Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? 237
Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent
intrusion of malware, while allowing carefully examined data transfer
from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would
perhaps go through several Raspberry Pi computers running Linux; the computers
could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
Futurepower(R) (Score:2)
Answer (Score:5, Insightful)
Re: (Score:2, Insightful)
I was told the only secure computer is one that is never turned on, never connected to a network, and sits in a safe where no one has access to it.
Anything else, is just slowing things down, not prevention.
If something can be exploited, it will eventually be exploited. All it will take is a lazy user who thinks the USB stick in his pocket will be OK to use "this once" and be wrong.
Re: (Score:2)
Better put that in a faraday cage too, otherwise I might induce current into the circuits remotely and try to read the output RF interference.
Re: (Score:2)
You might not need shadow passwords if your computer is not connected to a network. Or a power cord. And is buried in six feet of concrete.
Re: (Score:2)
The answer is there is no way to do it. If a computer is on a network it isn't secure and it can't be isolated. A "network" is the anthesis of isolation. If you connect it to the Internet, game over man.
See the pilot episodes of Battlestar Galactica...
Re: (Score:2)
You're talking about direct connections, yet the entire concept of DMZ as a security principle disagrees with you.
Uh? (Score:2)
Really, the manufacturers track threats and release mitigations better than you can, and are built for exactly what you're asking. Daisy-chain ones from different vendors if you're really anal.
Re: (Score:2)
Seriously, this is just begging for an ad from Cisco
"Cisco Routers for the Desperate: Router and Switch Management, the Easy Way" [amzn.to] by Michael W. Lucas.
Isn't this what Qubes is for? (Score:5, Interesting)
Separates different browser and email tasks into virtualized jails.
https://www.qubes-os.org/ [qubes-os.org]
Kinda like Sandboxie. Speaking of which, sandboxie?
Re:Isn't this what Qubes is for? (Score:4, Interesting)
Yep, and it's almost usable, too. OTOH, Qubes is focused on the workstation. For network-level isolation, it's really hard to beat two firewalls from different manufacturers and code bases back-to-back.
Think Internet--PaloAlto--Sophos UTM--LAN (Substitute any two other unrelated NG firewalls)
Systems on the inside initiate all connections; no reaching in. That means having staging DBs, etc. on the outside that are polled from the inside by transfer routines that parse and validate everything outside of the application that receives the data. Anything that does not positively match expected input is dropped. If you really want to be serious, all systems log externally to a log host with WORM drives that has had the transmit pin on the NIC physically cut (mostly kidding -- hi Marcus!).
Remote access is terminal services or equivalent to a concentrator on the outside and a second hop internally with separate authentication at each hop. Absolutely no VPN or other tunneling that supports direct traffic flow from outside to inside.
SecureID or other token-based auth is mandatory.
Stupidly expensive and a pain to configure and maintain correctly, but very secure. If you need to ask, you probably don't need it and can't afford it.
Re:Isn't this what Qubes is for? (Score:5, Funny)
that has had the transmit pin on the NIC physically cut
ACK! What a terrible idea!
Re: (Score:2)
What is even more expensive is your employees. You have to make sure to pay anyone with access to the inside enough that they're not too easily bribed.
Re: (Score:2)
These "run every app in a VM" kits are snake oil. All they do is expand the attack surface making it easier for an attacker to get in. Sure, by virtue of being slightly different you might dodge some bullets temporarily, but once they're reliable enough to go mainstream, attackers will flock to them. The only real solution is less code and fewer interfaces.
Re: (Score:2)
All they do is expand the attack surface making it easier for an attacker to get in.
They do the opposite. If your jail is for Email, and the only thing installed is your email client, and the libraries needed to support it, that *greatly* reduces your attack surface. Heck, run it in a jail with no shell binaries, that alone will kill off most exploits.
A long time ago we used to build secure internet-facing public FTP servers this way. Strip out pretty much everything except a limited shell, that Gnu multi-tool shell thing and an FTP server. A few lines in rc to bring up the network, a sin
uhhh (Score:5, Insightful)
Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux
You are so incredibly out of your depth you don't even know it.
Re: (Score:2, Insightful)
Re: (Score:2, Interesting)
I guess his idea would be to use multiple brands of packet scanners and shit. ...which sounds just fine, except that.. uh. those scanners suck and if you only want to move files between them anyways, why not just set up a network where the raspberry pi is a ftp or smb or whatever share.
basically that's what he wants anyways. a file share between the two machines.
here's another idea though, just make a bluetooth obex file share from the computer that you browse the internet with. or a 3rd computer. enable bt
Re: (Score:2)
While he's at it he could increase the speed of this system by splitting connections across multiple ports on the network interface. It's crazy enough to work!
