Group: Members
Posts: 4,558
Joined: 11-April 07
From: Texas
Member No.: 4,581
1) Will you be addressing security questions about Apple platforms?
2) My sister is working on establishing a small scale internet presence for her business and I mentioned internet security and trying to avoid being low hanging fruit for the hooligans.... obv she asked how to avoid becoming said fruit and I had to confess my complete stupidity in this matter. Do you have any recommended reading for her that might help her do the common sense things to avoid the usual stuff?
Group: Members
Posts: 4,088
Joined: 4-February 07
From: The Carter
Member No.: 4,252
Any and all questions about Apple/OSX security issues are more than welcome.
OSX actually is currently considered *less* secure than Windows because people have gotten around to porting the tactics that were used in Windows IE exploits to Apple, which is not as of yet inoculated against browser based attacks on the operating-system level.
Regarding setting up a net presence, it's fairly easy to avoid getting torn up if you make an effort to address three basic concepts:
1) limit access to what the world can access. eg: set up a firewall. realistically, all 99% of websites need is one IP address and 3 ports open; one for the web server, another for a secure web server (https), and a third for incoming mail (if that's how you are rolling).
2) have sane and secure methods for accessing it for administration. make sure any and all development takes place over encrypted channels. only allow access to the infrastructure through the firewall from a very small range of ips, only allow access through methods that encrypt the password (sftp, scp, ssh).
3) sanitize the data coming in. thanks to web2.0 being a complete fucknest of poorly conceived, overdeveloped, underaudited, Machiavellian cocktail of semi-modular code blocks, it's never been more important to introduce a little-discussed concept (in the developer world); the IPS layer.
IPS stands for Intrusion Protection System. it's basically a component of your firewall that actively inspects the incoming content for signs of attack and basically stops it in its tracks. any site with DB layer on the backend absolutely must deploy one of these, i cannot stress this enough. not only can attackers piggyback commands onto the urls they visit that allow them to spew out the contents of your database (all of it btw), they can also introduce new, hidden content onto your website that actually attacks and exploits people visiting it.
this is exceedingly standard btw. the basic premise is called a 'sql injection attack' and it's quite literally the hydrogen bomb of web attacks.
example of a sql injection attack:
WARNING: the particular methods in this video are 2+ years old, well publicized, and will get you sent directly to the clink if you try it out, however the overall concept (input sanitization) remains a huge issue and although the attack payloads are introduced in more sophisticated ways today, the end result is essentially the same.
this is probably the single biggest threat you have to guard against, but there are a slew of free products that accomplish input validation/sanitizing, and all of them can block the major arcana of current sql injection threats.
aside from that, be sure you hire someone competent to scan the site before it's 'live'. these scans are rarely costly and when done by someone who knows what they are doing, you can generally sleep pretty well once they sign off. consider having them do monthly scans as well, as threats change of course.
lastly make an effort to embrace a linux based solution if you can. the overhead from keeping up on windows threats is exhausting. if you're married to MS for this, it's not the end of the world, but it's my opinion that it lowers the bar for security considerably, so really avoid it if you can find people capable of doing site development in a Linux/Apache/Mysql/PHP environment.
--------------------
whys the sky blue? whys water wet? why did judas rat to romans while jesus slept?
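Added example, not part of the post above and not from any product it mentions: the application-side counterpart to point 3, showing a lookup that pastes request input into the SQL text next to the same lookup with the value bound as a parameter, plus an allow-list check on the input. The table, function names and sample values are constructed for illustration; Python with an in-memory SQLite database is used so it runs offline.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory customer table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db


def lookup_concatenated(db, name):
    """BEFORE: the request value becomes part of the SQL text and can rewrite it."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    """AFTER: the value is bound as data; the SQL text is fixed."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


# Allow-list for what a customer name may look like (an assumption for this demo).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_name(name):
    """Reject input outside the expected shape before it reaches any query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected input: unexpected characters or length")
    return name


# Constructed sample of a condition piggybacked onto a request parameter.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, HOSTILE))   # every row comes back
    print("parameterized:", lookup_parameterized(db, HOSTILE))  # no row matches
    print("legitimate   :", lookup_parameterized(db, validate_name("alice")))
    try:
        validate_name(HOSTILE)
    except ValueError as exc:
        print("validator    :", exc)
```

An inspection layer in front of the site and bound parameters in the code are complementary: the first blocks known patterns at the edge, the second removes the query-rewriting behaviour itself.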
Group: Members
Posts: 4,558
Joined: 11-April 07
From: Texas
Member No.: 4,581
I would be lying if I said I was reading this and nodding my head like I knew what was going on, I actually had that sinking feeling of "holy fuck I am clueless".... but serious thanks for the pro response, will be reading up and trying to digest these things.
Group: Members
Posts: 13,687
Joined: 24-October 07
From: Dallas-Fort Worth
Member No.: 6,093
QUOTE(MaxDreidel @ Jun 10 2009, 06:20 PM)
I would be lying if I said I was reading this and nodding my head like I knew what was going on, I actually had that sinking feeling of "holy fuck I am clueless".... but serious thanks for the pro response, will be reading up and trying to digest these things.
wow i totally understood everything max. maybe you just should leave the expert computer chat to sonatine and I
Any and all questions about Apple/OSX security issues are more than welcome.
OSX actually is currently considered *less* secure than Windows because people have gotten around to porting the tactics that were used in Windows IE exploits to Apple, which is not as of yet inoculated against browser based attacks on the operating-system level.
Apple must have added a whole bunch of bullshit to that BSD kernel in order to make it less secure than Windows.
There was a big hacking contest a few months ago with events for getting root access to fully patched versions of IE and Firefox in Vista and Safari on OS X. One dude blew everyone away by demolishing all three separately. In the interview he gave afterward, he mocked OS X's security model. He had nice things to say about Chrome.
"I see in the near future a crisis approaching that unnerves me and causes me to tremble for the safety of my country. . . . corporations have been enthroned and an era of corruption in high places will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people until all wealth is aggregated in a few hands and the Republic is destroyed." -Abraham Lincoln 1864
Group: Members
Posts: 4,088
Joined: 4-February 07
From: The Carter
Member No.: 4,252
QUOTE(DirtyB @ Jun 18 2009, 11:25 AM)
QUOTE(sonatine @ Jun 10 2009, 03:49 AM)
Any and all questions about Apple/OSX security issues are more than welcome.
OSX actually is currently considered *less* secure than Windows because people have gotten around to porting the tactics that were used in Windows IE exploits to Apple, which is not as of yet inoculated against browser based attacks on the operating-system level.
Apple must have added a whole bunch of bullshit to that BSD kernel in order to make it less secure than Windows.
There was a big hacking contest a few months ago with events for getting root access to fully patched versions of IE and Firefox in Vista and Safari on OS X. One dude blew everyone away by demolishing all three separately. In the interview he gave afterward, he mocked OS X's security model. He had nice things to say about Chrome.
here is my rosetta stone for understanding how browser based attacks had come so far; explorer basically runs with admin privs for all practical purposes, but chroots itself badly (one way of looking at it), or you can simply say it runs under the unprivileged user account but has *hooks* in it that run with admin privileges. so basically the race is to introduce hostile payloads to those hooks that get bounced back to kernel land, priv memory rings, so on and essentially end up having them be executed with unfettered authority.
so for over a decade, Windows has had a high profile and very bloody war on two fronts; introducing functionality using that explorer based shell & mitigating the damage from that new code and from its legacy architecture. ok obv, ldo.
now, as for apple, on the plus side of course, i don't *think* apple has all those sketchy APIs in place that execute code with elevated privs in its browser, but the downside is that the lack of aggressive attacks have left apple "soft" in terms of mitigating attacks which jump up the priv ladder once you can execute local code.
so apple has always really been a soft target albeit one that didn't have a lot of people pursuing it.
throw in third party software focusing on rich media and web2.0 and you basically have the makings for a bloodbath.
--------------------
whys the sky blue? whys water wet? why did judas rat to romans while jesus slept?
so for over a decade, Windows has had a high profile and very bloody war on two fronts; introducing functionality using that explorer based shell & mitigating the damage from that new code and from its legacy architecture.
The good news on that front (as far as I understand it) is that Windows 7 runs legacy apps in a virtual machine, allowing 20 years of old bullshit to be stripped out of the kernel. That VM runs in a protected sandbox or can be completely disabled.
And the word is that the upgrade from Vista to Windows 7 Home Premium will only be 50 bucks.
--------------------
"I see in the near future a crisis approaching that unnerves me and causes me to tremble for the safety of my country. . . . corporations have been enthroned and an era of corruption in high places will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people until all wealth is aggregated in a few hands and the Republic is destroyed." -Abraham Lincoln 1864
Group: Members
Posts: 4,088
Joined: 4-February 07
From: The Carter
Member No.: 4,252
QUOTE(DirtyB @ Jun 18 2009, 02:29 PM)
QUOTE(sonatine @ Jun 17 2009, 07:27 PM)
so for over a decade, Windows has had a high profile and very bloody war on two fronts; introducing functionality using that explorer based shell & mitigating the damage from that new code and from its legacy architecture.
The good news on that front (as far as I understand it) is that Windows 7 runs legacy apps in a virtual machine, allowing 20 years of old bullshit to be stripped out of the kernel. That VM runs in a protected sandbox or can be completely disabled.
And the word is that the upgrade from Vista to Windows 7 Home Premium will only be 50 bucks.
VMs are totally where it's at. The one article I've been meaning to write/post since this forum started is how to set up VMs at zero cost so you can basically run a secure poker env on the same machine you use to torrent Soviet amateur porn etc without fear of any activity tainting the integrity of the sensitive VM, and how to monitor both VMs for tampering.
--------------------
whys the sky blue? whys water wet? why did judas rat to romans while jesus slept?
Group: Members
Posts: 4,558
Joined: 11-April 07
From: Texas
Member No.: 4,581
QUOTE(sonatine @ Jun 18 2009, 04:38 AM)
QUOTE(DirtyB @ Jun 18 2009, 02:29 PM)
QUOTE(sonatine @ Jun 17 2009, 07:27 PM)
so for over a decade, Windows has had a high profile and very bloody war on two fronts; introducing functionality using that explorer based shell & mitigating the damage from that new code and from its legacy architecture.
The good news on that front (as far as I understand it) is that Windows 7 runs legacy apps in a virtual machine, allowing 20 years of old bullshit to be stripped out of the kernel. That VM runs in a protected sandbox or can be completely disabled.
And the word is that the upgrade from Vista to Windows 7 Home Premium will only be 50 bucks.
VMs are totally where it's at. The one article I've been meaning to write/post since this forum started is how to set up VMs at zero cost so you can basically run a secure poker env on the same machine you use to torrent Soviet amateur porn etc without fear of any activity tainting the integrity of the sensitive VM, and how to monitor both VMs for tampering.
Noob question here but will the performance of the VM be the same as your real platform?
Edit: Never mind, I failed to follow forum rules and Google before speaking. I will now commence Googling. Disregard.
Group: Members
Posts: 4,088
Joined: 4-February 07
From: The Carter
Member No.: 4,252
QUOTE(MaxDreidel @ Jun 18 2009, 02:11 PM)
QUOTE(sonatine @ Jun 18 2009, 04:38 AM)
QUOTE(DirtyB @ Jun 18 2009, 02:29 PM)
QUOTE(sonatine @ Jun 17 2009, 07:27 PM)
so for over a decade, Windows has had a high profile and very bloody war on two fronts; introducing functionality using that explorer based shell & mitigating the damage from that new code and from its legacy architecture.
The good news on that front (as far as I understand it) is that Windows 7 runs legacy apps in a virtual machine, allowing 20 years of old bullshit to be stripped out of the kernel. That VM runs in a protected sandbox or can be completely disabled.
And the word is that the upgrade from Vista to Windows 7 Home Premium will only be 50 bucks.
VMs are totally where it's at. The one article I've been meaning to write/post since this forum started is how to set up VMs at zero cost so you can basically run a secure poker env on the same machine you use to torrent Soviet amateur porn etc without fear of any activity tainting the integrity of the sensitive VM, and how to monitor both VMs for tampering.
Noob question here but will the performance of the VM be the same as your real platform?
Edit: Never mind, I failed to follow forum rules and Google before speaking. I will now commence Googling. Disregard.
I don't mind conversation at all, I just want to spend more time discussing problems and solutions than explaining basic definitions of terms and so on.
Here is the thing; traditionally you don't see an impact on performance until you have exhausted a resource. If you're 12 tabling on a PC because the machine starts to wheeze when you try to open up more tables, then you're going to have to drop back to 8 or 6 tables under the VM.
I basically spent 8 straight years ignoring VMs because I felt the performance hit was unacceptable, and I had a lot of company.
With regards to basic desktop use, a few things have permanently changed this reality;
1) RAM is dirt cheap. I run VMware server, which is something like their top of the line app, and I believe it uses less than 40-60megs total, which leaves me over 7 gigs to allocate to VMs. The standalone VMplayer app, which does nothing but play VMs (VMware Server is payware but has extra functionality), has an even lower memory footprint. I'll research the exact figures for each and post them in the article I want to do that gets down in that direction but you get the idea.
2) CPUs are now multi-celled. Many CPUs are now dual, quad, or even eight "core" CPUs, meaning there are basically up to 8 small CPUs running at any given time. The irony of this is that very few applications actually have the code that supports running across multiple CPUs. It's referred to as SMP (symmetrical multi-processing I think.. god I'm terrible, I used to know this off the top of my head.. ok yeah I just googled it, close enough) compliant and it basically tells the application to spread its computations across several cells so computational workload is fairly evenly distributed. For anything that requires huge number crunching, such as mathematical applications, weather modeling, rendering video/audio, this is industry standard. However for the rest of us, especially those reading this particular forum, it's probably not ever used.
So bottom line in terms of CPU overhead is; on my 8 core Dell server, I can have 6 VMs running (although I never do) and delegate one CPU for each, and 1 gig of ram for each, so even if an application in VM #1 spazzes out, it never impacts the performance of the other 5 VMs, and the base operating system is oblivious to it all as it's sitting on the 2 unused CPUs with 2 gigs of RAM to fuck with at its leisure.
3) All CPUs after the F-socket (I have to double check that) support virtualization optimization. Which is to say, all recent CPUs have programming hooks in them specifically designed to make Virtual Machines run faster with less overhead these days.
The downside of that new virtualization code on the CPU is that it's actually able to be targeted with an incredibly nasty but thus far fairly exotic attack, but that attack requires the base operating system (the one running the VM containers) be compromised, and obviously that's something that can be largely avoided with proper execution and planning.
--------------------
whys the sky blue? whys water wet? why did judas rat to romans while jesus slept?
Group: Members
Posts: 4,558
Joined: 11-April 07
From: Texas
Member No.: 4,581
QUOTE(Jewdonk @ Jun 18 2009, 09:10 PM)
I have no job skills, no insurance, never had so much as a date during my entire adult life, I live with no less than 7 other dudes, I am 44 years old and change, and I've spent a thousand times more on dogfood than I have on my own daughter.
Is this thread relevant to my interests?
Wow... that is some pretty harsh introspection going on there JD.
I am not even sure if introspection is the proper word for this but I have been dying to use it in a sentence for at least a week now.
I am angling for an excuse to use velarization next.
"I see in the near future a crisis approaching that unnerves me and causes me to tremble for the safety of my country. . . . corporations have been enthroned and an era of corruption in high places will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people until all wealth is aggregated in a few hands and the Republic is destroyed." -Abraham Lincoln 1864