Jonathan's Pancheria

dotcom Thousandaire

He’s said it before in many different ways, but I finally found a bunch of statements in a single posting of his that summarizes his what I think is very correct thinking about terrorism prevention:

The problem with building security around specific targets and tactics is that its only effective if we happen to guess the plot correctly. If we spend billions defending [target type A] and terrorists bomb [target type B] instead, we’ve wasted our money. If we focus on [event type X] and terrorists attack [event type Y], we’ve wasted our money.

[…]

The following three things are true about terrorism. One, the number of potential terrorist targets is infinite. Two, the odds of the terrorists going after any one target is zero. And three, the cost to the terrorist of switching targets is zero.

We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn’t require us to guess. We need to focus resources on intelligence and investigation: identifying terrorists, cutting off their funding and stopping them regardless of what their plans are. We need to focus resources on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy.

In 2006, UK police arrested the liquid bombers not through diligent airport security, but through intelligence and investigation. It didn’t matter what the bombers’ target was. It didn’t matter what their tactic was. They would have been arrested regardless. That’s smart security. Now we confiscate liquids at airports, just in case another group happens to attack the exact same target in exactly the same way. That’s just illogical.

The problem is it’s much harder to make it look like you’re doing something so when the next attack comes you can say how much work you were doing protecting target type A and event type X, and the only way you could have prevented the attacks on target type B and event type Y would be more resources.

Published on 04/09/2008 at 06:23PM under . Tags , ,

Here are some quick steps I did to do initial lockdown of a freshly created Joyent Accelerator:

Change passwords

  • Sign in as admin via secure shell to the default account, change its password
  • su to root and change the root password
  • Go into virtualmin→webmin→Webmin Users→Click on the admin user. Then set Password Authentication to Unix Authentication in the dropdown box, like in this screenshot: Hit the Save button at the bottom of the page. After you do this, you will have to log back in to webmin. Alternately, you could just set the password to be the same as the one you used for the admin user you secure shell’ed in, if you are worried about webmin having access to the Solaris password authentication system. But then you also have to worry about keeping the passwords in sync.

Shut off unnecessary services

  • Disable apache: I am not ready to run a webserver yet, so I shut off apache by su’ing to root and running # svcadm disable cswapache2
  • Make postfix only accept mail from localhost: Webmin→Server→Postfix Configuration→General. Set the text box on “Network interfaces for receiving mail” to localhost, like in this image: then save. Then stop and restart postfix

When I was done, my netstat -a -f inet display showed only the following listening ports:

  • *.s s h: s s h daemon
  • *.10000: webmin
  • localhost.smtp: smtp, but can only be accessed via localhost
  • localhost.3306: mysql daemon

Published on 25/05/2007 at 04:37AM under . Tags , , , , , , ,

Having worked at some places with what I would call “restrictive access policies” regarding internet sites and ports that can be accessed, as well as the software and configuration of computers issued to employees, I am led to the following question for companies that develop software:

If you do not trust your software developers with their own computer, how can you trust them to write the software products you sell?

If you are worried about me setting up my own printers, or installing software on my computer, or where I browse, then how can you trust the commercial software that I write for you? Sure, there are criminal penalties for the latter, but are you saying that the only way I will behave in a lawful manner is under pain of imprisonment?

Published on 03/10/2006 at 08:38PM under . Tags , , ,

Powered by Typo – Thème Frédéric de Villamil | Photo L. Lemos