Seriously though, this book is written by three Microsoft security researchers, I guess that said enough.
Assumption is the mother of all fuck-ups. You consider the security researchers incompetent because they are (or were) part of the Microsoft team? So, because some Linux kernel coders make mistakes which lead to 'r00t3d' boxes, all Linux kernel coders are incompetent?
I think you're thinking a little bit simplistic here.
I think you're thinking a little bit simplistic here.
No, I think he's being a lot simplistic here, but that's just part of the larger mindset of Slashdot. "Linux GOOD! Microsoft BAD!" It's become the sheep's favorite thing to say during intense meetings on this Animal Farm we call Slashdot. You can lead a zealot to the truth, but you cannot make him think.
You can lead a zealot to the truth, but you cannot make him think.
I always think of the rabid anti-MS posters as like terrorists (though harmless and without enough conviction to actually *do* something) as they have no thought to any other side to a story than what they've been told to believe (MS is the enemy, always), without letting any facts or alternative ideas get in the way (all workers at MS must be incompetent).
zealots are bad people. all of them. even the kiddies who mindlessly slate MS and pr
terrorists...as they have no thought to any other side to a story than what they've been told to believe... without letting any facts or alternative ideas get in the way....
The story of The Man in the Tinfoil Hat [trilobyte-mag.com] is a poignant one here... The relevant quote is (emphasis mine)...
"I'm going to give you the best advice you'll ever get for survival in this field. Here it is: Never ask the lunatic if he's crazy. I repeat, never ask the lunatic if he's crazy. Of course he's going to say 'NO.' What do you expect? You're always going to get a self-serving, agenda-driven answer.
People are 'crazy' because they can't, and don't, see the lunacy that drives their lives. Never ask the lunatic if his illusions are real. Of course he's going to say 'YES.' If his problems aren't real, then he's crazy. But since he's not crazy, the delusions are real. In a nutshell (no pun intended): the more absurd the belief, the more deeply it must be held, the more aggressively it must be promoted and angrily defended if the patient is to see himself as right and sane. Get it?"
As the author of that article puts it further down:
"If MS (and all its staff) is not evil and incompetent, then the zealots are crazy."
I am a Linux user and advocate, but I still find these assertions silly...
Never ask the lunatic if he's crazy. I repeat, never ask the lunatic if he's crazy. Of course he's going to say 'NO.' What do you expect?
Faulty logic. It is a two-way street. Just because you assume somebody is a lunatic (Never ask a lunatic) doesn't mean they are. You may be the lunatic.
I suppose the point is that no-one will ever say 'Yes' - logic alone will not convince a lunatic or a zealot (even if you are the lunatic or the zealot).
The key points are:
1. You will always believe that you are not the lunatic.
2. When you identify someone who you believe is a lunatic, asking them if they are is fruitless - they will say 'No'.
3. When you attempt to educate them with logic (regardless of whether you are sane, and the logic is fine, or you are a lunatic and the logic
No kidding. I like MS jokes/digs/etc. as much as the next guy, but one of the best programmers I know works for Microsoft R&D. The guy is truly insane. In college he single-handedly won like 3 categories in a regional ACM sponsored programming contest.
You consider the security researchers incompetent because they are (or were) part of the Microsoft team?
Giving credit where credit is due, Microsoft has put together an awesome team of researchers in many areas, including security. The list of people who work for MSR is a who's who of CS. The problem is that these guys ain't them. They might have a lot of practical knowledge about how to make Windows secure (and practical knowledge is often the best kind...) but I'm not sure I'd call them researchers
Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read:-)
One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press: "Out of the Inner Circle" by Bill Landreth ( http://www.amazon.com/exec/obidos/tg/detail/-/0914845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-3064447-0498204?v=glance&s=books )
It's still definitive at cataloging the different "hacker" personalities and motives.
... mine looks really good on the outside, classic tall tower lines, a little underpowered due to age but still quite useable, all the peripherals still work, I have access to critical internals, but the over-all configuration is still sort of arcane, and once a month the system reboots itself for no apparent reason.
