Network DMZ

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX, networking

A network DMZ, or demilitarized zone, is a place between the Internet and an entity’s internal network. It is a place where a server can be set up on a separate, protected network segment. The server provides a service to the outside, like FTP file hosting access for customers, a mail server for offsite personnel, webservers, or proxy servers, and shares this data internally through a protected funnel. This is desirable because if the DMZ server is compromised by a malicious person out on the Internet, that person won’t have access to the rest of the internal network. It also gives the internal IT people time to sever the external connection and fix the problem, clean the system, or rebuild the system without fear that the attacker has already moved on to wreak havoc on the rest of the internal network.

You can set this up using either a single or a dual firewall approach. A single firewall approach requires the firewall to have at least 3 network cards. One card goes to the Internet Service Provider, another goes to the DMZ host, and the third to the internal network router. The firewall needs to have enough computing power and memory to be able to handle the traffic and all associated filtering to and from the 2 network cards. A dual firewall approach is more secure and consists of 2 firewall computers or devices. One goes from the ISP to the DMZ machine or segment, while the second is on the back end and sits between the DMZ machine or segment and the internal network router. The IT staff can further mix things up by using a different firewall vendor for each firewall so that the two do not share the same vulnerabilities. This slows down and hampers attackers, who could otherwise use the same methods to defeat both firewalls if they were identical.

Buffer Overflow Attacks

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

Buffer overflow attacks are legendary in computer security. Programmers write lots of software which expects some sort of user input. This inputted data needs to be assigned an area of memory, called a buffer. The size of the buffer is assigned in anticipation of how much data will be provided to the input query. If the programmer hasn’t added checks to verify the size of the input data, then an attacker can provide so much data that it causes an overflow. In some cases the program just fails, but in other cases commands can be sent in with the overflow that are executed with the permissions of the host program, which can in many cases be root level access. This is why system services running as root are targeted by this sort of attack.
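The missing size check described above, next to a version that has it. This is an added example, not code from the original post; `BUF_SIZE`, `store_name_unchecked` and `store_name_checked` are hypothetical names, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed buffer size for this example */

/* Vulnerable pattern: copies until the NUL terminator with no regard for
 * the size of dst. Any input of BUF_SIZE bytes or more writes past the end
 * of the buffer. Shown for comparison only; it is never called here. */
void store_name_unchecked(char dst[BUF_SIZE], const char *input)
{
    strcpy(dst, input);
}

/* Hardened form: find the terminator within the first BUF_SIZE bytes,
 * reject the input if it is not there, and only then copy.
 * Returns 0 on success, -1 if the input was rejected. */
int store_name_checked(char dst[BUF_SIZE], const char *input)
{
    if (input == NULL)
        return -1;
    const char *end = memchr(input, '\0', BUF_SIZE);
    if (end == NULL) {            /* input plus terminator does not fit */
        dst[0] = '\0';            /* leave the buffer in a known state */
        return -1;
    }
    memcpy(dst, input, (size_t)(end - input) + 1);  /* +1 copies the NUL */
    return 0;
}

int main(void)
{
    char name[BUF_SIZE];
    const char *fits = "alice";                               /* constructed */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */

    printf("short input -> %d\n", store_name_checked(name, fits));
    printf("long input  -> %d\n", store_name_checked(name, too_long));
    return 0;
}
```
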

Code audits can sniff out vulnerabilities that would otherwise make this sort of attack easier. This is a case of an ounce of prevention being worth more than a pound of cure. In reality it is more than an ounce of prevention and is rarely done. The next best course of action is to regularly check system logs for suspicious activity. Filesystem integrity checking tools can assist in identifying whether a system has already been breached by showing which files have been modified. A chroot jail could have prevented this, because a service run this way would not have given the attacker full filesystem access, and most of the critical files would have been insulated from the attack. Many server programs now come with native chroot functionality.

Linux contains kernel modules which help to defend against this type of attack.

UNIX chroot

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

The chroot command is a shortened form of the two words, “change root”. What this command does is allow a sysadmin to rope off a section of the filesystem for users to play in. This is sometimes called a “chroot jail”, and I have heard it referred to as a “sandbox” or “user sandbox”. If a user logs in and the system is set up to send them here, this area appears to them as the entire filesystem, but in reality it is just a branch off the real filesystem. It contains only those commands and directories that the sysadmin wants them to see and have access to. This allows a prudent and careful sysadmin to allow system access while not relying solely on the UNIX permissions model. It is another level of system defense. Think of it as allowing access in a “need to know” way. They only see parts of the system that they “need to know”.

System services can be run in chroot mode, since if a system service were the target of a buffer overflow attack, it could compromise the entire system if the perpetrator of the attack were then able to access the entire system without the security that the attack immobilized. Had the attack succeeded and the service not been restricted to the chroot jail, the attacker would have a shell into the system which inherited the service’s permissions, which in many cases is root level access. If the attacker’s shell were limited to the chroot jail, their access to the system is very limited and the damage they can do is minimized. Perhaps if they realized this they would just go away and look for a juicier unprotected target.

The UNIX sudo command

Posted by: Tom  :  Category: Linux, Operating Systems, Techbait Homegrown, UNIX

The UNIX sudo command allows the administrator to limit what commands a user may run under root (administrator) privileges on the system. The /etc/sudoers file contains entries which affect what commands are allowed to be run in this manner. Different users can be allowed to have different levels of access, and the true root, or administrator, password never has to be divulged.

Sudo will also log all of the attempted accesses of every command that it runs, thus leaving an audit trail that a suspicious administrator can check on in case an attempted system breach is suspected.

Upgrading Vista notebook to Windows 7

Posted by: Tom  :  Category: Microsoft, Operating Systems, PC Hardware, Windows, Windows 7, technology

Last summer I purchased a fully loaded top of the line HP HDX 18 Premium Series notebook under the HP employee discount before being laid off by Hewlett Packard when they closed the New Jersey software development site at which I worked.  Windows 7 wasn’t released yet but the machine came with a free upgrade.  I eventually sent away for the upgrade and I have my disks, but I have been sitting on it since I rely on my machine for, like, everything and I am always wary of Windows OS upgrades.  I have yet to back the thing up and have an emergency plan should something go wrong.  I found this interesting upgrade article from PC Magazine.  The time draws close.  Wish me luck.

Windows 7 to Introduce Faster Graphics

Posted by: Tom  :  Category: Microsoft, Operating Systems, PC Hardware, Software, Software Business, Video Games, Windows, consumer, technology

Windows 7 is going to be the first Windows OS to treat the GPU more as an equal to the CPU, according to Nvidia product manager Chris Daniel.  He also says that with Windows 7, Microsoft is “really opening up the immense parallel computing horsepower of the GPU natively right in the operating system.”

This is obviously great news for graphics hungry users like engineers and digital artists.  We already know that this will be great for gamers.

Windows 7 introduces a new API called DirectX Compute, which enables the system to fully use the parallel processing in modern graphics cards from Nvidia, ATI, and others.

In ye olden days of PC lore, when computer processors didn’t include the math coprocessor for cost purposes, anything requiring floating point math calculation took FOREVER to complete.  I know this because I had an old Packard Bell 486SX laptop with the old CPU which did not have the coprocessor built in.  A 486DX would have had the floating point instructions built into the main CPU.

I had a 3D architectural program that would let you build houses and rooms in 2D, then it would render them in 3D for a walkthrough.  The 3D rendering required floating point math, and it took a long time to render on the non floating point CPU.  This old laptop did, however, have a spot for a math coprocessor.  I purchased and installed it, and the 3D rendering phase of that program took off.   Not long after that, math coprocessing instructions were built into the main CPU as a standard feature.  This was before the days of these 3D graphics cards with their unreal floating point performance.  These cards’ instructions are utilized by many games’ routines which are specifically built for accessing these features.  In DOS and some older Windows versions like Windows 95, the games (like DOOM) would basically create their own operating environment which the OS would shell out to, in order to have access to 32 bit and graphics functions.  Later on, Microsoft introduced the DirectX API for direct access to the graphics features via the OS itself.  Now it seems that they are taking it one step further.  I am not totally clear on how the games, which are essentially Windows apps, could access the graphics features via regular DirectX, but regular apps require this new API?  I probably am missing a step somewhere in there.   I’m sure that there are new GPU features that they allow access to, or improve the access.  Maybe this new API merely makes it easier to access for regular (non games) applications programmers.  I really do not know at this time.  I have not studied the API.

Chris Daniel further claims that DirectX Compute will “enable use of advanced technologies like SLI-based, multi-GPU gaming, 3D Vision, and PhysX real-time physics.”  So, this will bring parallel computing to the masses.

Well, that’s great news for graphics hungry Windows users who have top shelf graphics hardware.  I guess that that $6000 Alienware gaming laptop is again calling my name.

Apple Tried to Kill Microsoft TV Spots

Posted by: Tom  :  Category: Apple, Microsoft, Operating Systems, PC Hardware, Software, Software Business, consumer

According to many articles, including this one, Apple tried to have Microsoft stop running ads touting how expensive it is to buy an Apple notebook.  The ads showed a frustrating shopping trip of a twenty something who wanted a laptop for under $1000.  She was frustrated at the Apple Store, and ended up buying an HP Pavilion running Windows for $699 at a local electronics store.  Well, I have to back that up.  Apple’s products are expensive.  Now, many Apple fans will say that there are good reasons for that, and there are.  This doesn’t alter the fact that the average consumer sees things in dollars and cents, pounds and pence, euros and whatever.  I really can’t believe the nerve of Apple, though.  After running those commercials where the pudgy facsimile of Bill Gates, representing the PC, was constantly bested by that pretty boy who was in Galaxy Quest, they had the gall to complain about Microsoft running ads that were ACCURATE vis-à-vis pricing?  Give me a break, Apple!  Apple should be touting WHY their machines are priced higher.  You know, their OS is tailor made for the hardware and there are fewer driver issues and incompatibilities because they have a closed system and control all that stuff.  If Apple freed up the hardware and just marketed the OS, then Macs would be on the shelves for PC prices, but Apple is not MS and would never be viable enough without their hardware business.  It is a slightly different business model.  It has worked for them and I do not begrudge them this.  I do begrudge them crying “No fair!” to what amounted to accurate Microsoft advertising.

Apple, you are better than that.

Microsoft is Planning Apple Retail Store Assault

Posted by: Tom  :  Category: Apple, Game Consoles, Microsoft, Operating Systems, PC Hardware, Software Business, consumer

Microsoft’s COO, Kevin Turner, is claiming that Microsoft is going to open a chain of retail stores right next to Apple stores in the Fall.   Turner also claims that Microsoft has hired a retail team to implement the plan.

Wow.  I smell a big flop coming.  Why does Microsoft need its own retail stores?  I can understand the sporting spirit in taking on Apple (as if they didn’t already have their hands full of Google and the Chrome OS and browser, not to mention search, and advertising, and…), but all I foresee in these stores is overpriced Windows and XBOX stuff.  It will be fun though, and I welcome this move by Microsoft because you know, they keep this industry entertaining.  I also endorse vigorous competition between technology behemoths.  The consumer usually wins when they duke it out like this.  I just hope that the stockholders don’t get left holding the bag.

Will Google unseat Microsoft with Chrome OS?

Posted by: Tom  :  Category: Internet, Operating Systems, Software, Software Business, Techbait Homegrown

This week there was news that Google is coming out with a Linux based operating system to challenge Windows on certain devices, like low cost netbooks.  This is a good thing.  Linux itself could never pose much of a challenge to Microsoft because the various Linux distributions were way too small and lacked the money and resources to pour into things like device driver development, device support, or even partnerships which would bring so called “killer apps” to Linux.  Linux was more successful on the server side since it is a fabulous server operating system.  Windows Server has gotten better over the years, and it is a much more robust platform than it once was.  It is also very easy to administer.  Linux is more powerful and just more of a multiuser operating system.

Back to the desktop.  As an IT guy and UNIX devotee, I tried Linux as my desktop for several years.  It was good fun, but I grew frustrated with the lack of things like video codecs and device driver support.  I eventually went back to Windows as my desktop OS as Windows became more stable.   To go off on a minor tangent, Windows NT 3.51 was very robust.  Then to make it better for gaming and to succeed Windows 9x on the desktop, they took devices like graphics and moved them to Ring zero of the kernel, thus making the whole thing more crash prone.  They also were careless with their service pack updates.  The infamous Windows NT 4 Service Pack 2 broke many systems so badly that you couldn’t log in, and in many cases caused the more infamous Blue Screen of Death (BSOD).  I swore off Windows for several years after that.  I worked in a software company where we got all of the Microsoft OS’s in prerelease versions, and could see it improving after Microsoft was forced into some internal reorganizations when Bill Gates had to eat crow too many times in public due to Windows crashes and all of the bad PR they were getting.  It slowly came back.  They started testing service packs more, having limited releases to certain customers and external testers before releasing them out for general consumption.  Windows XP was very good.  I like Vista, but many people still feel that Windows XP is just a better workstation/desktop OS.  Windows 7 is supposed to fix Vista’s perceived flaws.

So, here comes Google.  Google is taking the rock solid and fast Linux OS and combining it with their own technology.  Will it unseat Windows?  I’m sure that many Microsoft execs are not sleeping well at night these days.  Google owns the Internet, and they are now poised to make great strides on the desktop.  They have the deep pockets to augment Linux and fix its desktop flaws, as well as make it “sexy” enough for mass consumption.  They have to be careful though since if they mess up, it will damage their brand.

I am impressed with the Google web browser, Chrome.  It is light weight and nice for quick browsing.  I am interested in the form that this Google-Linux will take.  I can hardly wait to load it on an old PC and take it for a test run.  That being said, Google has proven that it can be very evil in the realm of search engine based Internet domination.  They have the power to ruin Internet based business overnight, on a whim.  Since they are the biggest web search player, and Internet traffic is king to many online ventures, a simple change up in their search algorithms can literally ruin many people’s hard work in an instant, if they, say, vanish from hard won search rankings.  Their constantly changing Adwords keyword charges and page rankings have also become somewhat burdensome.  They defend this by saying that they are only looking out for the web surfers and minimizing SPAM, but this is not always the case.  They are so huge, and frankly I don’t like any one player being too huge.

So, I am glad that Google is challenging Microsoft, which will make Windows better and keep Microsoft honest, and I am equally glad that Microsoft has introduced their Bing search engine to at least try to challenge Google.  I do think that Google is far more of a threat to Windows dominance than Bing is to the Google search engine.

Only time will tell how all of this will play out, but you never know.  When Google was new you could have never convinced me that they would be what they are today.  You never know who is thinking up the next big thing in their garage startup company.