峨眉山报国寺、金顶、万佛顶、万年寺

到成都峨眉山参加一个市场活动，住在红珠山宾馆，这里有茂林修竹，小溪流水，附近空气清新，景色怡人，更有报国寺、卧虎寺等古刹名寺。下面是报国寺门票上所印“峨眉山报国寺简介”：

报国寺，原名会宗堂，为明光道人于万历四十三年（公元1615年）所建。祀普贤、广成子、楚狂牌位，无塑像，取释、道、儒三教会宗之意。清顺治时，行僧闻达禅师重修。康熙四十二年（公元1703年），取佛经中“四恩”之一的报国恩意，更名“报国寺”。由康熙御题，知县王藩代书“报国寺”金字横匾悬于山门之上。

寺周古楠修竹掩映，十分庄严伟丽。山门、弥勒殿、大雄殿、七佛殿、普贤殿以及客舍僧寮百间，布局井然，排列有序。还配有花影厅、七香轩、吟翠楼、待月山房等庭院建筑，并有花木点缀其间，即崇宏又雅丽，不啻为“名山起点”的第一大寺。

从雷洞坪作缆车到达金顶，缆车从云中钻出来，眼前立刻充满了晶莹透亮的雪松，还有蓝的多年没有见过的天空。站在金顶上，可以望见远远的贡嘎雪山，白皑皑的，纯洁的贡嘎雪山。

乘坐小火车到了万佛顶，撞钟三下祈福许愿。下得塔来，远望那无边的云海，心里有些恍惚的感觉，分不清是云是海，是俗境、还是仙界。

下午到万年寺，不愧是四大佛教圣地，每座寺院都宏伟壮观，别具特色：

万年寺为东晋隆安三年（公元399年）慧持禅师开建的普贤寺。唐慧通禅师于僖宗光启三年（公元887年）重建，改名白水寺。宋太平兴国五年（公元980年），茂真禅师扩建，改名白水普贤寺。内敕铸普贤骑象铜像，通高7.4米，象身长4.7米，重62吨。明万历二十八年（公元1600年）奉慈圣诏，遣中贵二人，赐金台泉禅师，仿印度热那寺样式，建无梁砖殿，殿壁两侧上方有横珑，上三层供铁佛3000；下三层供500罗汉，寺内还珍藏有一枚明万历皇帝赐的铜印；嘉靖年间锡兰（今斯里兰卡）友人送的“伽叶佛牙”、贝叶经，都是针对的文物。

万年寺右临石笋峰，群峰竟秀，古木葱茏，秋来层林尽染，“白云轻飞，黄叶点水”，颇有诗情画意，故称“白水秋风”。

[Chinese]SOX Compliance and Related Organizations

这几天还在看萨班斯法案的东西，SEC要求上市公司以及向它提交财务报表的公司都要符合萨班斯SOX法案，其中的404条款和302条款提到了符合过程中IT控制的责任，但是没有提具体应该部署哪些“控制”。推荐大家参照COSO的符合性框架，COSO的符合性框架只提了五个层次的框架，但是还是没有指明到底应该部署哪些控制。于是关于具体控制选择指导就落到了CoBIT的肩上。ITGI的白皮书中特意强调没有”one-size-fits-all”的解决方案，每个企业应该根据自己的实际情况来决定IT控制的选择。但是，你的选择对不对呢？要看外部审计公司的审定。按照这个逻辑，这些外部审计公司（他们同时还作咨询业务）岂不是既是规则制订者，又是裁决者了。本身违反了SOD（Segregation of Duties）原则。这个看法可能不全面，甚至不对，大家批评指正。