<2^flaimbait> While the Penguin people were sleeping with sweet dreams of their malware-free existence, the Redmond gang were preparing to plug every hole in their ship, longing for the day they would say "They had it coming!". </2^flaimbait>
is that a euphemism for 'the most boring book to hit the world since Inside OLE2?'
I never got more than a quarter of the way through that, I fell asleep every time I tried to pick it up.
I saw internal MS OLE training that Kraig Brockschmidt did back in about '95 - Jesus, it was boring. We are talking boredom in an entirely new area of boredom till then undiscovered by man.
I got it dirt cheap as I used to work at MS. I met KB at what I think was the first MSJ conference in the UK (Cambridge? There was a company doing demos of VR headsets there).
Pretzel, sorry, Petzold was there too and it was only then that I realised that those pics of a Windows tattoo on his arm were true.
Maybe I'm missing something, but when did M$ OS become a network OS? I haven't seen any winblows routers or switches? The book should be Windows Penetration testing, and to fix that problem, just press the off button. I get sick and tired of hearing M@ included in the same sentence as network. It's a stinking OS, not a router. M@ couldn't compete with Cisco, Juniper, etc...
You know, funny you should say that. I had a PII-450 with 3x 3Com NICs running RRAS (Routing and Remote Access) on Win2K that I was using for an internal router for 3 different subnets for over 2 and a half years. It was shuttling the data between the subnets with virtually no latency and I never had any down time. Literally just set it and forget it. One of the few times I was seriously impressed by MS
hmmm....that's fine for a little network, but when you have 1000 users it wouldn't work....Honestly we have had to reboot our NT systems once a month just so they don't get flaky. If Windows is not actually writing data to the hard drives then it's probably a good OS...
And it wasn't. Apparently the drive crapped out a long time ago, and everything was running from memory. By the time I had to reboot it, the system wouldn't come back up. Finally got the company to cough up the money to get a Catalyst 3550 to replace it.
Informative, yes. (Best laugh I've had this month;)
Informative anecdotal evidence to "If Windows is not actually writing data to the hard drives then it's probably a good OS..."
If the OS does what you want it to do it is a good OS. If the OS does what it wants to do it is a bad OS.
It is possible for Windows to behave like a good OS.
In terms of writing to disk, standard instructions to our users is that if the system starts acting funny, do not log off, do not go through the normal shutdown sequence, do n
A "network" OS is not an NOS because it runs on network devices such as hubs, routers, switches, etc. A NOS is an NOS because it runs on networked computers and is built to facilitate easy, secure, and fast communication between them via services such as centralized authentication and authorization (one username/password combo to access resources across multiple systems) auditing, configuration management, etc. Windows Server in its "base" install form is not an NOS, but an OS. When you install Active Di
I'd have to say no to AD being a NOS. It is a computer running services over the network. Is AD deciding the best route for packets? Am I able to set up an ACL in AD that will disallow non-authorized LAN IPs from traversing my routers? M$ OS will NEVER be a Network Operating System. It will always be a desktop OS that runs services which utilize the network to communicate to other OSs which are also on the network.
I migrated a Fortune500 division off OS/2 to NT4.
At that same time, we connected to the 'net on a dedicated T1. I had submitted a request and proposal for a Raptor/NT4.0 based firewall on Compaq hardware (around $15,000).
I didn't have time to wait as committees batted it back and forth not understanding the 'Internet' or what we were doing with it.
I didn't have time to play corporate bureaucracy.
I grabbed an old 486 off the shelf and threw 2 token ring cards and an ethernet card in it. I put Linux on
"Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing."
"I have been fascinated by leadership dynamics throughout my working career. [...] A concern is that we often get to hear the same leadership issues over and over again, yet leaders continue to lead with mediocrity and passiveness".
His Billness will not take this lightly! These guys can kiss their jobs at Microsoft Research goodbye!:-)
Being relatively novice at network security I only have an extremely humble opinion, but at the same time I must say that Mr. Chuvakin strikes me to be an extremely adept man on this subject. Having just finished the Security Warrior I have learned a lot and I find his (and his co-author Mr. Peikari's) insights and information to be extremely astute. No, I will take no grain of salt regarding his comments about the book in question; until I have achieved a decent status in the matter I will refer to Mr. Chuvakin's comments eagerly!
