I said that YouTube was a bad idea early on, because of the discrepancies between YouTube's policies and the policies surrounding government content. You cannot save YouTube videos on your hard drive without violating their TOS. This is another example of the discrepancy. Disturbingly, this administration is not pushing YouTube to modify their policies for the White House channel.
"No, that's stupid, because a malware writer certainly has the requisite level of knowledge to bypass the problem. The "iptables-save" example I gave was something I ran into the first day I used an SELinux-enabled system, and it took me all of 10 minutes to figure out the workaround."
And now the malware writer must convince the user to do something that the user was not planning to do, beyond simply opening the virus. Now the user must open virus, then write their own SELinux bypass on the malware author's instruction, and only then can the attack be completed. I never said this would cure every possible attack, I said it helped.
"Add in the fact that most (if not all) of the default policies are just plain stupid (why is it OK to "cp" over a file in/var/lib/dhclient but not "mv" over it?), and you see why the first thing most admins do is disable SELinux."
Not if they are competent when it comes to security. Mandatory ACLs and auditing are not something most sysadmins who have security concerns want to disable, especially when there is option of permissive mode which leaves auditing enabled. Sysadmins who are hoping that their firewall is enough to keep them secure -- the sort of thinking that has viruses spreading on USB keys -- might be turning SELinux off, but not anyone with more experience than that, unless they prefer some other ACL/auditing solution.
Besides, I thought this was a conversation about non-enterprise users, who do not have sysadmins there configuring their computers?
"I think you are a bit confused. Once a malware writer figures the workaround, then there is no SELinux log that anything happened, because SELinux only logs "prevents" by default. And, although you can have it log "permits", nobody has that much disk space."
Except that the workaround will require social engineering, assuming a reasonably sane SELinux policy from the distro, which is the best one can hope for in a non-enterprise installation. Social engineering is not a problem that can be solved by SELinux, nor is SELinux intended to solve it. For home users, SELinux prevents quiet attacks (or should prevent them if the distro policy maintainers are decent, like Dan Walsh), and for enterprise users it allows the effects of social engineering to be dulled and the user who was "engineered" to be traced more easily.
That depends on how you weight the issues surrounding what McCarthy did. We are talking about a man who undermined basic rights, including the right to free speech, all in the name of catching people suspected of "anti-American." One of the reasons why America is a haven for political refugees is that we do not, or are not supposed to, persecute people for what they say and who they associate with, especially in political matters such as communism. It does not matter whether or not McCarthy captured communists, because the US government is not supposed to be in the business of hunting people down over their political beliefs. It is irrelevant whether statistically or economically what he did led to a numerical benefit if the basic rights that we take for granted were snatched away in the process. I would sooner see America stop existing entirely than see the right to speak freely and the right to hold any political position taken get away from the citizens of the USA.
"So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?"
Not necessarily; you can make a policy that allows vi to edit those files. Policy tuning is tricky though, and you don't want to accidentally create an attack vector (not that Vi is a likely vector, but another editor might be).
"Although this might be more secure, I call it just a pain in the ass."
I have heard the same about using a non-root account. Security always takes away some convenience.
"If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is read the files from the ~/.mozilla directory, write out any changes to someplace like/tmp, then "download" the files from/tmp using Firefox and store it in the correct place in ~/.mozilla. I'll bet, though, that all that would be required is the "pipe it through a trusted program" hack would work, too."
This is the idea -- you want to ensure that if something is writing to those files, and it is potentially dangerous, it is something that users need to have some minimum level of knowledge to do. Firefox writing to those files is normal; vi writing to them is potentially abnormal, and so you want to ensure that if it does happen, it is being done by someone who is aware of what is going on, or at least someone who is aware THAT it is going on. Without any SELinux policies, the edit could happen quietly, without the user ever knowing it happened.
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context. A virus attempting to install some sort of keylogger in Firefox is forced to attack through Firefox (or another Mozilla program); compare with malware in Windows, that could attack through specially crafted music file and install a keylogger in IE.
"Or you could, oh I don't know, not let morons near your computer?"
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an.exe."
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the.mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Except that this worm spreads through usb devices and is inherently not-Internet oriented. The only really safe way to use Windows is to constantly reimage your computer or to run in a virtual machine that can be reimaged every time it runs. Within 2 years, it will be feasible to run games in a VM on typical desktop hardware (once IOMMUs are common).
