
Comment: Badly written comparison (Score 1) 312

by Deleriux (#36365754) Attached to: How Apple's iOS Went From Insecure To Most Secure

iOS 4 [8], the latest version of iOS, includes ASLR, DEP, a sandbox, and code signing

Having never used iOS long enough to compare with other systems, it might impress on the phone front, but I am unconvinced it's really competing against the Desktop. In fact, it's an apples and oranges comparison anyway.

Firstly, having read the article - it's incredibly lacking in exposure to many operating systems. After this, the technologies quoted are all available in most modern distros of Linux, plus more including resource limitations to prevent abusing memory or CPU and mandatory access control mechanisms.

From a security perspective, seeing as with a smart phone you are carrying your online persona outside with you, it's at much greater risk of data theft than with a fixed desktop.

Comment: Detection and Accounting (Score 1) 219

by Deleriux (#35044190) Attached to: How Do You Protect Servers From a Rogue Admin?

Because someone is in a position of trust, with privileges raised to do their job, doesn't mean you cannot do anything if the trust is breached.

You need to account for the commands and time spent on a box that an admin might do, so that if there ever was a breach of trust there are sufficiently strong logs to detect how and when and what happened. If people know that their work is (if needed) being recorded there's less incentive to do damage that might be criminally motivated.

You also need to detect and be notified of activity that would not typically fall within the boundaries of an admin's daily routine (such as deleting large quantities of files perhaps, or execution of programs (like shred) that you wouldn't typically use).

You have not mentioned the platforms you are working with, or if you're talking about a platform - or just some CMS, but Linux for example has audit, you can set this up to monitor virtually anything you might want to watch for. It takes a little more creativity to audit from a thresholds perspective (where work is permitted but too many events at once is a threat) but it can be done. Audit can be locked once you've finished setting up the ruleset, meaning the box needs to be rebooted for you to change the ruleset at all.

There are also pam modules for Linux (like pam_tty) that can log literally every character a user pressed into their terminal (including non-space characters like escape and backspace) which can be useful to help determine the impact of incidents that you might be after avoiding.

SELinux on Linux on newer distros (typically thinking Enterprise Linux 6) has flexible support for role based access controls, which can further restrict an admin's abilities exactly down to least privilege needed to do their job. Learning SELinux to the extent you can really do this efficiently might be a commitment, though, that you might not have the time for - although I certainly recommend learning about Mandatory Access Control policies, especially for situations like this.

Transport these logs to a remote machine, if necessary one nobody has access to without some form of local authorization (like using pam_usb). There's no point doing logging just on the audited box that a potential admin has access to.

Detection can be more difficult. Prelude is an open source security application that offers some stuff you might find of benefit here, other than that rolling your own scripts might help too - depending on your skills and experience in such things.

Finally, and more importantly - people who are given positions of trust like this should be trustworthy. This is purely a management problem, but screen your guys effectively. Don't hand the keys to the city to some bloke you pulled in off the street without doing at least some background checking.
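
The threshold-style auditing and unusual-program detection described in the comment above can be run over audit records shipped to the remote log host. This is an added example, not part of the original comment or of any project's code; the rule key `admin-delete`, the window and limit values, and the sample records are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample records in auditd's SYSCALL layout (not real logs).
# "admin-delete" is an assumed key, as would be set with -k on a delete-watching rule.
def _rec(ts, serial, auid, exe):
    return (f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=263 '
            f'success=yes exit=0 auid={auid} uid=0 comm="x" exe="{exe}" key="admin-delete"')

SAMPLE = ([_rec(1296500000 + i * 0.5, 100 + i, 1001, "/bin/rm") for i in range(12)]
          + [_rec(1296500000 + i * 60, 200 + i, 1002, "/bin/rm") for i in range(12)]
          + [_rec(1296500700, 300, 1002, "/usr/bin/shred")])

REC = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?\bauid=(?P<auid>\d+)\b'
                 r'.*?\bexe="(?P<exe>[^"]*)".*?\bkey="(?P<key>[^"]*)"')

def detect(lines, key="admin-delete", window=10.0, limit=10,
           rare_exes=("/usr/bin/shred",)):
    """Return alerts as (kind, auid, timestamp) tuples.

    'burst':    more than `limit` keyed events from one auid within `window` seconds.
    'rare-exe': a keyed event whose executable is listed in `rare_exes`.
    auid is the login uid, which stays fixed after su/sudo to root.
    """
    recent = defaultdict(deque)  # auid -> timestamps still inside the window
    bursting = set()             # auids over threshold, so each burst alerts once
    alerts = []
    for line in lines:
        m = REC.search(line)
        if not m or m["key"] != key:
            continue
        ts, auid = float(m["ts"]), int(m["auid"])
        if m["exe"] in rare_exes:
            alerts.append(("rare-exe", auid, ts))
        q = recent[auid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop events older than the sliding window
        if len(q) > limit:
            if auid not in bursting:
                bursting.add(auid)
                alerts.append(("burst", auid, ts))
        else:
            bursting.discard(auid)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In the sample, auid 1001 deletes twelve files in under six seconds and trips the threshold, while auid 1002 deletes the same number spread over eleven minutes and is only flagged for running shred.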

Comment: Re:Article is a joke and false (Score 2) 132

by Deleriux (#35007916) Attached to: Fedora 15 Changes Network Device Naming Scheme

Whilst this solution does not particularly offer any more device consistency with what is already in Fedora, the idea here I believe is to make the ethernet configuration stateless in addition to consistent.

This is not the case at the moment, as the network scripts add udev rules binding ethX named devices against the MAC address of the underlying device itself (so MAC AA:BB:CC:DD:EE:FF is always ethX). This additionally offers no indication of which PCI device this is referring to, and on ethernet cards with multiple ports, which port the ethernet device is associated against.

I think this is over-engineering a solution if you're only after device naming consistency across reboots, but it makes more sense when you understand that what Fedora want to do is be able to make their logical naming schemes for network devices map to the physical devices, in addition to providing device naming consistency.

Comment: I've tried it and I was disappointed. (Score 1) 93

by Deleriux (#31886326) Attached to: Anatomy of Linux Kernel Shared Memory

KSM is a great idea, much of its abilities are available in Fedora 12. I tried it and I had higher expectations to be honest.

That is not to say that it is no good - it's great but there is a bit of a cost analysis that should be done before implementing it. You don't get something for nothing - and in this case ultimately you're offloading the higher memory usage onto the CPU. Depending on your hypervisor setup this might not be such a bad thing of course.

In my somewhat narrow testing of it I found that:-

a) Even with the same O/S images running multiple times the memory I saved was about 5-10%.

b) It effectively used about 50% of one CPU running the feature.

I think that to really see a benefit to this you have to be running a huge hypervisor with a ton of memory and cpus and a lot of guests as there is a plateau which beforehand makes it quite inefficient to use the features seeing as (at least with my results) the payback is less than 10% anyway.

Security

Real-Time Keyloggers 205

Posted by kdawson
from the taking-a-leaf-from-twitter dept.
The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."
Businesses

If You Live By Free, You Will Die By Free 251

Posted by ScuttleMonkey
from the give-it-away-now dept.
Hugh Pickens writes "Internet entrepreneur Mark Cuban writes that the problem with companies who have built their business around Free is that the more success you have in delivering free, the more expensive it is to stay at the top. '"They will be Facebook to your Myspace, or Myspace to your Friendster or Google to your Yahoo," writes Cuban. "Someone out there with a better idea will raise a bunch of money, give it away for free, build scale and charge less to reach the audience."' Cuban says that even Google, who lives and dies by free, knows that 'at some point your Black Swan competitor will appear and they will kick your ass' and that is exactly why Google invests in everything and anything they possibly can that they believe can create another business they can depend on in the future searching for the 'next big Google thing.' Cuban says that for any company that lives by Free, their best choice is to run the company as profitably as possible, focusing only on those things that generate revenue and put cash in the bank. '"When you succeed with Free, you are going to die by Free. Your best bet is to recognize where you are in your company's lifecycle and maximize your profits rather than try to extend your stay at the top," writes Cuban. "Like every company in the free space, your lifecycle has come to its conclusion. Don't fight it. Admit it. Profit from it."'"

Comment: Depends how many VMs you're running. (Score 5, Informative) 272

by Deleriux (#27292273) Attached to: Reasonable Hardware For Home VM Experimentation?

I personally use qemu-kvm and I'm quite happy with it. That's running on a dual core machine with 2G of RAM (probably not enough RAM though!).

For the KVM stuff you need to have chips which support Intel's VT or AMD's AMD-V so your processor is the most important aspect. A quad core would probably be suitable too if you can buy that.

For just experimentation usage it's a fantastic alternative to VMWare (I personally got sick of having to recompile the module every time my kernel got updated).

On my box myself I've had about 6 CentOS VMs running at once but frankly they were not doing much most of the time. Ultimately it's going to boil down to how much load you inflict on the VMs underneath, my experience with it has not been very load heavy so I could probably stretch to 9 VMs on my hardware which is probably on the lower end of the consumer range these days.

The most important bits are your CPU and RAM. If you're after something low spec you can do dual core 2G RAM but you could easily beef that up to quad core 8G RAM to give you something you can throw more at.

Oh and Qemu without KVM is painstakingly slow - I wouldn't suggest it at all.

The Internet

How To Keep a Web Site Local? 297

Posted by kdawson
from the first-ban-google dept.
Cornwallis writes "The universal accessibility of the Internet is one of its attractions. But what do you do when you don't want your board to be Slashdotted? Back in the day it was great to run a local BBS where friends and neighbors could dial in using their 9600-baud modems to pick up mail or share games or stories. Now, my Web-based board gets slammed by people from all over the world who have no reason to access it, can't possibly take advantage of the locally focused services it offers, and generally take up my time because I have to block their accounts or explain to them why they can't have access. This despite the fact that the board explains quite clearly that it is for local use only and couldn't possibly be of interest to them. Other than putting thousands of entries in my hosts file to block IP ranges, what options do I have to restrict access to locals only? Or isn't that feasible?"
Games

The Most Influential Games In History? 254

Posted by Soulskill
from the aside-from-duke-nuken-forever dept.
Kotaku reports on a list published recently by Guinness World Records which credits Super Mario Kart as the most influential console game in history. "Tetris ranks in at number two, according to the list, and the original Grand Theft Auto is in the number three spot. Where does Super Mario Bros. turn up? Way down at number 17, beneath Grand Theft Auto: San Andreas." Several other franchises have multiple entries on the list, such as Final Fantasy and Resident Evil. What console games have influenced you the most?
Data Storage

USB Flash Drive Comparison Part 2 — FAT32 Vs. NTFS 198

Posted by timothy
from the get-your-data-past-the-border-guards dept.
Dampeal writes "Ok, a little while back I ran a somewhat large USB Flash Drive Comparison with 21 drives compared, today I got part two of that comparison. I've taken the 8gig and 4 gig drives, nine in total, and formatted them FAT32, NTFS and ExFAT and ran all of the tests over again for a comparison of how the file systems work on the drives." Good news — after some exhaustively graphed testing scenarios, the author comes to a nice conclusion for lazy people, writing "[I]n my opinion the all around best choice is FAT32, or the default for most all USB drives out there today, it seems to give us the best average performance overall."
Windows

Windows Vista Service Pack 2 Expected Tomorrow 149

Posted by timothy
from the tomorrow's-tomorrow's-yesterday dept.
arcticstoat writes "After dishing out a few copies of the beta of Windows Vista Service Pack 2 to select customers in October, Microsoft has now decided to let the general public get their hands on the beta of the service pack, starting from tomorrow. The beta of the service pack will be made available via Microsoft's Customer Preview Program on 4 December, and it includes all the updates since Service Pack 1, as well as a few other bits and pieces. Most notably, Microsoft says that Service Pack 2 'improves performance for Wi-Fi connection after resuming from sleep mode,' and adds the Bluetooth 2.1 Feature Pack, ID strings for VIA's Nano CPU and support for the exFAT file system for large flash devices."
