Comment Re:Thank God.... (Score 1) 265
http://meta.wikimedia.org/wiki/Wikimedia_servers
Hey... 1995 called, it wants its browser plugins back.
This, a million times over.
people need to stop thinking of web apps in terms of "Internet explorer users". people FINALLY moved into the idea that you MIGHT have to support Firefox+IE, but need to stop thinking of the browser as a single platform.
"Barely holds 1% of the market"
Really? I'd like to know where you get your stats from.
According to numerous sources, including W3's OS Statistics ( http://www.w3schools.com/browsers/browsers_os.asp )
DESKTOP linux users number about 5%. and that doesn't include the VAST number of servers.
Linux in the server market outnumbers windows. http://en.wikipedia.org/wiki/Usage_share_of_operating_systems in the last few months "Linux/unix and variants" passed 50% of ALL server use.
with most of the people in Internet Security working on a platform that's NOT windows, there's good reason it's as well secured as it is. (that and anybody can find/fix a bug in the open source world. but that's another topic entirely
These logs are stored indefinitely; access is very restricted.
to whom? what you have to keep in mind is that computers operate as single minded entities. when you approach a machine like that: security is currently an afterthought. this tells me that there is somebody that holds access above the other users, basically missing the point here.
I can look this password up if my role allows it, but the lookup is also logged
Again, that means that there's somebody administering the logging system. and I almost assure you that even if their logins are listed somewhere: they have full access to remove those entries and make it look like it never happened.
as a hypothetical situation, say I have a machine that stores credit card numbers on a DSS approved network that's locked down in the ways you describe above. at the admin level, it would take me minutes to provision a machine to replicate the target. I don't mean replicate as in contents, I mean replicate to the network view.
the replicated machine can be tunneled into place and act as if it was the machine in question. as the admin: I already know what traffic flows the machine needs to produce on a regular basis (SNMP uptime's, network traffic counters, heartbeats, etc) so I can inject artificial traffic in it's place.
at this point, I can reverse firewall the unit preventing it for calling for help or reporting the changes I make. I can snapshot the drive and move it offsite, while making the changes to the snapshot to remove my presence from the machine and set the loader to write over itself with the snap. reboot into the snap and pull the zombie as the machine comes back up:
and what will the monitoring/auditing/reporting software see? nothing. everything will check out, MAC addresses will match, SNMP keys will match, even the statistics reported will look like they fit into the graphs.
Until CPU's are made to understand the "two key" approach to authentication, any machine will be susceptible to weak physical security.
Machines have less problems. I'd like to be a machine. -- Andy Warhol