Comment Netem and HTB (Score 1) 110

These two queuing disciplines allow you to create a fairly complete WAN simulator.
There are, however, a few gotchas:
  • Precise bandwidth limitation at high speed requires lots of CPU, a powerful bus and quality network adapters (read: server-class hardware).
  • If you want to simulate a complex network with more than two nodes, you'll need IFB (or IMQ) in order to shape incoming traffic, and even then some topologies would stay out of reach.
  • Keep in mind that there are two types of latency: the "serialization" latency that depends on packet size and link speed, and the "processing" latency that depends on packet rate and the processing power of the network hardware. Netem simulates the "processing" one.
  • Simulating "serialization" latency would be harder, would require more CPU and, as a "side" effect, would also implement bandwidth limitation. As of today I'm not aware of any project that would accurately simulate "processing" latency in the Linux QoS framework.

All that being said, in most cases having a rough simulation is sufficient to validate the behaviour of an application on a WAN before deployment.
For those interested there is an excellent, 13-year-old but still relevant paper about latency: http://rescomp.stanford.edu/~cheshire/rants/Latency.html
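The HTB + netem + IFB setup the comment describes, as an added example (not code from the comment): HTB caps the rate, netem under it adds the fixed "processing"-style delay, and an IFB device lets the same pair shape ingress. Interface names and link parameters are constructed values; the functions only build the tc/ip argv lists, so they can be inspected without root.

```python
"""One-host WAN emulator: HTB (rate) + netem (delay/jitter) + IFB (ingress).
Commands are returned as argv lists and printed; run() executes them only
when apply=True, which needs CAP_NET_ADMIN on a Linux host."""
import subprocess


def htb_netem(dev, rate, delay, jitter):
    """HTB root qdisc with a single class at `rate`; netem hangs under that
    class and adds a fixed delay +/- jitter, independent of packet size."""
    return [
        ["tc", "qdisc", "add", "dev", dev, "root", "handle", "1:", "htb", "default", "10"],
        ["tc", "class", "add", "dev", dev, "parent", "1:", "classid", "1:10",
         "htb", "rate", rate, "ceil", rate],
        ["tc", "qdisc", "add", "dev", dev, "parent", "1:10", "handle", "10:",
         "netem", "delay", delay, jitter],
    ]


def wan_sim_commands(dev, rate, delay, jitter, ifb="ifb0"):
    """Shape egress on `dev`; redirect ingress to `ifb` and shape it there
    with the same HTB + netem pair (tc can only shape what leaves a device)."""
    cmds = htb_netem(dev, rate, delay, jitter)
    cmds += [
        ["modprobe", "ifb", "numifbs=1"],
        ["ip", "link", "set", "dev", ifb, "up"],
        ["tc", "qdisc", "add", "dev", dev, "handle", "ffff:", "ingress"],
        ["tc", "filter", "add", "dev", dev, "parent", "ffff:", "protocol", "ip",
         "u32", "match", "u32", "0", "0",
         "action", "mirred", "egress", "redirect", "dev", ifb],
    ]
    return cmds + htb_netem(ifb, rate, delay, jitter)


def teardown_commands(dev, ifb="ifb0"):
    """Remove both shapers and the ingress hook."""
    return [["tc", "qdisc", "del", "dev", dev, "root"],
            ["tc", "qdisc", "del", "dev", dev, "ingress"],
            ["tc", "qdisc", "del", "dev", ifb, "root"]]


def run(cmds, apply=False):
    """Print every command; execute only when apply=True. Returns the count."""
    for argv in cmds:
        print(" ".join(argv))
        if apply:
            subprocess.run(argv, check=True)
    return len(cmds)


if __name__ == "__main__":
    # Constructed values: 2 Mbit/s link with 80 ms +/- 10 ms one-way delay.
    run(wan_sim_commands("eth0", "2mbit", "80ms", "10ms"))
```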

Comment what a coincidence! (Score 1) 412

This morning I had my son (4.5y) asking me to get him outside to ride his bicycle.
So I've asked him in turn to plan the whole thing: getting dressed, going to the place where the bicycle is stored, getting the key to open the door etc.

It was hard for him but he managed to have an "executive" plot.

So I think I'll do that little exercise again.

As a side note: it would be interesting to conduct a similar study on a representative population of executive officers and financial experts.

Hint for parents: to *always* explain why you want your kid to do such or such thing is a wrong path; they must know that there are circumstances (until a certain age) in which questioning parental authority is not allowed (and *that* could be explained: you are totally accountable for what they do and what happens to them).

Comment Apologize (Score 1) 703

This is probably your last chance. I mean, it does not have to be related to the reason you are leaving. But nobody's perfect; there is for sure something about you that was painful to your coworkers: recognize it, beg for pardon.

Submission + - Producing FW rules from logs

hugetoon writes: Greetings Slashdot community,

To avoid reinventing the wheel I'd like to have your opinions on how this should be done.

Rules should be in canonical form: Source,Destination,Service,Action.
Source, Destination and Service are groups of the respective object types.
Action should be "allow" or "deny", but I think it would be better to only have "allow" rules if possible.

I need to go beyond a simple "select...group by".
At least some kind of optimization of group contents is needed to reduce the number of resulting rules while not authorizing anything other than what was seen in the logs.

The main difficulty I see here is making sensible decisions when multiple group combinations are possible.

Some A.I. tricks that would make the resulting rule-base easier to read would be welcome.
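One way to attack the problem stated in the submission, as an added example (not the submitter's code): start from one atomic rule per observed flow, merge rules that are identical in two dimensions by grouping the third, and try every order of the three dimensions, keeping the shortest result. Each merge is an exact product of groups, so the rule-base never authorizes a flow absent from the log. The log format and addresses are constructed.

```python
from itertools import permutations

# Constructed sample of accepted flows: "<src> <dst> <proto>/<port>" per line.
SAMPLE_LOG = """\
10.0.1.10 10.0.2.5 tcp/443
10.0.1.11 10.0.2.5 tcp/443
10.0.1.10 10.0.2.6 tcp/443
10.0.1.11 10.0.2.6 tcp/443
10.0.1.10 10.0.2.5 tcp/22
10.0.1.11 10.0.2.5 tcp/22
10.0.3.7 10.0.2.9 udp/53
"""

def parse_flows(text):
    """Set of observed (src, dst, service) triples."""
    return {tuple(line.split()) for line in text.splitlines() if line.strip()}

def merge_on(rules, dim):
    """Merge rules identical in the other two dimensions by taking the union of
    their `dim` groups; each rule is an exact product, so nothing new is allowed."""
    buckets = {}
    for rule in rules:
        key = rule[:dim] + rule[dim + 1:]
        buckets.setdefault(key, set()).update(rule[dim])
    return [key[:dim] + (frozenset(grp),) + key[dim:] for key, grp in buckets.items()]

def mine_rules(flows):
    """One atomic rule per flow, then group dimensions in every order; keep shortest."""
    atomic = [tuple(frozenset([v]) for v in flow) for flow in flows]
    best = None
    for order in permutations(range(3)):
        rules = atomic
        for dim in order:
            rules = merge_on(rules, dim)
        if best is None or len(rules) < len(best):
            best = rules
    return sorted(best, key=lambda r: [sorted(g) for g in r])

def expand(rules):
    """Every flow a rule-base authorises (to check it equals the log)."""
    return {(s, d, v) for src, dst, svc in rules for s in src for d in dst for v in svc}

def canonical(rules):
    """Source,Destination,Service,Action lines; groups written as {a b}."""
    fmt = lambda g: "{" + " ".join(sorted(g)) + "}"
    return ["%s,%s,%s,allow" % tuple(fmt(g) for g in r) for r in rules]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    rules = mine_rules(flows)
    print("\n".join(canonical(rules)))
```

The seven sample flows collapse to three allow rules; comparing `expand(rules)` with the parsed log is the check that no extra flow was authorized.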

Comment Re:Theft (Score 1) 311

When you put it that way it may seem wrong indeed.

Now please consider the facts from the following perspective:

- I do not need any of M$ products for any particular feature they may provide, and I'm perfectly happy with free alternatives...
- Except when I have to exchange with the part of the universe that is captive to M$ formats
- There are so many people who are captive because M$ has a monopoly
- M$ created its monopoly by resorting to illegal activities (convicted in multiple courts)

In this situation I believe that I'm entitled to use M$ products for free in order to achieve interoperability.

Comment Re:PCI standards and real life (Score 5, Insightful) 98

The PCI standard addresses only the environment where card numbers are stored and processed. You can reduce this perimeter with appropriate segmentation.

I shudder when I think of one company that I worked with. They are a very high level financial institution. Guess what their AIX HMC passwords are? Can you get to them from the outside world? Yep. Could I down their production servers, a year after I worked there? Yep. Are they considered compliant to DSS/PCI standards? Yep.

I suppose the AIX servers were in the PCI environment (otherwise your comment is out of scope).
Then the situation you describe probably violates the following requirements:

req. 2.1: "Don't use default passwords"
req. 8.5.4: "Immediately revoke access for any terminated users."
req. 8.5.5: "Remove/disable inactive user accounts at least every 90 days."
req. 8.5.6: "Enable accounts used by vendors for remote maintenance only during the time period needed."
req. 8.5.8: "Do not use group, shared, or generic accounts and passwords."
req. 8.5.9: "Change user passwords at least every 90 days."
req. 8.5.10: "Require a minimum password length of at least seven characters."

About the fact that you can connect to the servers from outside: that means no segmentation, which in turn means that the whole internet is to be considered part of this company's PCI environment.

Now please tell me by WHOM are they considered compliant?
Being a financial institution means that they are a provider (and maybe a merchant too); they certainly have to be audited by a QSA (a self-assessment questionnaire would not be sufficient), which could mean one of two things:
The QSA did not do his job properly
The company concealed things from the QSA
