Windows « The InfoSec Blog

The 11 tiniest, most powerful computers your money can buy

Posted by Anton Aylward


I have my doubts about many things and the arguments here and in the comments section loom large.

Yes, I can see that business sees no need for an 'arms race' escalation of desktops once the basics are there. A few people, gamers, developers, might want personal workstations that they can load up with memory and high performance graphics engines, but for the rest of us, it's ho-hum. That Intel and AMD are producing chips with more cores, more cache, integrated graphics and more, well, Moore's Law applies to transistor density, doesn't it, and they have to do something to soak up all those extra transistors on the chips.

As for smaller packaging, what do these people think smart phones and tablets and watches are?

Gimme a break!
My phone has more computing power than was used by the Manhattan project to develop the first nuclear bomb.

These are interesting, but the real application of chip density is going to have to be doing things other than serving the desktop. It's going to be

1. IoT
2. Servers
3. backbone/communications

And for #1 & #3 Windows will become if not an impediment, then irrelevant.
It's possible a very stripped-down Linux can serve for #1 & #3, but somewhere along the line I suspect people might wake up and adopt a proper RTOS such as QNX, much in the same way that Linux has come to dominate #2. It is, however, possible that Microsoft will, now that Gates and Ballmer are out of the scene, adopt something Linux-like or work with Linux so as to stay relevant in new markets. The Windows tablet isn't the success they hoped for, and the buyout of Nokia seemed more to take Nokia out of the market than to become an asset for Microsoft to enter the phone market and compete with Apple and Samsung. Many big firms that do have lots of Windows workstations are turning to running SAMBA on Big Iron because (a) it's cheaper than a huge array of Windows Servers, which present reliability and administrative overhead, and (b) it's scalable. Linux isn't the 'rough beast' that Ballmer made out, and Microsoft's 'center cannot hold' the way it has in the past.

OpenBSD forks, prunes, fixes OpenSSL

Posted by Anton Aylward


Interesting, eh?

At the very least, this will apply 'many eyes' to some of the SSL code, and so long as the SSL pruning isn't wholesale slash-and-burn, cutting it back may prove efficacious for two reasons.

Less code can be simpler code, with decreased likelihood of there being a bug due to complexity and interaction.

Getting rid of the special cases such as VMS and Windows also reduces the complexity.

Managing Software

Posted by Anton Aylward

Last month, this question came up in a discussion forum I'm involved with:

Another challenge to which I want to get an answer is, do developers always need Admin rights to perform their testing? Is there not a way to give them privileged access and yet have them get their work done? I am afraid that if Admin rights are given, they would download software at free will and introduce malicious code into the organization.

The short answer is "no".
The long answer leads to "no" in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it.
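As an added example (not code from the post or from the forum discussion it quotes), the helpers below sketch what a developer test launcher looks like when it never needs elevation: it refuses to run as root, installs into a user-owned prefix instead of /usr or /opt, and maps a privileged listening port to a high port so the service under test can bind as an ordinary user. The project layout, the TEST_PORT variable and the ./run-tests command are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the post: helpers for a developer test launcher that
# runs entirely without admin rights. Assumptions (all constructed for the
# example): the project installs into a user-owned prefix, and the service
# under test accepts its listening port from the environment variable TEST_PORT.

# Return success when the given numeric uid is not root. Passing the uid as an
# argument (rather than reading id -u inside) keeps the check easy to exercise.
uid_is_unprivileged() {
    [ "$1" -ne 0 ]
}

# On Linux and most Unixes, binding a TCP port below 1024 needs root (or
# CAP_NET_BIND_SERVICE). Map the "production" port to a high port so the test
# instance can listen as an ordinary user: 80 -> 8080, 443 -> 8443, others kept.
test_port_for() {
    if [ "$1" -lt 1024 ]; then
        echo $(( $1 + 8000 ))
    else
        echo "$1"
    fi
}

# Per-user install prefix under the developer's home: no writes to /usr or /opt.
user_prefix() {
    echo "${1:-$HOME}/.local/devtest"
}

# Check that a path can be written by the invoking user without elevation:
# walk up to the nearest existing ancestor and test whether it is writable,
# so a prefix that does not exist yet still passes if the user can create it.
path_is_user_writable() {
    p="$1"
    while [ ! -e "$p" ]; do
        p="$(dirname "$p")"
    done
    [ -w "$p" ]
}

# Compose the checks into a launch plan. Prints the environment a test run would
# get; the real command (echoed here as a placeholder) is the project's own runner.
run_devtest() {
    uid="$1"; prod_port="$2"; home="$3"
    if ! uid_is_unprivileged "$uid"; then
        echo "refusing to run tests as root (uid $uid); use a developer account" >&2
        return 1
    fi
    prefix="$(user_prefix "$home")"
    if ! path_is_user_writable "$prefix"; then
        echo "install prefix $prefix is not writable by uid $uid" >&2
        return 1
    fi
    port="$(test_port_for "$prod_port")"
    echo "PREFIX=$prefix TEST_PORT=$port ./run-tests   # placeholder for the project's runner"
}

# Stand-alone demonstration: plan a run for the current user against the
# production port 443; prints the plan, or an explanation if running as root.
run_devtest "$(id -u)" 443 "$HOME" || true
```

The point of the port mapping and the user-local prefix is that the two things developers usually cite as reasons for needing root (binding a well-known port, writing into a system directory) both have unprivileged equivalents; anything that genuinely needs elevation is then a small, reviewable exception rather than the default.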

The Decline of the Physical Desktop

Posted by Anton Aylward


What's interesting here is that this isn't preaching "The Cloud" and only mentions VDI in one paragraph (2 in the one-line expanded version).

Also interesting is the real message: "Microsoft has lost it".

Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes - it *HAD* to be to have survived that long. (One could say the same about sharks!)

"Keeping desktop systems in good working order is still a labour of Sisyphus ..."

Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.

A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including downloading and installing new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but it's the same 'end user in control' model that we had with Windows. It's going to be a malware circus.


Fwd: How Quality Drives the Rise and fall of hi-tech products

Posted by Anton Aylward


I'm dubious.
On the one hand I recall a book titled "In Search of Stupidity", which I strongly recommend reading; it's about the hi-tech years that this article covers and takes a different view of how "quality" affected market share.

On the gripping hand, I also lived through the years that book describes and can add detail. One detail is this. MS-Word was crap. Most offices/secretaries preferred WordPerfect, but MS-Word outsold WP by aggressive marketing - nothing else. The quality of MS-Word was the pits and it's still full of bugs. Each release formatted historic documents in a different way, which is a no-no in the legal (and other) professions. Its handling of nested indents in style sheets is a mess, so much so that many industries such as MILSPEC contractors simply don't use style sheets.

I'm dubious about his claim that Linux has fewer add-on products.

Heinlein has a comment about democracy being like adding zeros.
If you look at those supposed products for Windows you'll find many of them are "me-too" duplicates. We haven't reached that stage yet with portable devices but we are getting there. When you get there, yes, you do have one market leader; when people are spoilt for choice like that then a review or a friend's recommendation can tip the balance, and that too can propagate. This has little to do with 'quality' and a lot to do with a cross between humans' 'herd instinct' and the way crystals form in a super-saturated medium.

Are *YOU* ready to give up yet?

Posted by Anton Aylward

Apparently (ISC)2 did this survey ... which means they asked the likes of us ....


Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.

Right. If you view this from a technical, bottom-up POV, then yes.

Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."

Patching madness, all the hands-on ... Yes I can see that even the octopoid whiz-kids are going to feel like the proverbial one-armed paper-hanger.

Which tells me they are doing it wrong!

Two decades ago a significant part of my job was installing and configuring firewalls and putting in AV. But the only firewall I've touched in the last decade is the one under my desk at home, and that was when I was installing a new desk. Being a Linux user here I don't bother with AV.

"Hands on"? Well yes, I installed a new server on my LAN yesterday. No, I think I'll scrub it, I don't like Ubuntu after all. I'm putting in Asterisk. That means re-doing my VLAN and the firewall rules. So yes, I do "hands on". Sometimes.

At client sites I do proper security work. Configuring firewalls, installing Windows patches, that's no longer "security work". The IT department does that. It's evolved[1] into the job of the network admin and the Windows/host admin. They do the hands-on. We work with the policy and translate that into what has to be done.

Application vulnerabilities ranked as the No. 1 threat to organizations among 72 percent of respondents, while only 20 percent said they are involved in secure software development.

Which illustrates my point.
I can code; many of us came to security via paths that involved being coders, system and network admins. I was a good coder, but as a coder I had little "leverage" to "Get Things Done Right". If I was "involved" in secure software development I would not have as much leverage as I might have if I took a 'hands off' role and worked with management to set up an environment for producing secure software by the use of training and orientation, policy, tools, testing and so forth. BTDT.

There simply are not enough of us - and never will be - to make security work "bottom up" the way the US government seems to be trying. We can only succeed "top down", by convincing the board and management that it matters, by building a "culture of security".

One view of Enterprise Information Security Architecture (EISA) Framework.

This is not news. I'm not saying anything new or revolutionary, no matter how many "geeks" I may upset by saying that Policy and Culture and Management matter "more". But if you are one of those people who are overworked, think about this:

Wouldn't your job be easier if the upper echelons of your organization, the managers, VPs and Directors, were committed to InfoSec, took it seriously, allocated budget and resources, and worked strategically instead of only waking up in response to some incident, and even then just "patching over" instead of doing things properly?

Information Security should be Business Driven, not Technology Driven.

[1] Or devolved, depending on how you look at it.


Why would anyone choose Linux when they already have Windows?

Posted by Anton Aylward


I could go through a litany of complaints I have about Linux. I could complain about the confusing number of distributions. I could complain about the propensity of Linux proponents to cause unnecessary confusion by abbreviating or using acronyms for Linux-only functions. I could complain about the silly confusing names they give applications.

How come Linux gets berated for this?
There's a plethora, a confusing plethora, of Microsoft products, since, compared to Linux, that world is unbundled.

But Microsoft aside, look at the auto industry; it was once said that you could order over a quarter of a million different variations given the options on some Chrysler models. There are still many distributor/vendors, and different dealers/outlets offer different deals, trade-ins, offers and options. The auto industry has more acronyms than the computer industry and lots of special functions and tools.

For example, the spring inside my seat-belt buckle slipped out of place so that the buckle won't lock the clip in place. The way the buckle is built you can't take it apart, so the whole assembly has to be replaced. The bolt that fastens it into the seat assembly (remember, the seat has to be able to gyre and gimble without altering the tension of the belt, so the belt is bolted to the seat, not the frame of the car) is a special one, the only one (except for the other seat belt) in the car. Of course it takes a special tool. As it turns out, the tool costs more than the over-priced replacement seat-belt assembly. And since it is for that purpose only on that model series (apparently it was changed for another equally unique bolt and matching tool in later models) my mechanic did not have that tool in his toolbox. He tells me that this is normal, that the auto manufacturers have many twists and turns like this that serve to lock out the independent mechanic by forcing up the cost of operations.

I look at the computer industry and think how easy it actually is to move between vendors of hardware and software. I really can't see why if you are an office worker familiar with MS-Word you will be unable to do any work if faced with OpenOffice - or WordPerfect or WordPro. Once upon a time both Apple and Microsoft "sold" the GUI interface as being something that was "obvious" and wouldn't need training and thick documentation. Whether or not that's so, moving from one word processor to another, one mail user interface to another, has nothing to do with the underlying OS or the names and acronyms used.

As the article says:

An operating system exists only to create an environment for applications; nothing more, nothing less. Most people sit down at a computer and just start using it without worrying about what operating system it is running.

So why the fuss? Gnome and KDE have "skins" that can make them look like OSX or any of the Microsoft Operating systems. The various distributions of Linux are more like the various offerings of the auto industry, they mostly resemble each other and copy ideas from one another. If you can drive a Ford - sorry, SUSE - you can drive a Chrysler - sorry, Mandriva. Or even a Volvo/BSD. And since I've seen Americans cope in England after just a few minutes, I'll add MGB/LinOS.

So Why Linux?

The article has a theme about moving from Windows to Linux. What it doesn't touch on is why one might want to move.

The reason for most people is that they get a new computer. They are probably going to have to change OS - from W/95 or W/XP to Vista. This is likely to be even more traumatic than if they changed to Linux with an appropriate skin. I've certainly seen many reports of application-only users who had their system "regressed" from a Vista they didn't like to their "old" system, which was actually Linux looking like XP. The reality is that most users see the applications and neither see nor want to see the OS. The same applies for most car drivers. They just want to drive.

When Mark Kaelin says that John Sheesley can crash Linux over and over - so what? The issue isn't that someone with John's background and expertise can crash Linux, it's how stable Linux is for an ordinary user. And compared to Windows, it seems to be about 15 years further down the road. Windows seems to emphasise 'dressing'. Perhaps that's why Mark Shuttleworth wants to address the image of the desktop.
It's worth reading some of John's articles - he's not rabidly anti-Linux. Or rabidly anti-Microsoft.

When Mark points out that viruses and malware exist for Linux he omits to note that these are 'proof of concept' things that neither exist nor could exist in the wild. The underlying architecture of Linux makes it more resilient to whole classes of malware. The idea that it's 'immune' because it doesn't have the market share is a myth.

I've asked many people in the business world why they don't use Linux, and all in all their reasons tend to be emotional not logical.

But to be fair, if security and reliability are the deciding issues, as many Linux enthusiasts claim, then why aren't they using BSD? I ask that of them and I get an emotional response similar to the one I see when I ask Windows enthusiasts about Linux.
