, the British Government Code & Cipher School ran crossword puzzle contests whose secret goal was to identify people with the ability and interest to be trained as cryptologists. Some of these people went on to work at Bletchley Park, breaking Axis radio ciphers like Shark and Enigma.
Of course, that's a far cry from your standard arcade video game. I doubt there's much value to recruiting skilled video game players into the military. Now, if you want to talk about using games to recruit someone, a hacking game like Dark Signs would be a better target for the paranoid among us.
I'm a big geek, too, and on my recent visit to the Smithsonian Museum of American History, I was very pleasantly surprised to find the following items:
- A Jacquard loom. This is a big freakin' thing, and includes some giant punched cards (compared to "modern" cards, that is). The display also has two examples of silk weaving done on the loom. One is the famous portrait of Jacquard himself, and the other is a much more finely detailed weaving of some folks showing off the famous Jacquard portrait. Amazingly, this is all in the Textiles exhibit, not the information technology exhibit!
- A Scheutz Difference Engine. Built in 1853, it uses the same principle of differences, but a different mechanical design than Babbage's. The Scheutzes (father and son) knew Babbage, though, and he apparently approved of their invention. They were even somewhat commercially successful, unlike Poor Old C.B.
- A Hollerith card sorter used for the US Census. I've read about them, but was interested to finally see one.
- The very first Integrated Circuit, built by Jack Kilby in his lab at Texas Instruments. It's a freakishly kludged together thing by today's standards, nothing more than a hand-carved hunk of silicon about .25" long. It's got tiny gold wires sprouting up out of it, because Kilby hadn't yet figured out how to print the connecting circuitry onto the chip itself. This was just his proof-of-concept that you could make electrical components out of solid hunks of semiconductor.
- An original Apple (the type now known as the Apple I) in its period wooden case.
Actually, the entire first floor of the museum is devoted to the history of American technology and science, so an open-minded geek could probably spend the whole day on that floor (like I did).
BTW, as a geek, you might be tempted to check out the International Spy Museum. Don't. It blows. It's mostly comprised of things you read on the wall, which you could get from a good book. There are some interesting exhibits, but at $13/person it's a bit steep. Also, they have serious overcrowding problems that tended to get in my way of enjoying the place.
This isn't a new idea. Various people or groups dissatisfied with Bugtraq have created their own alternative lists over the years. No one pays much attention to any of them. For a good example, check out BugDev.
I applaud your initiative, but honestly, I don't see either the need or the point.
I see. In that case, I guess the answer to your question depends on the definition of "cluster". Regardless of the definition, though, your work sounds very useful. It's even cool, which is better. 8-)
SELinux is fairly well known and has been available for some time. The original release was greeted with some amount of fanfare and hoopla, even. If there were a secret NSA backdoor, it would have been found by now.
IMO, the bigger question is: "will the extra security measures get in the way of doing what you need to do?" And probably the corollary: "If you're going to have to disable any of those features, is it still worth using this distribution?"
I think you're talking about net-over-power. The story is about the reverse, power-over-net. Neat, but I'm not in favor of accidentally frying my ethernet card by plugging in the wrong cable. Hope they use a different connector!
Just an idea... Put a reverse proxy in front of the Tivo. Don't let the Tivo talk to machines outside your local network, just internal machines (including the proxy). Use SKey on the proxy for free easy 2 factor authentication. If you use apache, you can set it up to use PAM (pluggable authentication modules), and get an SKey PAM module for it. I know that all these pieces exist, but I've never used Apache w/PAM, nor have I used the SKey PAM module. Should be a good starting point, though.
I'm all for slimming down the Win32 API. It's monstrous, and a simplification would be of great benefit in the long run. But what will happen to application compatibility in the short term? I guess executable code that calls the "old" API won't run on Longhorn? If that's true, how will users know in advance which of their programs will run?
Comments from anyone with insight on this are very welcome.
I read the paper, and found it to be a very elegant solution to the problem. I, too, have wished to have multiple tunnels on the same port. I only hope that this patch makes it into OpenSSH (and OpenSSH-portable, of course). I think it'll need some testing, but it seems like a good idea well executed.
They also require a 4 digit pin number. Kinda defeats the purpose, huh?
That does not defeat the purpose at all. The concept of using two different authentication mechanisms together is called two-factor authentication. Not only is it a well-established Information Security principle, it's also considered a Best Practice.
After all, if someone steals your finger, at least they won't know your PIN!
n.b. the dangers of relying on Slashdot for critical security decisions...
You didn't specify what your requirements for this project are, but I'd say that in order to make an informed decision, you should at least know this much:
- Where you want/need access control (how many doors, for example)
- How many people need access, and which ones need 24 hour access vs. time-limited access
- How critical is the space that you will control access to? For most uses, biometrics are probably overkill. Keycards work well for many applications and are usually much more reliable.
My advice is to think seriously about what you actually need, and don't try to solve problems you don't have. Make sure you get something that meets your real requirements, is stable and reliable, and fits in your budget.
Another review... on 802.11 Security
I reviewed this a while ago on my site. In case you're interested in a slightly different take, check it out here.
Quick take: ehh. It's good for small, Unix savvy sites, but windows shops or large installations should probably look elsewhere.
I use Total Choice Hosting (http://www.totalchoicehosting.com). So far, I'd say that I've been able to get everything I need. I run InfosecBooks.Com, which needs PHP, Apache, MySQL, SSH and some other stuff. It's good, the people are quite responsive, and it's dirt cheap.
While we are working on this hefty cluster, we wonder if this is the biggest MySQL cluster has ever been built.
They're clearly asking if theirs is the biggest ever built.
IT environments are so complex today, why would anyone think only 10 of anything is "the biggest"?