This is by far the most rational post I have seen on this topic. Yes, place the computer in the living room, and spend time with them in that room. Even if you are not doing the same thing as them, just being in the same room has benefits. There is some evidence (still being studied) that spending time in a different room than your kids is harmful to their development and increases the likelihood of them engaging in risky behavior (unprotected sex, for example).
My reasoning was more of the 12 year old variety: Wow, the bad guys on Reboot are Megabyte and Gigabyte! And I want to be even cooler, so I'll be Terabyte!!!
He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.
As far as I know, the general idea was that the transactions would happen so quickly that even if someone was watching, the money would be long gone before anyone could track it. Keep in mind that these stories are published long after the arrest occurs, so by the time you learn about what happened, the criminals have moved deeper underground.
"Now, most parents do indeed want to keep kids away from it, yet they willingly turn over the keys (computer) and let kids drive the Indy 500 (internet). They just can't be bothered to actually administer and moderate what their kids are doing."
How do you monitor what your children do online? That is the equivalent of trying to keep track of everyone that your children associate with, everywhere that they go with their friends, everything that they say, etc. It is just not possible to do that, and it never was.
Two things: first, this is a parental issue, not a government issue. Parents should be instructing their children to close any browser window that has pornography in it; second, and this is somewhat based on the first, is that teenagers going through puberty are not going to be harmed by viewing pornography (it is debatable whether or not prepubescent children would be). It is a matter of maturity, and again, only the parents can really judge whether or not their kid is mature enough to view "mature content." If a 15 year old is looking at pornography that they downloaded over the Internet, what is the problem? This material is only of interest to sexually mature people, and teenagers generally fall into that category.
Yes, these things take a while to sort themselves out. There is simply no other way to protect the rights of the citizens while maintaining a meaningful and functional government. Subtle violations of your rights take longer, because there is more disagreement over whether or not your rights were violated at all -- you might think that the DMCA is a violation of your rights, but there are plenty of people out there who feel that it is not and that in fact, the DMCA protects the rights of the citizens (copyrights precede free speech in the constitution), including you.
Seriously, why do people think the system is deficient just because problems are not solved instantly?
Perhaps because the Chinese are known to be engaged in an active espionage campaign and have attempted to gain access to government computer systems multiple times in the past (at least that is what is publicly acknowledged)? Frankly, as others have pointed out, invading congress is pointless since channels like CSPAN broadcast congressional meetings, including committee hearings, and the minutes from congressional meetings are available at the LOC.
Exactly. When I saw this headline, I expected a solid critique of the use of ASP.NET (there are certainly reasons to criticize this), but instead, it looks like a 12 year old wrote it. The website uses JPG compression, has some extra whitespace, and uses -- gasp -- gzip? That is about as important as how often I clip my toenails.
This is definitely something that needs to be curtailed -- these are not adults making a rational decision about these pictures, these are teenagers who think it is exciting. Arresting them will not stop the behavior, it will just drive it underground. What is needed is better parenting and education.
Frame fail -- you can view child pornography as long as you report it immediately and destroy it as soon as it has been collected as evidence by the police.
But the effect of tough times are job cuts. Those managers that value competence are not going to lay off their most competent (or seemingly competent) employees when the budget gets tight.
I'm running Kontact on Fedora 10, and Gmail is the only IMAP implementation to give me these problems. What bothers me the most is that there is no consistency in these errors -- sometimes people get them, sometimes they don't, sometimes there is an error every few hours, sometimes I go weeks with no errors.
"Although google apps is not perfect, I have never once heard of the kind of issues you are describing. I would posit that the issue is your client."
The reason you are wrong to assume it is my client is that I use IMAP to check my work email and school email, and this problem ONLY happens with Google. I am not alone, either; in fact, it is documented that Google's IMAP implementation is poor:
As recently as last night I was receiving an error about my "Sent Mail" folder not existing, despite it having been there a few hours earlier and the error was gone, as inexplicably as it came, this morning. I have also had this error occur with all my mail folders, which made checking my email impossible. As I said, I have never seen another IMAP implementation with these sorts of problems.
I said that YouTube was a bad idea early on, because of the discrepancies between YouTube's policies and the policies surrounding government content. You cannot save YouTube videos on your hard drive without violating their TOS. This is another example of the discrepancy. Disturbingly, this administration is not pushing YouTube to modify their policies for the White House channel.