As you say you are a security novice, I would suggest you take a look at the Common Criteria for information security evaluation [nist.gov]. This is what most security evaluations are assessed against. Threat Analysis/Risk Assessment (TARA) consultants are in high demand and can earn a lot of $$ these days.
First, one takes all relevant MS security bulletins. Next one invents some text around it. Publish it and make people pay for it. So you make money from your mistakes.
Funny: I doubt most hackers who contributed to this masterpiece will ever see a paycheck. Probably they are mentioned in the hall of shame. (As ought to be)
by Anonymous Coward on Tuesday November 02, 2004 @06:28PM (#10705022)
With all these folks pointing out the funny irony of all this, I'm here with what I think are valid questions --
What's up with creating an inherently insecure system and selling a book on security? Shouldn't they use that same advice to create better products? Almost like the conspiracy theory of making someone ill and then selling them the cure.
Maybe the book brings up interesting points and great ideas...but it's like asking me to believe everything Baghdad Bob said.
Ben Smith (one of the authors) is also actively involved in Microsoft's private trainer newsgroups, and has always been a good source of information for security related questions that are way, way out of what "the theory" is normally limited to.
The utility of the book comes from not just spreading the word about security, but having to do so in forums and formats that require it to be relevant, usable and correct.
As a security consultant and trainer myself I can attest to the gap between theory and practice and the need to put security issues into terms that are able to be applied in the real world.
Comments above that assume that just because someone works for Microsoft, they don't know how things work in reality are generalisations made out of ignorance or jealousy. This book is a good example that the truth about Microsoft employees, like security, is often misunderstood.
Comments above that assume that just because someone works for Microsoft, they don't know how things work in reality are generalisations made out of ignorance or jealousy.
*cough*bull$hit*cough*
NO asshat. They're made out of the billions...if not trillions...of dollars ISPs and software companies waste every year providing free tech support for Microsoft users so Microsoft can spend their time and oh-so-precious profits acting like leaders instead of BEING leaders.
Outlook eats itself randomly? Really?? I've never seen that--and I've been supporting it for years. Outlook .pst files--pre-2000--yes, they had a 2GB limit, and quite frankly it was much less..But Outlook..used with either POP mail or Exchange..has NEVER been a problem for me--unless the clueless user forgets how to use it or deletes their .pst file because they don't think they need it.
Popups--that's a problem everywhere, even at home, but between SP2 and the google toolbar, it's minimal.
Yeah - I've always wondered about things like this. In a company as large as Microsoft, they must have *many* security experts, in turn with many different views. I imagine they have a lot of infighting when decisions like this are made. Perhaps explains some of the inconsistency in their security initiatives over time.
Also, I think most of the changes in SP2 were made to protect the home user - port scans can be quite useful for sys admins, but stopping home PCs from using raw sockets will probably stem
Yeah - I've always wondered about things like this. In a company as large as Microsoft, they must have *many* security experts, in turn with many different views. I imagine they have a lot of infighting when decisions like this are made.
Ben Smith has had the same kind of problems with buy-in at Microsoft that you'd expect at any very large company. As with Windows, Office, IE code, etc. - just because they have some of the best security experts in the world working there doesn't mean that all of their re
This reminds me of a question I've been pondering lately, which I believe would be on topic.
I have a box on a public IP -- speaking as a person who cannot devote 24/7 to security, are there any good automated tools to verify its "openness" in terms of security vulnerabilities?
I'm not talking about just potential root exploits and the like, but also about things like file permissions, which I find are hard to get exactly right on Unix (read: Linux with no special ACL stuff installed), where the file system does not support inheritance of security attributes.
Many Linux distros come with a script that's run nightly to report potential vulnerabilities, changed files etc. There are also tools like Snort and Tripwire. I also use Munin and check it daily for signs of DoS attacks and other suspicious activity (e.g., a sudden increase in the number of listening ports).