Re: (Score:3)
He needs 7 RPi so he will be protected behind 7 proxies and cannot be h4x0red!!1!!!!!1!!
IPX/SPX (Score:5, Funny)
Make the secure network IPX, nobody has seen it in 20 years, any malicious code running on the internet connected side won't even look for it.
I know, security by obscurity...
Also BSD not Linux.
Double Down (Score:2, Funny)
IPX on Token Ring, using Banyan Vines for file sharing. Run the server on OS/2. OpenVMS groupware.
Poor little virii won't know up from down.
Re: (Score:2)
Needs more AS-400 and System/32!
Re: (Score:2)
It was actually a pretty standard thing in the Novell world when the internet first got big. Internet traffic in IP, local in IPX.
Re: (Score:2)
Running netmare was a privilege? Who knew?
Re: (Score:2)
Gen sys on netmare 2 from 360k floppies...nobody ever did that twice, except everybody who forgot one thing the first time. You needed a running server with disk images to avoid it.
Virtualization (Score:2)
Why use multiple computers? What's the problem with Virtualization? Virtualize the firewall, slap on a tight-ass linux with bare minimums to perform routing/firewalling for the host machine. Works great for me. Very tiny attack surface (SSH at the very most, if even that.)
Re: (Score:2)
For security purposes it's only the appearance of several computers instead of actually being so. That's not a flaw, it's just not designed to do what you want it to do.
Using a data diode, and careful controls (Score:5, Interesting)
If you really care about isolation, like the kind we are talking about for SIPRnet and so on then you need to use data diodes and controls.
A data diode is a hardware device that only allows transfers in one direction. That way you can make sure that when you are bringing data in to the network, no egress can happen, and such. They are very specialty, and very expensive.
However more important than that is proper controls. That means policies and procedures that are followed rigorously. You have to make sure that people are extremely careful with how data is moved from one network to another and what data is moved. You need a process that specifies things like who can decide data to be moved, who approves it, who reviews it, how this is all done and so on.
If this is really important, well don't try to do it yourself based on some posts on Slashdot, you need to hire some experts. You also need to spend lots of time in the design and planning stages, you need to careful consider and document how everything will be set up and all the controls in place.
Re:Using a data diode, and careful controls (Score:4, Informative)
However more important than that is proper controls.
This right here is the most important sentence in this entire Slashdot story. Security is not about patching, isolating, and airgapping. Security is a complex process that gets more and more complex the more people are involved.
The best airgapped system will fall, the best designed DMZ will get infiltrated and even the masters of IT infiltration will fall victim to a malicious or ignorant insider if security processes and controls aren't in place.
Re: (Score:2)
I observed the admin on an oil rig keep a USB stick in the usb-slot on his KVM for secure/nosecure computer use to "ease data transfer" :p
He was issued one that required him to unlock it to mount, but he found that tedious so he replaced it with one he bought on ebay
Automount between secure and insecure every time he switched... he saw no issue with this.
Re: (Score:2, Informative)
If the security depended on the USB stick itself to not automount (trusting the external device), then he wasn't the only person at fault.
Re: Using a data diode, and careful controls (Score:2)
The "secure" system was winxp. We were fucked all around :p
You need to explain your purpose (Score:2)
There are many solutions each with its own pros and cons. But without understanding what it is you are doing you are really wasting everyones time. Go into the details and help us understand the purpose and situation to what it is you wish to achieve and /. will do it's best to help you.
Re: (Score:2)
What do you want to accomplish? Details are indeed the key. If you need to get data submitted from publically available servers, you're opening completely different attack vectors than someone who only needs to get data out of their internal servers to external targets.
Taking as a given no solution offered in the comments will be guaranteed to solve your needs, since we don't know what they are, there are some good safeguards that are standard in IT.
Step 1: Put managed systems between your LAN and the inter
Foolishness. (Score:5, Interesting)
What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers?
Print it out and type it back into the computer you want to transfer it to.
Windows computers on the isolated network...
If you are using Windows then you are forfeiting a major advantage: absolute control of your system. Windows cannot even be trusted to respect it's own system settings let alone be worthy of being trusted. You should be suspicious of software written by corporations because their motive is profit, not security or even user satisfaction.