"No, that's stupid, because a malware writer certainly has the requisite level of knowledge to bypass the problem. The "iptables-save" example I gave was something I ran into the first day I used an SELinux-enabled system, and it took me all of 10 minutes to figure out the workaround."
/var/lib/dhclient but not "mv" over it?), and you see why the first thing most admins do is disable SELinux."
And now the malware writer must convince the user to do something that the user was not planning to do, beyond simply opening the virus. Now the user must open virus, then write their own SELinux bypass on the malware author's instruction, and only then can the attack be completed. I never said this would cure every possible attack, I said it helped.
"Add in the fact that most (if not all) of the default policies are just plain stupid (why is it OK to "cp" over a file in
Not if they are competent when it comes to security. Mandatory ACLs and auditing are not something most sysadmins who have security concerns want to disable, especially when there is option of permissive mode which leaves auditing enabled. Sysadmins who are hoping that their firewall is enough to keep them secure -- the sort of thinking that has viruses spreading on USB keys -- might be turning SELinux off, but not anyone with more experience than that, unless they prefer some other ACL/auditing solution.
Besides, I thought this was a conversation about non-enterprise users, who do not have sysadmins there configuring their computers?
"I think you are a bit confused. Once a malware writer figures the workaround, then there is no SELinux log that anything happened, because SELinux only logs "prevents" by default. And, although you can have it log "permits", nobody has that much disk space."
Except that the workaround will require social engineering, assuming a reasonably sane SELinux policy from the distro, which is the best one can hope for in a non-enterprise installation. Social engineering is not a problem that can be solved by SELinux, nor is SELinux intended to solve it. For home users, SELinux prevents quiet attacks (or should prevent them if the distro policy maintainers are decent, like Dan Walsh), and for enterprise users it allows the effects of social engineering to be dulled and the user who was "engineered" to be traced more easily.
HOW did the /. moderators get a backwards 'd'?!!
That depends on how you weight the issues surrounding what McCarthy did. We are talking about a man who undermined basic rights, including the right to free speech, all in the name of catching people suspected of "anti-American." One of the reasons why America is a haven for political refugees is that we do not, or are not supposed to, persecute people for what they say and who they associate with, especially in political matters such as communism. It does not matter whether or not McCarthy captured communists, because the US government is not supposed to be in the business of hunting people down over their political beliefs. It is irrelevant whether statistically or economically what he did led to a numerical benefit if the basic rights that we take for granted were snatched away in the process. I would sooner see America stop existing entirely than see the right to speak freely and the right to hold any political position taken get away from the citizens of the USA.
"So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?"
/tmp, then "download" the files from /tmp using Firefox and store it in the correct place in ~/.mozilla. I'll bet, though, that all that would be required is the "pipe it through a trusted program" hack would work, too."
Not necessarily; you can make a policy that allows vi to edit those files. Policy tuning is tricky though, and you don't want to accidentally create an attack vector (not that Vi is a likely vector, but another editor might be).
"Although this might be more secure, I call it just a pain in the ass."
I have heard the same about using a non-root account. Security always takes away some convenience. "If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is read the files from the ~/.mozilla directory, write out any changes to someplace like
This is the idea -- you want to ensure that if something is writing to those files, and it is potentially dangerous, it is something that users need to have some minimum level of knowledge to do. Firefox writing to those files is normal; vi writing to them is potentially abnormal, and so you want to ensure that if it does happen, it is being done by someone who is aware of what is going on, or at least someone who is aware THAT it is going on. Without any SELinux policies, the edit could happen quietly, without the user ever knowing it happened.
I am not sure about Vista, but in Windows XP, you would create a "Software Restriction Policy:"
http://technet.microsoft.com/en-us/library/bb457006.aspx
As I said in my comment, this is not something a typical home user is going to be doing on their own.
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context. A virus attempting to install some sort of keylogger in Firefox is forced to attack through Firefox (or another Mozilla program); compare with malware in Windows, that could attack through specially crafted music file and install a keylogger in IE.
"Or you could, oh I don't know, not let morons near your computer?"
.exe."
.mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Except that this worm spreads through usb devices and is inherently not-Internet oriented. The only really safe way to use Windows is to constantly reimage your computer or to run in a virtual machine that can be reimaged every time it runs. Within 2 years, it will be feasible to run games in a VM on typical desktop hardware (once IOMMUs are common).