What other automated tools do people here recommend?
I use OpenBSD, with pf blocking stuff from the Internet, I don't worry about getting rooted/hacked. Now, way back then I used Linux at work before firewalls and stuff, my linux box kept filling up the disk (too many services running I didn't know about), then it got hacked via a ftp vulnerability. My advice is: use OpenBSD as a firewall, sleep well. As a side benefit, the man pages are excellent.
Good recommendation -- unfortunately (1) I can't afford to pay for buying and co-locating an additional box to act as firewall for my Linux box, and my Linux box is definitely not going to become OpenBSD in the near term; and (2) blocking malicious network traffic is only part of being secure.
I used to run the Center for Internet Security benchmarking tools on a regular basis to audit my systems (particularly after applying patches to see what they had opened up). They can be found at http://www.cisecurity.org/ [cisecurity.org].
I would say, try nessus [nessus.org]. It is a very good vulnerability mapping tool. I use it to test various *nix/Windows boxes. It has a lot of options which are sometimes overwhelming at the beginning. But, once you get used to it, you'll never leave without it.
Retina [eeye.com] is another excellent tool, but pricey.
nmap and nessus are always in my 'bag'. I use them on a regular basis.
Microsoft Baseline Security Analyzer [microsoft.com] scans security issues for the OS and any MS software you have installed. There are command-line options, so it could be run as a scheduled task.
Oops, from the topic I thought you were talking about a Windows box. Upon re-reading your post I see you seem to be talking about a Linux box. My mistake.
FP - obilgatory NS at redmund? (Score:3, Funny)
But they're experts! (Score:0)
*ducks to avoid flying astroturf*
Re: (Score:-1, Troll)
Re:Save some money! (Score:0)
Nice amazon referrer link, (Score:5, Informative)
Here's a whore free link [amazon.com] and some healthy capitalist competition to boot [pcprotection.ca].
What about... (Score:5, Funny)
What about Kama Sutra?
Is this a case of do as we say, not as we do?
Re:What about... Linux code? (Score:5, Insightful)
Re:What about... Linux code? (Score:5, Interesting)
Re:What about... Linux code? (Score:0)
Re:What about... Linux code? (Score:4, Interesting)
Re:What about... Linux code? (Score:0)
Re:What about... Linux code? (Score:2)
Re:What about... Linux code? (Score:2)
"Researchers" (Score:3, Interesting)
Re:What about... (Score:2, Informative)
Re:What about... (Score:1)
Considering the source ... (Score:1)
from the Internet!
How can that sentence possibly be finessed into something as big as a book?
Re:What about... (Score:2)
They're in the business of selling references...biased references are good for almost nothing.
penetration (Score:0, Funny)
Now, if they'd only... (Score:3, Funny)
Karma be damned... (Score:5, Funny)
"I've read some pretty bad books on penetration testing [...] Assessing Network Security comes to us direct from the bunkers of Redmond."
Nah, too easy.
"Microsoft security" (Score:5, Funny)
remember now (Score:5, Funny)
remember guys, often times computers are like women.
this is not one of them
Re:remember now (Score:5, Funny)
well, right now... (Score:0)
Oxymoron (Score:-1, Troll)
I'm not the only one who is doing some head scratching am I?
Re:Oxymoron (Score:1)
Oxymoron-A Commercial break. (Score:0)
Using Head and Shoulders Shampoo will get rid of unsightly flakes. No longer will women see you scratching your head, and think...eeewww!
@microsoft.com (Score:4, Informative)
Ben Smith [winnetmag.com],
David LeBlanc [winnetmag.com]
Re:@microsoft.com (Score:-1, Troll)
mikehow@microsoft.com - born loser
Re:@microsoft.com (Score:0)
Windows (Score:2)
Why am I not surprised? :)
Re:Windows (Score:1, Insightful)
Not to be an ass, but so are most computers.
Re:Windows (Score:2, Insightful)
Re:Windows (Score:2)
A book on security from microsoft... ? (Score:5, Funny)
Wouldn't that be sort of like George Bush writing an english book?