下面是顺手记下的几个相关组织的情况。

* COSO :: The Committee of Sponsoring Organization of the Treadway Commission, 隶属于美国国会的反对虚假财务报告委员会（NCFR）. COSO是一个通过商业道德、有效的内部控制和公司治理结构以致力于改善财务报告的美国民间组织。COSO形成于1985年。研究导致虚假财务报告的偶发因素，并为上市公司及其独立审计师，为SEC（美国证券交易委员会）和其他监管机构以及教育机构提供建议。该委员会由美国五个主要财务职业协会共同主办：AAA（美国会计学会）、AICPA（美国注册会计师协会）、FEI（财务经理协会）、IIA（内部审计师协会）和 NAA（全国会计师协会，现为 IMA、管理会计师协会）。它完全独立于各主办组织。代表来自于工业、公共会计、投资公司和NYSE（纽约证券交易所）。由于该委员会的第一任主席是 James C．Treadway，因此通常称为Treadway委员会。
* PCAOB :: Public Company Accounting Oversight Board 公众公司会计监管委员会
* ITGI :: IT Governance Institute 信息技术治理研究院（学会），该组织由很多咨询公司和大企业的资深人士组成，其出版的SOX符合与IT控制白皮书非常值得大家读一读。其他不少讲萨班斯SOX符合性的PPT，图都是取材于该白皮书。网址是http://www.itgi.org

萨班斯法案有很多误称，想一下子完全拼写正确可不那么容易。看看下面这么多的错别字：

SOX Humor: What is common among the following words: SarbanesOxley, sarbanes ox, Sabanes Oxley, Sabannes Oxley, sabanas, Saban Oxley, Sabane Oxley, sarban oxly, sorbonne oxley, sarban oxley, sarbannes oxley, sarbane-oxley, sarbanis oxley, sarbanne oxley, sarbanes oaxley, sarban oaxley, sarbanese oxley, sarbonnes oaxley, sorbanne oaxley, serbanes oaxley, sarbane oaxley, Sarbaines Oxley, sarbanesh oxley, Sarbaines Oxely, sarbenes oxley, Sorbane Oxley, Sarbanes Oakley, Sarbane Oxly, Sarbonnes Oxley, Sarbanas Oxlay, sarbane oakley, akslays, sarbain aksley, sarban aksleys, sarbane ausley, sarbans auxey, sarbarnes auxley, sarbin axlays, sabranes oxl, sabarnes axley, sabines exley, sabones osley, sarbone, sarboness, sardane, serbanss, serbians, sirbanes, sirbaness, sirbans, sirbanss, sirbens Oxley, sirbenss Oxley, sorbain Oxley, sorbaine Oxley, sorbanes Oxley, sorbaness Oxley, sorbenes Oxley, sorbeness Oxley, sorbian Oxley?

在国内萨班斯，萨宾斯的称呼也是都有的，不能说那个对，那个不对。你喜欢那个就用那个就是了

历史档案-我为Sun打补丁

下面的短文是大概98年什么时候写的，那时候刚开始接受几台Sun Solaris机器的安全维护，”菜鸟”上路，边学边练，倒也开心，感觉天天都有新的收获。这个短文是为中计报的工程师手记专栏写的，但是没有发表。翻出来也挺有意思。98年时候的电信机房还是Sun的天下，工程师学的、用的都是Solaris。现在不同了，IBM签下越来越多的移动公司，HP也斩获大部分市场份额，Sun节节败退的感觉。

给系统打补丁是管理员的日常工作，尤其是选择了SUN工作站和Solaris以后，在获得了易用性的同时，也将自己和“补丁（patch）”“补丁包（patch-cluster）”紧紧联系在了一起。系统已经有半年多没有打过新补丁了，然而期间报导的系统漏洞却一个接一个地不停，尤其是几个关键系统程序的安全漏洞，像rpc.statd，automountd，rpc.ttdbserver，in.named等，并且我们的几个服务器在检查中连续出现被攻击甚至入侵的征兆。我感到越来越不安，决定下载一个最新的补丁包给系统们升升级，也安慰安慰自己。 Read the rest of this entry »

[Chinese]Skype与中国固网运营商的合作模式

如前面的预测，Skype果然开始了与国内运营商的合作谈判，但是谈判会如何进行呢？国际上，将会越来越多的大大小小的厂商会推出基于P2P技术的各种新产品，竞争地位的运营商推出相应的应用来挑战主导运营商，都会全力来赶这趟P2P大潮。电信和网通两大主导固网运营商在信产部条文保护时间内，必须尽快研究拿出战略性的、全局性的对策，并迅速执行落实，不能停留在试探性的、测试性的“控制”活动上。疏导不受控业务的同时，开拓可控的P2P业务平台，以及相应的计费运营模式。时间越来越紧迫了。 Read the rest of this entry »

