This whole "network security" meme is a failed experiment needing to be called out as the ridiculous farce that it is. Firewalls are the equivalent of mounting castle defense against an air force. It does not work and never has. The opportunity cost of squandering resources on castle building vs. standing up an opposing air force is both high and sad.
Host-based firewalls are even more amusing. They come enabled by default. High probability any application installed needing to listen() is going to automatically punch a hole to do so, as vendors have zero interest in dealing with firewall support nightmares. This begs the obvious question: what is the effective difference between listen() and firewalled-listen()?
If you really want a secure internal system then lock down services/listeners and configure each system to use only secure communication protocols. If this is not possible, set IPsec = required and secure the transport E2E only.
The further away from the application domain you apply security, the more worthless that security is.
The only broadband nightmare I have is the reality of continuous non-stop rate hikes of 10-15% every 6 months. No other "utility" even comes close.
For that matter, all of everything constructed by human beings...is full of defects, or potential defects, or security vulnerabilities. Your house, for example. You have a lock on your front door, but it takes a thief just a few seconds to kick the door in. Or your car...a thief can break into it in seconds, even if you have electronic theft protection. I'd call those "security vulnerabilities."
So what do we do? We improve security until it becomes "just secure enough" that we can live with the risks, and move on.
Who cares about the security of an untrusted and untrustworthy app in the first place?
What difference does it make if it was written by the most competent team of programmers in the world if, while operating as designed, it still treats the end user with contempt?
TFA is being much nicer than Google and many app vendors deserve.
The whole ecosystem is engineered to reward bad behavior, with the complete lack of usable access controls speaking for itself.
They need only do the minimum required to keep all hell from breaking loose and too many people bailing on the platform as a result.
Is it impossible for a congressional computer which is obviously connected to the public Internet to be a botnet slave?
Maybe you're a botnet slave? How would we know if you weren't?
For all we know someone else outside of Congress controls this computer/router/whatever.
It's controlled by a Gremlin in the Kremlin. Mothra Russ1a p0wn3 a11.
Bahahahahahhaa.... lol... like actual Congress-people would know how to edit wiki pages.
They obviously don't... hence the need for bracketbot to clean up their mess.
Can you name one person who died at Fukushima due to radiation poisoning or cancer? Just one will do, thanks.
If you can't name a specific person does this mean something important?
I don't give a shit about "bad publicity" or either of these two idiots -- the gate agent or the passenger.
Next time, guy could just try doing as he's told by those in charge of the situation.
Perhaps once an idiot gate agent plays the "safety threat" card against you for an equally nonsensical reason, you might come to develop a slightly different outlook on the situation.
Kept waiting for the punch line until I realized there wasn't one. Anyone who abuses their position to pull a stunt like this deserves to be fired.
Moving to IPv6 means more challenges: having to retest firewalls and their rules, making sense of the IPv6 addresses, and then figuring out what looks normal and what looks like bad (generated) traffic when looking at PCAPs.
I will be happy when IPv4 is gone and the constant cheap attacks and probes to random addresses are no longer viable, at least not on the scale of IPv4.
How does blocking work when everybody can have a trillion addresses? Can people have a trillion addresses? Do they have a block allocated to each user/system? Does it matter? So many questions.
In IPv6 land users are assigned prefixes rather than IP addresses so you block the prefix rather than the IP address.
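As an added example (not from the comment thread), the following Python shows why the reply above matters: it compares exact /128 host blocking, the IPv4 habit, against blocking the delegated prefix, using a constructed /64 blocklist and constructed log addresses in which the same host shows up under rotating SLAAC interface identifiers.

```python
import ipaddress

# Constructed blocklist: one entry per abusive source, expressed as the
# delegated prefix (a /64 here) rather than a single /128 host address.
BLOCKED_PREFIXES = [
    ipaddress.ip_network("2001:db8:abcd:1234::/64"),
]

# Constructed sample of source addresses seen in a log. The first three are
# the same subscriber on the blocked /64 under different interface
# identifiers (SLAAC privacy addresses rotate); the last is unrelated.
OBSERVED = [
    "2001:db8:abcd:1234::1",
    "2001:db8:abcd:1234:5c3e:9a1f:7d20:44b1",
    "2001:db8:abcd:1234:a0ff:fe12:3456:789a",
    "2001:db8:ffff:1::10",
]


def is_blocked(addr, prefixes=BLOCKED_PREFIXES):
    """True if addr falls inside any blocked prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def host_blocklist_hits(addrs, blocked_hosts):
    """Baseline: exact /128 matching, the IPv4 habit carried over to IPv6."""
    blocked = {ipaddress.ip_address(h) for h in blocked_hosts}
    return sum(1 for a in addrs if ipaddress.ip_address(a) in blocked)


def prefix_blocklist_hits(addrs, prefixes=BLOCKED_PREFIXES):
    """Prefix matching: catches every address the subscriber can mint."""
    return sum(1 for a in addrs if is_blocked(a, prefixes))


def prefix_of(addr, length=64):
    """Collapse an observed address to the prefix you would actually block."""
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


if __name__ == "__main__":
    # Blocking the one /128 you saw first misses the rotated addresses.
    print("host hits:  ", host_blocklist_hits(OBSERVED, ["2001:db8:abcd:1234::1"]))
    # Blocking the /64 catches all three, and nothing from the other prefix.
    print("prefix hits:", prefix_blocklist_hits(OBSERVED))
    for a in OBSERVED:
        print(a, "->", prefix_of(a), "blocked" if is_blocked(a) else "allowed")
```

The /64 used here is an assumption; block at whatever prefix length the provider actually delegates (commonly /56 or /64 for residential customers).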
Their implementation of DHCPv6-PD blows. It's incompatible with OpenWrt, Netgear, and pfSense router firmware.
There seem to be problems with Comcast IPv6 that I can see.
Lease query is fucked up/does not work at all, so if your cable modem reboots while the lease is still valid the CMTS has forgotten all about it and won't let any traffic pass until you transmit a renewal request for your PD. It seems some consumer router gear uses Ethernet/media detection to notice the link has bounced and refresh the lease... otherwise you're basically SOL and have to manually do it.
I don't think it is fair to blame Comcast for a system's shitty/buggy support for DHCPv6 prefix delegation. Comcast is not doing anything magical or non-standard. Vanilla ISC DHCPv6 client has worked flawlessly for me.
Incidentally, I have maintained the same IPv6 prefix for over a year now since they turned up v6.
Then this premature change of the lease will fall out of sync
To be fair, if the client is fucked up and not properly renewing the lease sometime before it expires, I don't see how that's Comcast's fault. If you don't ask for renewal you won't get one.
With all the IPv6 address space available, why not give out a static IPv6 prefix? But no, they want to change it frequently.
Exactly, they should hand out addresses or at least make them very sticky so that anything short of some kind of reorganization/renumbering does not result in a new prefix. It really sucks: even if radvd is sync'd there are still implementation problems with the zero-lifetime pulling and hosts if using SLAAC locally.
This is completely contrary to their IPv4 DHCP servers, which will basically give you the same IP address forever until you change the MAC address on the router.
If you allow your IPv4 lease to expire good luck getting the same address back. At least on the two occasions I've had my system down long enough for it to happen and was greeted with a new address. It may very well be certain areas are configured differently and so mileages vary.
So screw Comcast's IPv6. I'll stick with my Hurricane Electric tunnel and its static IPv6 prefix until my router breaks.
The HE tunnels were awesome. I was sad when I shut mine down.
So any advantages to running an IPv6 tunnel other than to say you use IPv6?
None, turn it off and get a real IPv6 connection unless you need it for something.
When content sees higher latency and lower throughput from crappy tunnels it only serves as a disincentive for continued adoption.
Source control, IDEs, build systems and bug trackers... are all very ancient tools that tend to make people more productive so they can spend more time coding... leaving me puzzled and confused by TFA's point.
He seems to be saying enabling infrastructure to manage a product lifecycle is more difficult, or at least non-trivial, vs. the problem space itself... Suppose if you're one of thousands of shops churning out proverbial flashlight and fart apps this could well be the case... otherwise it is hard to understand how it can be true. While supporting infrastructure can and does become very complex for large development efforts, there are usually tooling peeps on staff who specialize in each subdomain.
What makes matters worse, you go on to hate DSLs, use NoSQL databases... which leaves me little choice but to assume you hate everything good and nice.
Either that or you got screwed working for some grossly understaffed rinky-dink company with reams of old code nobody understands who lied when they used the word "developer" in the job description... LOL... happens... a... lot.....
It's those ads that pay for Google to give so many of its services away for free. It may be wrong, it may be right, it really doesn't matter because it's the very definition of "it is what it is". It's the price you pay for using a "smart" phone, because you won't find one that doesn't have privacy implications.
Supporting a service with advertisements is quite a bit different than supporting a service by stalking your users.
Privacy is an essential pillar of the social contract. The right to be left alone and not continuously stalked are basic human rights people are just not going to give up because some marketing company thinks it would be swell if they did.
"Snowden" proved lots of people (A lot more than I could ever imagine frankly) give a shit.
It's a trade off of modern life, if you want the cool toys, you can't play anonymous secret super agent spy. (Which leads to the "what are you doing that makes you think anyone gives a fuck" question, but that is a separate issue entirely.)
With technical knowledge and time you can have a smart phone with some confidence it will not be spying and doing shit behind your back (Excluding baseband processor of course). Android is after all just Linux. iptables and tcpdump run just fine on it and enough people care enough to spend their time on infrastructure like the Cyanogen build system to make it work. All that is needed are viable alternatives... which have never been cheaper or easier to produce.
There is a story and an opportunity for weaning users away from the current crop of locked down vendor controlled mobile operating systems.
Vendors intentionally hold back useful and needed features to make carriers and app vendors happy. Features that can be leveraged to effect change. Useful "cloud" data synchronization and backup services can be replaced with a federated service where the user can either select a provider or run their own, rather than one thing owned and operated by a single organization. The death by a thousand cuts (of everything wanting to constantly call home with your data) that drains batteries and devours data plans without providing much if anything in return does not have to exist, any more than "GoToMeeting" is necessary to access computers remotely.
The error is in overstating the value of Google and understating the value of a network of peers.
It's 2014 and we are all still transmitting passwords in clear text web forms over SSL.
Why should anyone believe a person with a clear agenda, no access and no evidence?
Wake me up when you have actual data to corroborate your (conspiracy) theory that Israel's estimates are lies.
Israelis collect the rockets and rocket parts they are able to find. The answer is knowable and evidence obtainable. Have you even tried?
Which customer-owned DVRs work with satellite?
I know nothing about satellite receivers or equipment purchasing options for digital DVRs. Generic DVRs for years have included IR blasters to control a library of set top boxes including satellite receivers. A bit lame...
The lifetime sub is for one device. Cable subscribers end up having to replace their devices when the cable company changes technology, such as analog to digital, clear QAM to CableCARD, and CableCARD to SDV.
Cable cards are backwards compatible, have been around for a decade thus far and currently in no danger of going anywhere anytime soon.
SDV complements rather than replaces CableCARD, which is still required to use SDV. For most people SDV means an additional box plugged into any available receiver/DVR USB port.
The NSA may be allowed all access to all information that an airline has, including the full PAN; however, the airline doesn't store the full PAN if they were PCI-DSS compliant.
There is no prohibition against storage of PAN (e.g. card number) in the PCI-DSS. You are forbidden only from storing CVV2 and full track data from the mag stripe.
Ukrainian line despite the obvious abuse of the word terrorist to mean "rebel fighter" and
This horse left the barn years ago. It isn't just being misused here; it is being misused universally, everywhere, in every conflict, and increasingly by many an overzealous prosecutor.
Language is hardly a static affair forever anchored to ancient texts.
IPs without ISP logs are useless, and even if they have them, ones from public networks are dead ends unless they have full logs as well.
Perhaps some 20 years ago, when millions browsed the web from AOL behind a complex series of proxy servers.
Today everyone has always-on broadband at home with long-lived IP addresses. Knowing the user or household associated with an IP with some degree of accuracy seems to me to be anything but useless.
Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?
What part of "any tangible thing" and third party doctrine does one suppose is non-applicable to card numbers?
Government is not bound by rules of the road created by industry.
Someone who doesn't pay per month for DVR service. Cable charges extra, satellite charges extra, and TiVo charges per month even for OTA.
This is backwards. By owning your own DVR you save on monthly equipment rentals due to the need to rent a cable box for each room/TV set.
Even TiVo offers a lifetime subscription service which pays for itself over the first 2-3 years.
Expect human reaction to computers pretending to be human to be angry and creeped out.
When you do this you are essentially selling a lie to the customer. Even though it is clear the machine is a machine and not a person, the emulation of a person is still perceived as deception and therefore offensive.
If airlines feel compelled to waste their money on something other than reasonably usable kiosk terminals, why not invest it to reverse the multi-decade trend of making the experience of flying as lame, oppressive and uncomfortable as possible?
For those that say that the ads have become manipulative, sorry but how are they different than old TV?
Well, for one thing, on old TV ads didn't pretend to be part of the show you were watching. Viewing them didn't turn your computer into a botnet, track your every move, or adorn your set's control knobs and television cabinet with vendor advertising. TV ads also lack self-awareness.
Why unthinkable? Why should free video be so very different from free TV?
Who sits through TV commercials?