Well that would be great except for the fact that a team from Johns Hopkins has proved that this makes the communications much easier to decode. This basically comes down to a weakness in the actual algorithms that are being used to encrypt this traffic. The problem is that if you want a highly secure algorithm, you need to pad a fair amount of bogus data into the stream to prevent analysis of this type, however that becomes quite expensive as processors have to encrypt and decrypt it, plus you have to pay for more bandwidth to transmit the conversation.

The technology hasn’t been implemented yet, so the Johns Hopkin team is hoping that this will slow down implementation until a better solution can be found.

Link to the story at NewScientistTech, which happens to quote one of my geek heroes, Phil Zimmerman, creator of PGP(Pretty Good Privacy).

Every once in a while you may do such a good job of this presentation that you’ll be asked to present it at a conference. Or, depending on the Machiavellian nature of internal politics, you may have a peer request that you send them your powerpoint so that they can present it to other executives and act like the work to produce this document is actually their own.

In those cases, it’s useful to know how to sanitize a document of it’s tantalizing private data. Now if you don’t know much about Microsoft Office you may think you can just delete some of that data and it will be gone. But alas, poor Yoric, Microsoft is going to try to save your butt and may retain your changes just in case you decide later on that you want to undo those changes. Well you know who’s great at keeping their secrets? The NSA.

Yup, that’s right, the NSA put out a guide on how to avoid all this. And those persistent scientists over at FAS have a copy of it they obtained, probably via the Freedom of Information Protection Act. So, without further ado, here is Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF

If Vista wasn’t such a bloated disgusting piece of crap and XP wasn’t so damn stable, supportable, affordable, eminently usable and hackable then perhaps this would be a great thing. Because this could be the end of malware. It would take time, but developers will get tired of users complaining about all the stupid pop-ups, so they’d start developing in a more secure manner. Then the only things that would be popping up these UAC prompts would be serious geek tools and malware.

Gizmodo covered this feature here, but the commenter’s don’t seem very convinced.

Truly great languages do receive updates less frequently as they age.  That’s because such a large base of programmers have learned the earlier libraries and being the bright chaps they are, they requested more and more features.  Until at a certain point the product becomes so eminently usable that very little else needs to be added for most users.

Now there are going to be specific requirements for each project and that’s where the development comes in.  But god bless these bright chaps, because not only do many Perl programmers write this custom code, but they frequently check it back into CPAN as modules.

So other people who program similar projects with these precise requirements don’t have to reinvent the 7-spoke, 16″, lithium-greased, carbon steel wheel.  You see, Perl provided the wheel to everyone who worked with the base language.  But not everyone needs a 7-spoke, 16″, lithium-greased, carbon steel wheel.  Especially when they’re writing really secure code that has to be analyzed line by line for security risks.  Or if they want to write really small code that will work on a mobile phone or embedded code.

Why is this good for business?

Do you really want your programmers to have to re-learn their code-base every 5 years?  I knew lots of people who used to know how to do some Visual C++ and Visual Basic development back in the .com days.  Then along came Java.  In the midst of this came a lot of middleware that provided common libraries for programmers.  And then came .net.  Now, most Java developers don’t do Microsoft stuff, but these days some .net guys do perl and some java guys do some .net.

But trying to find and hire people that will mesh with whatever mix of code your shop is currently running is difficult for technical managers.  It’s completely impossible for HR and non-technical managers.

Now I’m not saying that hiring Perl developers is necessarily any easier.  And I’m not trying to be a Luddite either.  All I’m saying is that new revisions of products come out when current needs aren’t being met.  So we haven’t needed another Perl for a while now.

And Sterling hits on a brilliant point about how poorly the TIOBE index measures current market needs or the current state of code development.  Go figure that a free language doesn’t have a bunch of PR geeks hiring Search Engine Optimization guys to drive up the results of people’s searches.  Microsoft and Sun are literally spending millions of dollars to try in tilt these sort of comparison’s in their favor because it helps them make money.  Then we have to spend our money to learn the new skills, license the new libraries, call for support on their poorly written new projects, etc. etc.

