Decius
Current Topic: Technology

RE: Seeking your Opinion, Are 1/3 of security practices worthless?
Topic: Technology 1:26 pm EST, Feb 18, 2008

Tsudohnimh wrote:
Interesting article describing a talk given by "Peter Tippett-- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments."

Tippett uses several analogies concerning outdated vuln research and disclosure and the discarding of hackable technologies. On the surface this sounds good, but I'm curious to hear the opinion of some of the security professionals in MemeStreams.

Is he entirely off base? Does he make some valid points? Are his analogies far fetched?

I'd love to hear what you think.

Perennially, some self promoter, often a well credentialed and widely respected person, but a self promoter nonetheless, will stand up and claim that everything that everyone in the information security industry is doing is wrong and it all needs to change. These people are frequently discussed here. They usually don't have anything constructive to offer. I do my best to debunk them when they come up, but people seem to want to hold onto these things. It's a bit like the fair tax... People want to feel like they are privy to a different perspective which offers easy answers to complicated problems, and they don't want to hear that life isn't that simple.

As for this collection of points, you can rest assured that patch management people are more concerned about vulnerabilities that might actually be exploited than they are about issues that are esoteric, and scoring systems like CVSS take this into account. Is he proposing a change to that scoring system? No, we're on to another topic.

I'm not sure that I follow his point about passwords. You have to have them. I've always advocated proactive cracking instead of policies about length because that gets you closer to the actual threat you are combating. Rules about length are just an approximation. Does he explain what he thinks people should do instead? No, we're on to another topic.

I agree with his point about imperfect solutions still being helpful, and the analogy about seatbelts is a good one, but show me a perfect security solution and I'll quit this job, move to France, and learn to bake bread. He goes on to make an aloof reference to "studies" that show that patch management doesn't reduce the risk of exploitation. What studies? There are no such studies!

At the bottom he offers us his silver bullet: "For example, only 8 percent of companies have enabled their routers to do 'default deny' on inbound traffic."

What a silly comment. They do default deny on their firewalls, where the security policy is manageable, rather than on their routers, which aren't designed as packet filters and only offer that feature as an aside. Firewalls, and routers, are in fact the s... [ Read More (0.1k in body) ]



UNIX tips: Learn 10 good UNIX usage habits
Topic: Technology 11:16 am EST, Feb  7, 2008

When you use a system often, you tend to fall into set usage patterns. Sometimes, you do not start the habit of doing things in the best possible way. Sometimes, you even pick up bad practices that lead to clutter and clumsiness. One of the best ways to correct such inadequacies is to conscientiously pick up good habits that counteract them. This article suggests 10 UNIX command-line habits worth picking up -- good habits that help you break many common usage foibles and make you more productive at the command line in the process. Each habit is described in more detail following the list of good habits.

More here.
I only knew three of these.



New Unit of Reviewed Code Quality
Topic: Technology 11:00 am EST, Feb  6, 2008

Now I can finally tell my non-technical friends and family what my company does.



Slashdot Founder Questions Crowds Wisdom - Bits - Technology - New York Times Blog
Topic: Technology 7:42 pm EST, Jan 30, 2008

“A lot of these community news sites are all about Ron Paul,” he said. “Ron Paul may be a valid candidate. But what that is really demonstrating is that you are seeing 1 or 2 percent of a community shaping where the whole community is going. A small dedicated group of people can manipulate these sites very easily.”

Mr. Malda said that Digg must move to deemphasize that vocal minority in the overall voting. But then it would inevitably alienate its core user base. “All these sites start with a nucleus of dedicated people. Then as the gawkers join in you see a dilution. People who were there originally feel alienated and feel that the thing they helped created is being perverted.”

This is a problem MemeStreams addresses with its agent. If gawkers were to join the site, the original community would still be interconnected through the agent. Unfortunately, the gawkers aren't joining, and I'm not quite sure how to fix that problem.



Shape-shifting robot forms from magnetic swarm - tech - 29 January 2008 - New Scientist Tech
Topic: Technology 2:48 pm EST, Jan 30, 2008

Swarms of robots that use electromagnetic forces to cling together and assume different shapes are being developed by US researchers.

The grand goal is to create swarms of microscopic robots capable of morphing into virtually any form by clinging together.

Watch the video!



Risking Communications Security: Potential Hazards of the Protect America Act
Topic: Technology 12:44 am EST, Jan 29, 2008

This paper by Bellovin, Blaze, Diffie, Landau, Neumann, and Rexford will appear in a forthcoming issue of IEEE Security and Privacy.

A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents.

Noteworthy first told you about this paper in October, when he recommended an early draft. It is a follow-up on Landau's op-ed in August of last year.



IP Addresses Are Personal Data, E.U. Regulator Says - washingtonpost.com
Topic: Technology 8:11 am EST, Jan 23, 2008

IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

Hear, Hear



web zen
Topic: Technology 4:28 pm EST, Jan 19, 2008

01.18.08 : desktop zen



Ajax Security Book Out! Awesome buzz!
Topic: Technology 10:48 am EST, Dec 21, 2007

Acidus writes:

Ajax Security is out and the feedback I'm getting is incredible.

Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security, and here is what he had to say about it:

If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserves success. Go buy this book.

Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.

I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field.

The structure flows pretty well, building upon what you’ve already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride.

Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.

Web security guru dre offers up this review of Ajax Security:

It’s quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman, the great “Obi-Wan”, and pdp “Lord Vader” to represent the “light” and “dark” sides that is The Force behind the power wielded by Ajax.

The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tric... [ Read More (0.2k in body) ]



FuseOverAmazon - s3fs - Google Code
Topic: Technology 11:19 am EST, Dec 11, 2007

Is this the right way to get persistent storage in EC2?

FuseOverAmazon

FUSE filesystem backed by Amazon S3
Overview

s3fs is a fuse filesystem that allows you to mount an Amazon S3 bucket as a local filesystem. It stores files "natively" in S3 (i.e., you can use other programs to access the same files). Maximum file size=5G.

It's quite useful and stable, e.g., it can be used to easily copy daily backup tarballs to S3.

To use it:

1. get an Amazon S3 account!
2. download the source, compile it (I've used fc5/ppc and f7/i386), and put the binary in, say, /usr/bin/s3fs
3. do this:

/usr/bin/s3fs mybucket -o accessKeyId=aaa -o secretAccessKey=bbb /mnt

That's it! The contents of your Amazon bucket "mybucket" should now be accessible read/write in /mnt.