Average married slashdotter sounds like a very small sample set...
This is by far the most rational post I have seen on this topic. Yes, place the computer in the living room, and spend time with them in that room. Even if you are not doing the same thing as them, just being in the same room has benefits. There is some evidence (still being studied) that spending time in a different room than your kids is harmful to their development and increases the likelihood of them engaging in risky behavior (unprotected sex, for example).
My reasoning was more of the 12 year old variety: Wow, the bad guys on Reboot are Megabyte and Gigabyte! And I want to be even cooler, so I'll be Terabyte!!!
He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.
As far as I know, the general idea was that the transactions would happen so quickly that even if someone was watching, the money would be long gone before anyone could track it. Keep in mind that these stories are published long after the arrest occurs, so by the time you learn about what happened, the criminals have moved deeper underground.
Aw "terabyte" was my original handle...and I thought it was clever because it sounded like "terror."
"Now, most parents do indeed want to keep kids away from it, yet they willingly turn over the keys (computer) and let kids drive the Indy 500 (internet). They just can't be bothered to actually administer and moderate what their kids are doing."
How do you monitor what your children do online? That is the equivalent of trying to keep track of everyone that your children associate with, everywhere that they go with their friends, everything that they say, etc. It is just not possible to do that, and it never was.
Two things: first, this is a parental issue, not a government issue. Parents should be instructing their children to close any browser window that has pornography in it; second, and this is somewhat based on the first, is that teenagers going through puberty are not going to be harmed by viewing pornography (it is debatable whether or not prepubescent children would be). It is a matter of maturity, and again, only the parents can really judge whether or not their kid is mature enough to view "mature content." If a 15 year old is looking at pornography that they downloaded over the Internet, what is the problem? This material is only of interest to sexually mature people, and teenagers generally fall into that category.
Yes, these things take a while to sort themselves out. There is simply no other way to protect the rights of the citizens while maintaining a meaningful and functional government. Subtle violations of your rights take longer, because there is more disagreement over whether or not your rights were violated at all -- you might think that the DMCA is a violation of your rights, but there are plenty of people out there who feel that it is not and that in fact, the DMCA protects the rights of the citizens (copyrights precede free speech in the constitution), including you.
Seriously, why do people think the system is deficient just because problems are not solved instantly?
Perhaps because the Chinese are known to be engaged in an active espionage campaign and have attempted to gain access to government computer systems multiple times in the past (at least that is what is publicly acknowledged)? Frankly, as others have pointed out, invading congress is pointless since channels like CSPAN broadcast congressional meetings, including committee hearings, and the minutes from congressional meetings are available at the LOC.
Exactly. When I saw this headline, I expected a solid critique of the use of ASP.NET (there are certainly reasons to criticize this), but instead, it looks like a 12 year old wrote it. The website uses JPG compression, has some extra whitespace, and uses -- gasp -- gzip? That is about as important as how often I clip my toenails.
This is definitely something that needs to be curtailed -- these are not adults making a rational decision about these pictures, these are teenagers who think it is exciting. Arresting them will not stop the behavior, it will just drive it underground. What is needed is better parenting and education.
Of course, that is always the case...
Frame fail -- you can view child pornography as long as you report it immediately and destroy it as soon as it has been collected as evidence by the police.
But the effect of tough times are job cuts. Those managers that value competence are not going to lay off their most competent (or seemingly competent) employees when the budget gets tight.
I'm running Kontact on Fedora 10, and Gmail is the only IMAP implementation to give me these problems. What bothers me the most is that there is no consistency in these errors -- sometimes people get them, sometimes they don't, sometimes there is an error every few hours, sometimes I go weeks with no errors.
"Although google apps is not perfect, I have never once heard of the kind of issues you are describing. I would posit that the issue is your client."
The reason you are wrong to assume it is my client is that I use IMAP to check my work email and school email, and this problem ONLY happens with Google. I am not alone, either; in fact, it is documented that Google's IMAP implementation is poor:
http://www.wired.com/software/webservices/news/2007/10/imap
As recently as last night I was receiving an error about my "Sent Mail" folder not existing, despite it having been there a few hours earlier and the error was gone, as inexplicably as it came, this morning. I have also had this error occur with all my mail folders, which made checking my email impossible. As I said, I have never seen another IMAP implementation with these sorts of problems.