Re: (Score:3)
Print it out and type it back into the computer you want to transfer it to.
Just transfer it via serial port, and make sure you leave the software open when you're done since that will block access to the serial port preventing malicious software from using it.
Dual firewalls (Score:2)
WAN -> Firewall -> Firewall -> LAN. Each firewall from a different company, and some tinkering with the router configuration to make even compromised computers not sure where they are.
Also helps if you use machines with a completely alien architecture to what everyone else is running. Viva la Alpha, MIPS, etc. It's not that you can't attack them, it's just that your custom forged 'PC' is now in the .000000000000001% bracket of commonality with everything else out there. Do you know how much of a ba
Re: (Score:2)
Security through obscurity is TOTALLY the way to go.
I recommend using Siemens PCS 7, WinCC and STEP7 industrial software (which isn't widely used), and air-gap it all to prevent access to Siemens S7 PLCs running custom, specialized code that nobody else could possibly know or have.. Totally secure- especially is you have all your contractors screened for special security clearance.
Totally unbreakable.
(See also: https://en.wikipedia.org/wiki/... [wikipedia.org] )
TL;DR: If someone big wants to hack/infiltrate you, you will
Re: (Score:2)
Never said it was unbreakable, just making it a little bit more difficult.
And correct me if I'm wrong, but Stuxnet runs on Windows, which is a monoculture...
Re: (Score:2)
Stuxnet was multi-platform, from Windows 0-day all the way through to PLC level code.
But, ya.
Way Way Way too complicated (Score:2)
You need to go much simpler, for a lot of reasons. Humans need to use it. Humans need to choose to use it. Humans need to not go around it.
I think you need to base your solution around a presumed-infected node. I find working with the weeds to be better than trying to design a planter that weeds can't find.
Given "Machine A" as the user's actual workstation, internal, no outside access.
Given "Machine B" as the external-facing node, with whatever internet access you deem necessary, and we'll presume that
Re:Way Way Way too complicated (Score:4, Insightful)
I've never heard of any malware jumping through an FTP connection.
Any transfer protocol implementation could have buffer overflows or any vulnerability that anything else has. Why is FTP more magic than SMB?
Re: (Score:2)
Have you ever heard of malware that jumps through an ftp connection?
Re: (Score:2)
Does that make it somehow less possible? No. There just hasn't been any reason for someone to try...yet. If you're protecting against all possibilities, then you need to think about theoretical rather than actual.
Re: (Score:2)
You don't know how to read. Step one was surface area. Read step two.
You also don't know how to think. You won't find something to protect against all theorhetical possibilities. That's not a real thing in life. It's like money. They aren't impossible to counterfit -- obviously. If the mint can print them, someone else can print them too. The idea is to make printing them dependent on an easily tracked material'ink/device, so that it's easy to find counterfitters. It's nothing more than a cat-and-m
Re: (Score:2)
FTP is one of the least secure file protocols in active use. Second only to maybe SMB, and that only because it was not designed to be exposed to the Internet.
Re: (Score:2)
So. . .then you're saying that it's perfect for uni-direction transfers within a closed network? Good point.
Re: (Score:2)
Malware has managed to jump air gaps between very disparate architecture using USB sticks. Sure it was a highly targeted attack to a very specific nuclear facility, but it was done. Maybe next time they'll indeed target the FTP link for that.
Re: (Score:2)
We're not trying to stop ethan hunt here. Set your bar.
Hardware one way links (Score:2)
The answer is simple (Score:2)
Place a tinfoil hat on each machine on your network. Voila! Problem solved.
Read up on the NSA and GCHQ over the decades (Score:3)
Work out what products and services are now for sale or have been found in the wild and could be used to extract your secure data.
Methods are shared with other "trusted" nations, staff keep methods get sold/kept for later private sector work.
Very advanced and unexpected methods are on the open market, back market, out in the wild.
Look at how governments failed to secure their own data and why.
Internet-facing computers had plain text data so it could be shared with trusted contractors and other agencies.
Internet connected computers got found doing interesting things and interesting people collected all tools on "secure" staging systems by following the networks back.
A USB stick gets dropped around a site of interest so staff walk in and bypass all security.
Nobody smart thought to test the "modem" or "hard disk" or just trusted the altered computer hardware that got "shipped" in.
A company hires staff without vetting and staff walk out will all the data.
A company finds a very secure building but low cost cleaning staff hold doors open for "workers" who can use an elevator and tell a nice story about needing to get back in to their office.