Re:A book on security from microsoft... ? (Score:0, Troll)
No, this would be more like George Bush writing a book on ethics.
Re:A book on security from microsoft... ? (Score:0)
Re:A book on security from microsoft... ? (Score:1)
Re:A book on security from microsoft... ? (Score:0)
-- Non-Suicidal... ok, Anonymous Coward
Re:A book on security from microsoft... ? (Score:2)
'somewhat dry' (Score:5, Insightful)
Re:'somewhat dry' (Score:1)
I almost feel bad for whoever ended up with it when I traded it in at the used book store.
Re:'somewhat dry' (Score:1)
Re:'somewhat dry' (Score:0)
When did M$ become a network device? (Score:3, Insightful)
Re:When did M$ become a network device? (Score:3, Informative)
Re:When did M$ become a network device? (Score:1)
Re:When did M$ become a network device? (Score:4, Funny)
Re:When did M$ become a network device? (Score:1)
Re:When did M$ become a network device? (Score:2)
Re:When did M$ become a network device? (Score:2)
Then the people maintaining them are incompetent. They need to get some training, do some research, and determine the root cause of the instability.
If they have no time or budget because upper management is incompetent, then they have my sympathy.
A properly configured and maintained NT system can be as stable as any other NOS. I have run NT systems with no unscheduled downtime for years.
CAVEAT: If you're really
Re:When did M$ become a network device? (Score:0)
Re:When did M$ become a network device? (Score:0)
Re:When did M$ become a network device? (Score:1)
Re:When did M$ become a network device? (Score:1)
This is old news (Score:4, Funny)
From the Author: (Score:4, Funny)
From the referenced BN page [barnesandnoble.com]:
"I have been fascinated by leadership dynamics throughout my working career. [...] A concern is that we often get to hear the same leadership issues over and over again, yet leaders continue to lead with mediocrity and passiveness".
His Billness will not take this lightly! These guys can kiss their jobs at Microsoft Research goodbye! :-)
No grain of salt here (Score:5, Interesting)
Re:No grain of salt here (Score:4, Informative)
Meanwhile, back at the MS penetration testing labs (Score:3, Funny)
Re:Meanwhile, back at the MS penetration testing l (Score:0)
Can it be, O brothers (Score:2, Funny)
Creation of the book (Score:1)
Seriously, this might be a good book.
Great Source (Score:2, Funny)
Re:Great Source (Score:0)
Security From MS Press (Score:3, Insightful)
heh-he-hehe (Score:0)
more to security researchers than lab work (Score:5, Insightful)
Re:more to security researchers than lab work (Score:0, Troll)
They're made out of the countless f$ck
Re:more to security researchers than lab work (Score:2, Interesting)
Reinstall the O
oh christ (Score:1, Flamebait)
Wait a minute...
NIGGA (Score:-1, Flamebait)
MS does something right yet... (Score:0)
Stop the bashing, try being constructive!!
Stop the FUD, try the TRUTH
Stop ignoring the flaws in Linux.
Stop using the excuse of open source, when we all know the vast MAJORITY of linux users CANNOT rewrite the source!
Grow up, or stfu, please!
Not all Microserfs are dolts (Score:3, Interesting)
I bet a lot of them do great work FOR the company, but its caught up and diluted by the much larger 'machine' that makes Microsoft go..
port scans? not in sp2 (Score:4, Insightful)
http://seclists.org/lists/nmap-hackers/2004/Jul-S
Re:port scans? not in sp2 (Score:1)
Re:port scans? not in sp2 (Score:2)
Fitting Analogy? (Score:0, Flamebait)
duhduh chhh..
Re:Fitting Analogy? (Score:0)
Open source tools? (Score:3, Interesting)
Re:Open source tools? (Score:0)
Re:Open source tools? (Score:2)
Re:Open source tools? (Score:0)
Re:Open source tools? (Score:2)
Re:Open source tools? (Score:1)
Nessus (was: Re:Open source tools?) (Score:1)
Re:Open source tools? (Score:2)
Re:Open source tools? (Score:2)