In summary, Perl still kicks much ass and it’s not going anywhere any time soon because the price is right, it does the heavy lifting, has a good community full of nice people like the Perl Monks and Larry Wall is god.

A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away.
Antoine de Saint-Exupery

ERROR:

# /usr/local/sbin/visudo
visudo: /usr/local/etc/sudoers: Read-only file system
# hostname
appserver.sierraleone.appserver-devapp1

SITUATION:

I’m in a Solaris zone. Modifications must be made in the Global Zone
# /usr/sbin/zoneadm list
global
apache
macau
ireland
rhodesia
uruguay
sierraleone
kenya
testing
westernsahara
algeria
canada
newguinea
oman
haiti
vietnam
antarctica
liberia
# /bin/grep benicio /etc/passwd
# /bin/hostname

appserver-devapp1

visudo works just fine in the global zone. I just had to log out of the individual container.
There are security ramifications to how I did this. I happened to be adding a developer to a box where he already had access to many of the systems.

I think there could be two ways to handle this. I could setup individualized local sudoers in each container, but that does get a bit cumbersome. The only other thing I can think of is to come up with some sort of username/usergroup security hierarchy so that the end users would use different users in different zone. That is equally cumbersome and worse it puts pressure on the end users to modify their behaviour due to a design problem.

I’ll do some research and try to see if Sun has an idea on how best to manage this or if a smarter admin has already posted a tutorial about this.

Dropping the traffic instead of rejecting it costs the spammers/hackers more resources and saves you a tiny bit too. Here’s the original post.

For years I was on the anti-spam team for Sprint Nextel’s production network. That is, we protected Sprint Nextel’s customers, not Sprint Nextel’s employees. During that time we trialed Microsoft’s Hosted Spam Protection, ala bigfish.com, but eventually went with Ironport appliances that also strip off virus ridden email. Frankly bigfish.com was fairly unimpressive, with up to 16hour delays of email and zero responsiveness to complaints. I only bring this up, because when I was in San Bruno meeting with Ironport’s senior IT guys, they really helped me understand how the cute black hats are gone and the mafia has moved in.

The environment has changed. We will some day look back to the early days of virus authoring and probably even spyware authoring as just a bunch of pranksters playing around. Kids flexing their IT muscles because their professors couldn’t challenge them with a lab big enough or a problem complex enough. I already tell stories of the early days when Cult of the Dead Cow were spoofing everyone with their Pave The Planet movement to other geeky friends. Nevermind the kid who tried to convince me that he was Eli Ladopoulos, aka Ac1dphreak, yet he couldn’t ferry files to me over the internet and instead snail-mailed me a 3.5″ floppy of junk.

Unfortunately, the current threats are people who are working for organized crime syndicates around the world. Some of them run their own DNS servers, some of them own whole blocks of IP ranges and they are all just looking for straight out money.

Until identity theft, online extortion and destruction of intellectual property is perceived by law enforcement as actual crimes, then we’re all stuck in a reactive mode. Yes, some of the spam kings are getting big sentences when they rarely find them, but law enforcement really needs to start taking these things seriously. As do insurance companies. If my computer was destroyed by a virus today, it would take around $500 worth of my time to get it back up and running. If my identity was stolen I could easily lose ten’s of thousands of dollars in actual real money, lower credit scores and problems with future employment. But if I filed a report with the FBI, I’m not very sure that they would take it seriously. And if I filed the report with my insurance I believe I’d have a very hard time justifying the amounts of legitimate damage to them.

While I am concerned about the security of my personal information I am much more concerned about my responsibility as a Systems Integrator. I have an obligation to the people within my organization and to the people my organization serves to protect their information with all the tools available to me. I can’t fix law enforcement or insurance problems but I can design correctly, publicly advocate better policies and protect my end users from these criminals.

the impetus of this change is on enough pissed off customers and not on the legislation or executive branches. just my opinion.

http://www.kuro5hin.org/story/2004/7/6/14354/09182