A nice sale is made of advance private sector crypto that is junk due to government backdoors.
Work out who wants your secrets. Another nation? Your own nation? Competitor? Someone who can afford to hire ex and former clandestine service professionals? A long term dual citizen?
Groups on the internet with no funding but who have unlimited time and very advanced skills?
A cult? Faith? Political groups? Private sector competition? SJW with funding?
What will they want? Collect it all? Some files? Production work? Prototypes and concepts? Will they have an expert to guide them in your network? Or have to collect everything and sort/sell/copy later?
Look back at how the NSA and GCHQ finally learned how to kept their secrets in the 1970-80's
What did the security services finally get right and understand after decades of walk outs and complex staff issues? What failed with all the trust in contractors after the 1990's?
If your company or data is interesting or has value someone is going to be looking. Down a network, a walk in from the street or as new staff.
Keep your secrets using compartmentalization.
If a server needs to have internet facing work, make sure its only for that project. If it has to have everything on it, hire a really good cryptographer.
Someone who is working for you, not with the government, not part time for a university, not as contractor, not some outside brand, not for some other nation.
Try and secure your work and use the networks the best you can.
Try and keep any future projects away from the production networks.
Think about your modems, your storage, what hardware got "shipped" in over the years? Other nations and the clandestine services thought of all that.
Set up really interesting fake projects and see who asks or looks?
Mid and low ranking staff ask too many questions hinting at terms they should not know? Do they just want a promotion or are they trying to get access?
CCTV shows new people wondering around at strange times?
A USB device found? Someone wanting to do charity work or to sell something been on site a lot? They want to give a quick presentation from a usb stick?
Staff getting amazing new friends who really want to see their office? Data is collected by placing a trusted physical device internally well past any average protection.
After a while a type writer, paper, a vault and guards could be a good idea for the best ideas.
Fill your computer networks with encrypted bait and see what walks in or out.
If virtualization is too risky... (Score:2)
If virtualization is too risky, maybe you need to consider total isolation: faraday cage and tinfoil hat. Anything you use to transfer files can be compromised and transfer malware.
If you're only concerned about mainstream exploits, then make your own custom file-shoveler solution: browse, etc. on a net exposed computer, download to an external hard drive, then switch the hard drive to the isolated PC and scan with whatever you trust before moving it into the "green zone." Drives aren't smart enough to ex
USB file transfer cables are still a thing (Score:3)
It can be used so that the "secure" computer can see only one main directory (plus it's subdirectories) on the conventionally networked computer.
It has the added bonus that many machines have ports on the front so it can be plainly visible when the link is in place.
There is commercial software to do this .. (Score:2)
The Orange Book will help, but it's not sufficient (Score:2)
We have confidentiality standards, but that's not all of security. Nevertheless, having a B2-level machine between two mutually untrusting worlds provides you with a good place to review incoming exceutables and outgoing information. Do it using two humans, one called a sysadmin, the other a security administrator. Both must sign off before moving anything from one world (category/level, container) to another.
No go solve all the other problems in security (;-))
Run wireshark as root (Score:2)
And examine every packet carefully.
Know the scope of your problem... (Score:2)
Re: (Score:2)
What's the goal? (Score:3)
It seems to me that we have a very simple and common piece of equipment for isolating one network from another while also allowing connectivity: a firewall.
You can get firewalls that scan traffic for patterns of attack, or compares the data being transferred against malware signatures. Granted, that's not perfect. It won't provide anything close to "perfect" security. But still, what do you anticipate your setup would provide that a good firewall wouldn't?
For example, you reference passing traffic through several Raspberry Pi devices, which essentially has each one acting as a firewall. Yeah, you can make all your internet traffic pass through multiple different firewalls, each with their own security scanning engines, but your adding expense and complexity for diminishing returns on improving security.
So what are you trying to do? What kind of security are you trying to provide, and what kind of attack vector are you anticipating?
Zero days (Score:2)
...go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware
If you had a 100% effective way of checking for malware, then you wouldn't need to airgap your computer at all, just run this magical malware detector on the computer.
The thing about zero-day exploits is that since they are previously unknown, there's no way to catch them with any certainty.
If you want to keep your computer completely safe from network malware, keep it completely air gapped and off the network.
Microsoft ... (Score:5, Interesting)
Microsoft has done some work around this on the Windows side.
They build a locked-down domain that requires Ipsec for all communication, and use it to build secure hosts called Privileged access workstations (PAWs) from known good media.
