
Comment: Re:vandalism, nothing more? (Score 2, Interesting) 170

by azrider (#33805026) Attached to: Cryptome Hacked; All Files Deleted
And for those who don't want to read the book, he used whatever dot matrix printers he had available. Remote syslog to a machine with WORM media works too.

If you can't afford such writers, mount /var/log (or /var/adm depending on your system) on a remote with a different authentication, with the directories as 500 (-r-x------) and files as 300 (--wx------) with a specific user for whichever syslog variant you use. Then chattr -i on the remote system so that the directory is immutable. On the remote system (if using rolling logs) don't forget to change the logrotate (or other appropriate cron configuration files).

Works every time for system security stuff.

You can tailor the logs for as much or as little as you need. Until the cracker can compromise your remote logging system (which should have different root passwords, no sudo/ssh credentials and no other root access than the physical console), everything is recorded. Once it is cracked, you will know when it happened, because without the proper credentials on the logging system nothing can be erased.

Tripwire/dnotify/inotify are your friends if you take the time to learn them and if you take the time to set them up properly.
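What the layout in the comment above actually buys you can be checked in a sandbox. The script below is an added example, not code from the comment or from any project: it builds the tree with the modes the post gives (directories 500, files 300, a dedicated writer account) under a throwaway root and then probes what the writer's own credentials can still do to it. The log root, the hosts/web01.log file, the sample log line and the function names are all made up for the example. Two caveats a practitioner will want: the immutable bit is set with chattr +i (chattr -i clears it), and mode 300 on its own still lets the writer truncate a file it can write, so the example also puts the append-only +a flag on each file; both flags need root on a filesystem with attribute support, so that step is best-effort and the script says so when it is skipped.

```shell
#!/bin/sh
# Added example, not code from the comment above or from any project.
# Builds the remote log tree the post describes (directories 500, files 300,
# a dedicated writer account) in a throwaway root and probes what the writer's
# own credentials can still do to it. Everything here is illustrative: the
# log root is passed in, hosts/web01.log and the sample log line are
# constructed, and the writer account is whoever runs the script (a real log
# host would use the syslog daemon's unprivileged user).

make_logtree() {                   # $1 = log root (/var/log on the log host)
    mkdir -p "$1/hosts" || return 1
    : > "$1/hosts/web01.log" || return 1
    chmod 300 "$1/hosts/web01.log" # --wx------: writer can append, not read back
    chmod 500 "$1/hosts"           # -r-x------: no create/rename/unlink inside
    chmod 500 "$1"
}

# The immutable directory in the post is chattr +i (-i clears the flag).
# +i on the directory forbids creating or renaming files in it; +a on each
# file still allows appends but forbids truncation, which mode 300 alone
# does not. Both flags need root to set or clear, so a compromised writer
# account cannot undo them. Best-effort: fails cleanly without root or on a
# filesystem without attribute support (tmpfs, many container overlays).
lock_logtree() {
    for f in "$1"/hosts/*.log; do
        chattr +a "$f" 2>/dev/null || { unlock_logtree "$1"; return 1; }
    done
    chattr +i "$1/hosts" 2>/dev/null || { unlock_logtree "$1"; return 1; }
}

# logrotate on the log host has to call this from prerotate and
# lock_logtree from postrotate, or rotation fails against the flags.
unlock_logtree() {
    chattr -i "$1/hosts" 2>/dev/null
    for f in "$1"/hosts/*.log; do chattr -a "$f" 2>/dev/null; done
    return 0
}

# Probes: each returns 0 if the current user could perform the operation.
can_append()   { printf '%s\n' "$2" 2>/dev/null >> "$1"; }
can_read()     { cat "$1" 2>/dev/null >/dev/null; }
can_truncate() { : 2>/dev/null > "$1"; }
can_create()   { : 2>/dev/null > "$1"; }
can_unlink()   { rm -f "$1" 2>/dev/null; }

# Stand-alone run: sh thisfile.sh demo
if [ "${1-}" = "demo" ]; then
    root=$(mktemp -d)
    f="$root/hosts/web01.log"
    make_logtree "$root"
    lock_logtree "$root" || echo "chattr skipped (needs root on ext4/xfs)"
    # constructed sample line, not a real log entry
    can_append "$f" "Oct  4 12:00:00 web01 sshd[4242]: Accepted publickey for ops" \
        && echo "append:   ok"
    can_read "$f"                    || echo "read:     denied"
    can_truncate "$f"                || echo "truncate: denied"
    can_create "$root/hosts/new.log" || echo "create:   denied"
    can_unlink "$f"                  || echo "unlink:   denied"
    unlock_logtree "$root"
    chmod -R u+rwx "$root" && rm -rf "$root"
fi
```

Run as the unprivileged writer, append succeeds while read, create and unlink are denied; truncate is only denied once the +a flag is on the file, which is the gap between the mode bits alone and the attribute flags the post relies on. The chmod/chattr calls are what a real log host would do once under root; the probes are only there to show the result.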

Comment: Re:vandalism, nothing more? (Score 1) 170

by azrider (#33804936) Attached to: Cryptome Hacked; All Files Deleted

The slash and burn technique serves to cover up all sources of incriminating evidence, and better yet, hides the true motivation of the attacker unless they actually take the time to leave a message behind. You are not likely to find a trail of breadcrumbs lying around if their intent was business rather than pleasure.

Oh, really? See The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (by Clifford Stoll).

Comment: For this particular problem, RTFAFGS (Score 1) 170

by azrider (#33804664) Attached to: DC Suspends Tests of Online Voting System

Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?

These are military personnel voting (absentee) from overseas. I can guarantee you that I can control the originating network, the terminating network and the client machine.

And by the way, the system extends to 150 million clients running every kind of hardware, software, and configuration imaginable, maybe 25% of which are infected with malware, and to which we have no access and over which we have no control.

See above. If the machines which are eligible to be used to cast the vote are not under some sort of control, there is no way of doing this. However, the number of machines can easily be limited to the command and control structure, which makes this facet of the problem trivial.

If you are talking about people being able to vote from home, I heartily agree with Bruce Schneier that the problem may well be intractable, not for reasons of malware, but for the impossibility of testing every potential configuration.

If you limit the problem to the overseas (or otherwise deployed) military, and to the time between the absentee ballot becoming available and the last available date to return it, the problem becomes manageable, simply because the change management process for the available terminals can be controlled. Hell, simply send (under cover) a live CD with the software on it to each deployed service member. Now, no malware, no unknown configuration (at least what matters) and enhanced security.

BTW, see my post below.

Comment: According to the articles... (Score 1) 170

by azrider (#33804558) Attached to: DC Suspends Tests of Online Voting System

The "web site was hacked".

Who in their right mind uses a web served application for something such as this?

This calls for a secured, encrypted application, with a protocol that maintains its own data security.

It can be done. I built one for the government in 2001:

  • No remote login
  • No ports open except for the three being used for the protocol:
    • Incoming request for software
    • Outgoing Datalink
    • Incoming Datalink
  • Special protocol used for the communication
  • End to end encryption (with AES-CBC signing on all packets except the software download link)
  • Active firewall and IPDS

On a server with one side connected to a classified network (here it would be the counting facility) and one connected to an unclassified network (here it would be the Internet). Gee, it took me and another guy less than 2 weeks from design to active testing.

You would need physical access to the server in order to compromise the end to end system.

Total cost of the demonstration system (excluding our ~60 hours total development) was less than $2000 in 2001. Imagine what we could do with modern equipment.

Comment: Re:Bad GUI and no CLI: way too common (Score 1) 617

by azrider (#33802786) Attached to: Take This GUI and Shove It

Cisco's GUI stuff doesn't really generate any scripts, but the commands it creates are the same things you'd type into a CLI. And the resulting configuration is just as human-readable (barring any weird naming conventions) as one built using the CLI. I've actually learned an awful lot about the Cisco CLI by using their GUI.

Actually, Cisco's GUI stuff does generate the scripts and then stores the necessary commands in the config file.

Where it falls down completely is that none of them (IOS, ASA, CatOS or PIX) are capable of making all configuration choices. Take a moderately complicated config (split-tunnel VPN) and none of them can create it from the GUI. However, at least it does not overwrite any manual changes.

Comment: Re:I still think it's really dumb (Score 1) 483

by azrider (#33698460) Attached to: Why Warriors, Not Geeks, Run US Cyber Command Posts

I can understand about military situations being distinctly different from civilian ones. But this seems really dumb. What you want is people who can see patterns in stuff happening that nobody else would notice. You want human intrusion detection.

What you want is people whose training and experience says this smells wrong to me. Those are somewhat common among the higher echelon. What you really want is someone who will stand up to their decision.

The most dangerous cyber attacks are very subtle. I think talent and familiarity with the technical details are much more important than the ability to make quick decisions under intense pressure.

The two are not mutually exclusive. I can (and have and will) make the quick decision (regardless of the pressure) because those that sit above me do not want to second guess my decisions (ask any current or former military about what REMF means). My decision is for me to justify, and I had better be prepared to do so at any time.

The ability to make decisions under a lot of pressure can be an important skill,

Agreed

but spotting things that are subtly off, in my experience, requires intimate familiarity with the environment.

Agreed

A person's technical experience has a much greater correlation with that familiarity than combat experience.

FALSE. My technical expertise determines whether I can identify the threat. My technical (and OPERATIONS RESEARCH) expertise determines whether I can respond to the threat. My experience with the environment determines how I respond to the threat.

Ignore any of the three and see what you get.

Comment: Re:Less protection for free speech? (Score 1) 383

by azrider (#33623008) Attached to: In Canada, Criminal Libel Charges Laid For Criticizing Police

As the first reply said, is there a citation for that supposed ruling?

You would be more credible if you responded with something that actually backed up your assertion.

Instead, you provided a strawman argument:

The relevant Supreme Court cases (CITATIONS NOT PROVIDED) dealt with the race riots of the 60s and early 70s. During these riots certain black men and white men said things to one another, and were sued for issuing death threats (CITATIONS NOT PROVIDED). The SCOTUS (sic) reviewed the cases upon appeal and determined that "during the course of political protests, speech can become heated" but is nevertheless protected by the First Amendment. The men were let go without punishment.

Without CITATIONS as to the exact situation that was at issue, you are saying that all assault convictions should be voided on the basis of free speech.

I don't know about you, but if someone comes to me and says something to the effect of "I intend to do you bodily harm", I will call the paramedics or the morgue, whichever is appropriate.

Comment: Re:Why not just merge with Fedora or Ubuntu (Score 1) 206

by azrider (#33621914) Attached to: Developers Fork Mandriva Linux, Creating Mageia

Fedora's way too experimental compared to Mandriva. There's no reason for MDV to merge with Fedora as Mandriva has always been a lot more stable and conservative as compared to Fedora.

That is because Fedora is to RHEL as other distributions' "testing" is to "stable". On Red Hat style distributions, if you want stability (without the support costs), you use CentOS or Scientific Linux. If you want to be bleeding edge (like I do on my personal system), you use the latest version of Fedora (I am not so "bleeding edge" as to use the beta - Fedora 13 with custom kernels works just fine :-]).

Fedora and stable? Use Fedora 12 or one of the LTS versions of any of the distributions. I started my distribution experience with Red Hat and will stay with it.

Comment: Re:Name (Score 1) 206

by azrider (#33621610) Attached to: Developers Fork Mandriva Linux, Creating Mageia

"Why not just grab a copy of The GNU Image Processor from the web to get the intern working on some of these images you want?"

Better yet, why not refer to it by its correct name: The GNU Image Manipulation Program.

About GIMP: Introduction to GIMP
GIMP is an acronym for GNU Image Manipulation Program. It is a freely distributed program for such tasks as photo retouching, image composition and image authoring.
It has many capabilities. It can be used as a simple paint program, an expert quality photo retouching program, an online batch processing system, a mass production image renderer, an image format converter, etc.
GIMP is expandable and extensible. It is designed to be augmented with plug-ins and extensions to do just about anything. The advanced scripting interface allows everything from the simplest task to the most complex image manipulation procedures to be easily scripted.
GIMP is written and developed under X11 on UNIX platforms. But basically the same code also runs on MS Windows and Mac OS X.

From the GIMP website: http://www.gimp.org/about/introduction.html