[Chinese] SIG (Security Immunity Gateway) of Huawei

下面是从华为公司网站上看到的关于华为安全免疫系统 SIG 的描述：

从网络蠕虫病毒的最大源头－－终端用户计算机入手，检测用户计算机的安全状态。对不安全的计算机，提示其进行系统加固或杀毒操作。对于已经感染蠕虫病毒的计算机，根据安全接入策略，从网络接入层暂时隔离或限制，从而解决网络上蠕虫病毒泛滥的问题。

同时SIG系统还能够检测非法的VoIP用户，从接入层杜绝非法VoIP泛滥，减少国家和运营商的损失。

使用SIG，我们可以实现以下三点目标：
1、从最为复杂的问题出发点–用户的终端PC入手，自动检测用户终端病毒，加强弱点管理。
2、自动进行病毒检测，对终端用户提供增值服务。
3、提供阻断非法VOIP功能，提高运营商增量收入。

从 这段功能描述上看， SIG有些像思科公司的NAC计划，从终端入手治理网络安全威胁。可是，就非法VoIP的检测、阻断的功能描述上看，不知道这样的产品如何推向市场？与运 营商合作、由运营商推向自己的ADSL注册用户、阻断非法VoIP来帮助运营商提高增量收入（不知道华为SIG如何定义非法和合法VoIP）？那用户肯定 不愿意安装啊，我使用ADSL，就是想VoIP，我还想视频呢。

原来记得华为的NAC对应方案应该是EAD（端点准入防御），EAD面向用户侧的终端、SIG（从名字上看）面向运营商侧的网关设备？或许应该这样理解。

前面提到过国内桌面管理市场上的厂商，例如国外的CA, Microsoft, Landesk, BigFix, 国内的联创和华为等，看来大家的产品定位还是挺有”特色“的。

UTM (Unified Threat Management) Definition

According to IDC, UTM (Unified Threat Management) security appliances are defined as:

UTM security appliance products include multiple security features integrated into one box. To be included in this category, as opposed to other segments, the appliance MUST contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities in the appliance need not be utilised, but the functions must exist inherently in the appliance. In these products, the individual components cannot be separated. 

Basically, UTM security appliances are charactered as some integration of the follow 6 features in one boxes:

• * Firewall – these devices are typically deployed at the network perimeter, and therefore robust, stateful firewall capabilities with NAT are required.
• * VPN – often deployed as branch office solutions on a corporate WAN, the ability to create a small number of secure VPN tunnels is essential.
• * IDS/IPS – a firewall only enforces policy, and if that policy includes allowing inbound HTTP traffic to Web servers on the DMZ, then there is nothing the firewall can do to prevent HTTP exploits from subverting the target Web server. The IPS capability will detect and block such attempted exploits at the network perimeter, preventing the malicious traffic from ever reaching the server. An IDS-only capability can detect exploits and raise alerts, but will be unable to block the malicious traffic.
• * Anti Virus – gateway Anti Virus prevents inbound virus traffic at the edge of the network, thus reinforcing desktop security solutions and blocking viruses before they reach the desktop. This solution can also prevent infected machines from propagating viruses outside the corporate network.
• * Anti Spam – gateway Anti Spam can tag inbound e-mail, allowing it to be handled more effectively by desktop filtering solutions, or can block suspected spam mails completely. This solution can also prevent internal hosts from sending spam mail outside the corporate network.
• * URL Filtering – using a constantly-updated database of categorised URLs, a gateway URL filtering solution can prevent employees from accessing objectionable or inappropriate Web sites from the corporate network  
• * Content Filtering – by scanning Web and mail traffic for specific content, a gateway content filtering solution can prevent objectionable or inappropriate material from passing into, or out of, the corporate network.