Their reference material is here:
http://aka.ms/cyberpaw [aka.ms]
The configuration and software bits will obviously be different from Windows to Linux, but the underlying ideas should be the same.
Those are:
* restrict network communications with IPSec
* no internet access on the PAWs
* build everything in the red forest, including the PAWs, from known good media.
There has been a great deal of discussion about the "right" (tm) way to bring data into and out of the red forest. You can argue for moving this data in via bastion host file servers, but I don't like that. If I'm going to all of the trouble to air gap a network then I want it to be an air gap. That means USB sticks and sneakernet.
I'm not familiar with the intricacies of the recent Intel AMT vulnerabilities, but I _assume_ that requiring IPSec for communications at the OS layer won't prevent that vulnerability. I'd be delighted to be wrong.
.
(Save the Microsoft bashing for another post. I work for them. They buy my groceries. They aren't paying or pushing me to write this. In fact, I should be working.)
What is the Best Way to A and Inverse-Of-A? (Score:2)
You are literally asking what is the best way to "isolate" something, and then allow "data transfer" from that thing. The thing you are asking to allow completely negates the first action. These things are literally opposites.
Did this question make anyone else sad? I always wonder if this means today was a slow news day.
Use Security Standards EAL7 (Score:2)
While there's a lot wrong with the Common Criteria process some of the underlying concepts are good. EAL7 essentially relies on the implementation of a security concept that is provably correct. This is opposed to trying to harden/secure a general purpose system. This is why people use Data Diodes, which are essentially one way network connections.
Security Concept = Only allow data to travel in one direction. You can then prove that data can't get from the high side to the low side
Implementation cut one of
FWTK (Score:3)
I have used various versions of the FWTK [fwtk.org] to isolate test networks. There is an independent version of the code here [sourceforge.net].
If you (can find and) use the old version, beware of the author's [ranum.com] reflections on his code.
As this has long been abandonware, I'd say that all of this code should be running in a chroot() as nobody should you use it. Also note that you'll need the -m32 compiler flag (in addition to many other changes) to get a clean build.
Re: SneakerNET? (Score:4, Insightful)
That's not nearly enough. Malware like Stuxnet shows how far attackers go to breach air gaps and similar forms of isolation. (SneakerNet is one, sometimes weak, form of air gap.)
Re: SneakerNET? (Score:5, Insightful)
Indeed. Any system, even if airgapped can be penetrated, especially if there are insiders that can be bribed or blackmailed. It all comes down to deciding who you can trust. Do you trust your hardware? Do you trust the people that wrote Linux?
The scenario described in TFA is silly. Using a computer as a firewall does not work as well as using a firewall as a firewall. A computer-as-firewall running a general purpose OS is going to have a much larger attack surface. If you aren't going to airgap, then get a real dedicated firewall, and then disable ALL the ports. Then use port knocking [wikipedia.org] to open specific ports to encrypted communication with only pre-verified clients.
If that isn't enough, then you can also wrap your computer in tin foil.
Re: SneakerNET? (Score:5, Informative)
That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly. They probably aren't even remotely familiar with a specific vendor's myriad choices and methods. Juniper is not the same as Cisco, for example.
My suggestion is to hire a qualified professional. If they have to ask Slashdot, they are not a qualified professional. This is not meant to be an insult, they probably are very good at something else. If you're going to take security seriously, hire a professional. If you're not going to hire a professional, don't even bother trying something like this.
If they don't hire a professional, and attempt this, they might just as well ready their PR team to deal with the near certain eventual outcome of data exfiltration. It's going to happen. Hire a damned professional and be prepared to buy some equipment.
Re: SneakerNET? (Score:4, Funny)
Excellent. Consider that stolen.
Re: (Score:2)
That they ask this question, in this manner, makes me uncertain that they can even configure a dedicated appliance properly.
That they ask this question, in this manner, tells me that they do not have an understanding of what they want versus how reality works. If this "project" is anything other than a personal learning project and has importance (monetary or otherwise) then you are absolutely correct. Pay someone who understands the problem space to architect a solution that provides the desired outcome, if reality even allows for the goals and desired outcome to be met.
It should be noted that many people are considered securit
Re: (Score:2)
Thus the term qualified professional.
This is definitely something they shouldn't do themselves.
Re: (Score:3)
Yeah -- they ask on stackoverflow.com... ;^/
Re: (Score:2)
Do they have a security section?
Re: (Score:2)
Re: (Score:2)
Use a cell phone, email it to yourself, and you're done.
Re: (Score:2)
Re: (Score:2)
uucp still works great here, delivering e-mail from my SMTP server to my non-internet workstation, as well as handling file transfers.
Main disadvantage are web forms that won't allow bang paths in the user section of e-mail addresses, even though they're perfectly legal.
Re: (Score:3)
Optical fiber is the best isolator. (Score:3)
Optical fiber is the best option to allow large voltage differentials on data networks.
You can transmit data through nodes that have over 100 000 V potential difference.
Re: (Score:3)
Since it got formalized with an RFC.
Re: (Score:3)
Re:Wait... whaaaa? (Score:5, Funny)
Buy a used CDC-6500. Program it via punch cards. Wipe the memory between each job. I'd love to see malware that can attack a punch card deck.And you' d also have to know how to program a CDC-6500.
https://www.geekwire.com/2013/... [geekwire.com]
Re: (Score:2, Informative)
Nah, you didn't have to go there.
My point is that the solution to the author's problem has been available off the shelf for the past couple of decades.
Trying to cobble together something that looks like a firewall from 'secure linux' on Raspberry Pi is just going to set you up for every fail that the industry has run into and solved.
On the other hand, modern commercial firewalls have zones and sftp that satisfy the initial request, but face the same issues of designed-in frailties and owners who do not conf
Re:Wait... whaaaa? (Score:5, Interesting)
I'd love to see malware that can attack a punch card deck.
Did you ever use card decks? It was a common joke to insert malware cards into someone's deck while they were using the restroom. The best counter-measure was to use a marker pen to make a big X on the edges of your deck, so you could visually see if it had been tampered with.
Re: (Score:3)
The same goes for paper tape, cloads, etc. None and nothing is totally immune from tampering...... somehow.
This is why chains of authorities are so important, and why security certificate infrastructure and blockchain so useful..... until spoofed certificates and muddied blockchains are discovered.
Nothing is foolproof because fools are so ingenious.
Re:Wait... whaaaa? (Score:4, Funny)
Buy a used CDC-6500.
My apartment complex has a recyclable weekend once or twice a year for tenants to drop off old electronics. The list of acceptable items include "mainframe" computers. I've been waiting for someone to drop off a mainframe computer. No one ever does. Out of 300+ apartments in Silicon Valley, you would think that someone would have an old mainframe computer that they weren't using.
Re: (Score:2)
Adults with a lifetime history of gainful employment in the Bay Area don't live in apartments.
That's an interesting notion. I've been in my apartment for nearly 12 years, including when I was out of work for two years, underemployed for six months and filed for chapter seven bankruptcy. I had the option to break my lease but I didn't do so because my circumstances were temporary. The day after my bankruptcy finalized, I was working full time again.
Re: (Score:2)
Re: Wait... whaaaa? (Score:2)
I agree. He should definitely start going to storage locker auctions.
For the record, that is a joke. No, don't do this.
Re: (Score:2)
Besides, even if you found a big iron jockey with the collectors bug who happened to live in an apartment or condo, where would he put it?
Well, exactly, that's why he'd be giving it away!
Re: (Score:2)
Re: (Score:2)
Whatever you do, don't program on a Mac. The malware is compatible with everything. Even alien motherships. [yahoo.com]
Re: (Score:2)
Mainframes not vulnerable (I think?) (Score:2)
Re: (Score:2)
Re:Wait... whaaaa? (Score:5, Funny)
Is it 1998?
A useful metaphor in which to consider the problem might be a principle that's used to establish construction standards so that fires don't spread too widely or rapidly in very large buildings and other structures. What they do is they integrate fire-proof barriers at critical points, which block air transfer and heat exchange, and therefore limit the damage that a fire can do.
Stay with me here; this might get a bit arcane....
Imagine if we could apple a similar concept to computing and networks. Imagine if, instead of air and heat exchange, we limited the transfer of data between segmented portions of a network. This 'firewall'—to coin a phrase—would provide us with the ability to operate with relative security, and we could therefore rest assured that the designated secure parts of the network remain secure, while still allowing access to less secure areas via some sort of notional 'gateway'.
Pie in the sky, I know. But still, as an exercise in theoretical modeling, it's fascinating.
Re: (Score:2)
Re: (Score:2)
Multiple points of failure along the way decrease overall security anyway.
Re: (Score:2)
RFC 6214 - Adaptation of RFC 1149 for IPv6
It's important to have modern standards like IPv6 in your networks.