Comment to “Skype Blocked at China”

At a previous post, “Skype’s road to China“, I introduced my view point of Skype at China, not bright as they are at other lands, due to the restrictions of the regulations and market circumstances. Along with the emerging technology/product from Verso, the “blocking of PC-to-phone”, ie. SkypeOut, was reported to be blocked at Shenzhen and other three cities at China.

A lot of report titiled “Skype-blocked at China” were headlined at many of world famouse relevant newpapers and journals. That kind of activity was even regarded as “bureaucratic politics” by Clark, managing director of BDA China.

The blocking of SkypeOut calls from Shenzhen started several days before Verso announced on Sept. 14 the availability of the NetSpective M-Class application filter, which the company billed as “carrier-grade Skype filtering technology.”

While Verso said in its release that the use of Skype is illegal in China, the situation is more nuanced.

Chinese government officials have been generally tolerant of VoIP software, such as Skype, that is used to make calls from one PC to another. But the ability of Skype users to make calls to a phone via the SkypeOut service is more sensitive, because this directly affects the revenue that operators such as China Telecom earn from international phone calls.

On the one hand, the Chinese government owns the carriers and will act to defend their interests, said Duncan Clark, managing director of BDA China, a telecommunications consultancy in Beijing. However, the Chinese government also wants to see the price of making phone calls come down, he said.

“It’s a question of bureaucratic politics,” Clark said.

It’s well known that Skype is different from Vonage, the latter is protected at USA as a VoIP service provider according to the FCC regulations, while the former is not. Because Skype makes money from network infrastructure of other telco companies without any revenue sharing or settlement mechanism.

At China, PC-to-Phone and Phone-to-Phone VoIP services are restricted to be “basic telecom service”, allowed to only a few state run telco companies. Althoug foreign companies will get more penetration opportunities along with WTO openness of telecom market, that would not benefit Skype, unless Skype succeed in transformation to a more transparent and open technology, e.g, communication protocol, key management, billing data output, interop with SIP, and etc.

It’s obvious that Skype represent a killer technology to provide voice and video services at a very lower cost (of course, not zero like what Skype spend on their services). It’s the responsibility of the government (in China, it’s MII) to represent consumers to force the service providers to make use of advanced technologies at the possibly earliest time (if they won’t, new licenses will be issued to other providers). But, as to China Telecom, China Netcom, and other service providers, they won’t give up their monopoly privileges currently have unless they are forced to. So “blocking skype at China” is only a tactic action to prepare themselves for the uncertainty of the future regulations.

The differences between PC and “Phone” are becoming more and more obsecure, so it will be more and more difficult to distinguish “PC to PC“ against “PC to Phone”. That’s why I suggest Skype’s road to China lies at penetrating into those handheld devices with WiMax, WiFi, GRPS, 3G wireless link.

[Chinese]萨班斯来了 zz

下面的文章转载自信息产业网，其中关于主要上市公司在时间表的考虑较为详细。

(肖卓 张萍 人民邮电报， 2005-11-10 08:23:43)

近期，在美国上市的国内企业意识到，他们又将面临一个新的考验，考验来自一个棘手而严厉的“美国规则” — 萨班斯法案。

2002年7月30日，美国总统布什在签署“萨班斯法案”的新闻发布会上曾称“这是自罗斯福总统以来美国商业界影响最为深远的改革法案”。萨班斯究竟何 为？2001年12月，美国最大的能源公司——安然公司，突然申请破产保护；次年6月，美国世界通信爆发会计丑闻事件，诸多上市公司治理结构不平衡和外部 监督缺失，美国资本市场诚信岌岌可危。为此，美国国会和政府加速通过萨班斯法案。它犹如一记重拳，有力地规范了企业的财务制度，并通过加强内部控制，改进 了公司的治理状况。

萨班斯法案是美国自20世纪30年代颁布财务规则以来，最为严厉和企业必须严格遵守的财务法则。事实证明：触犯萨班斯法案，企业高管就有可能面临监禁等法律制裁，公司声誉下跌，投资人失去信心，企业失去再融资能力，最后不得不被迫退市。
Read the rest of this entry »