Slashdot Mirror


User: totally+bogus+dude

totally+bogus+dude's activity in the archive.

Stories
0
Comments
1,022

Comments · 1,022

  1. Re:Dumb dumb dumb on Mark Russinovich On Vista Network Slowdown · · Score: 1

    All true enough, but it still seems like a tremendously short-sighted decision for their "next generation" operating system.

    For one thing, gigabit is only going to become more common. You don't need a crystal ball to realise that. Hardware which is crippled by this design decision was already readily available when Vista was released! Most modern motherboards have gigE onboard, and have done so for a while. Heck, most "enthusiast" boards have two gigE NICs onboard, because they're so friggin' cheap and widespread.

    A fairly obvious future application of high-speed networking plus multimedia is, of course, streaming hi-def videos across a network. This might not be too bad in its current form, as from what I've read this throttling only applies to sending data, so consuming it should be okay... but there's bound to be use cases where this will be a problem. What's more, the whole point of the DRM rubbish that resulted in this re-engineered audio system is to be able to enjoy hi-def content on your Vista PC.

    My guess is they knew it was completely screwed, but figured most people wouldn't care for quite a while (is there any actual hardware which Vista trusts enough to let you play HD content on it yet? And is there enough HD content to be worth the effort, anyway?), and they'd be able to fix it by the time it became a real issue. They're probably right. Failing that, well, hardware will be ten times more powerful then, so it won't be a problem any more.

  2. Re:where is it? on NeoOffice 2.2.1 Available For Mac · · Score: 1

    Just FYI, that link -- http://www.uoregon.edu/~koch/texshop/ -- works for me(tm). Maybe it was a temporary problem. Is it working for you now, or something mysterious afoot?

  3. Re:Finally, a service provider with a clue... on DynDNS Drops Non-Delivery Reports · · Score: 1

    I use postfix, in which it's default behaviour. Although now that you mention it, the default settings are a little more lax than I'd prefer, so I'm going to tweak them a bit. I'm not sure what version this appeared in, but it's been around for an awfully long time. I think even the version in woody had this feature.

    That said, it only tracks errors per-session; every new connection the client makes results in a reset counter. So, it could be improved. But making a new connection slows things down on its own.

    http://www.postfix.org/rate.html#slowdown

  4. Re:Shame on /. for linking to this on BioShock Installs a Rootkit · · Score: 1

    True enough, but there is a difference. "passwd" and friends are needed for proper functioning of the system, so the risk they pose has to be weighed against the benefit of taking that risk. And FWIW, I don't run man setuid/setgid on any of my systems, because the performance benefit of caching man pages doesn't, for me, outweigh the risk of privilege escalation.

    Considering SecuROM: it allows you to run a game, which you bought and are fully entitled to run. Why is it acceptable that you have to run software which has the potential to compromise the security of your system in order to run a game that you've paid for? Do they sell it to you cheaper because making you take this risk increases their sales? Not that I've seen -- games are getting more expensive just like everything else, despite the increasing size of the market. And the potential for bugs to exist in software as complicated as this is pretty high.

    Also, with the examples you gave, you have a choice. If passwd and chfn are too big a risk for you, then disable them. Require all logins to be authenticated using something other than a password; don't let people change their own account info via chfn. The only choice they give you with these copy protection schemes is not to play the game at all.

    Actually, that's not true: the other choice is to wait for it to be cracked. In that case, it's usually more convenient to obtain a pre-cracked, pirated version, than it is to buy the game.

  5. Re:True Story... on BioShock Installs a Rootkit · · Score: 1

    Same. I actually don't buy games I can't pirate first, because I want to know it's worth the money. Budget titles I might take a punt on, but if you're asking $80-90 (au) for a game, it'd better have some decent longevity to it. I've been burned too many times by games that have a cool demo that suggests the full version will have more depth... only to discover the full version is the same thing over and over again.

    A good example would be Doom 3. I'd be pissed if I'd bought it based on a demo. Fortunately I didn't, and I got bored of it after a few levels. Yeah, for $20 or something it would've been cool, but not at full premium price. No fucking way.

    Something vaguely interesting to me: the 1.3 patch for Silent Hunter 4 removes the copy protection check. I've been playing it with a nocd for ages (originally pirated, but I've bought a copy too) so this doesn't really make any difference to me. But what I found interesting is the number of people on the Subsim.com forums who gave kudos to Ubisoft for removing the copy protection. I'd always figured I was one of just a small minority that actually find copy protection annoying, and that everyone else just didn't mind it at all. But the reaction on the forums suggests to me that a lot of people do find it annoying, and I'm just a part of the minority which choose not to put up with it.

    That said, obviously a lot of publishers would prefer to release shit games with good demos and sell lots of copies, rather than just making good games people want to buy. But, I don't feel any moral responsibility to support that particular business model. Make a good game that I like, and I'll buy it. Simple.

  6. Re:Finally, a service provider with a clue... on DynDNS Drops Non-Delivery Reports · · Score: 1

    Okay, fair enough -- brute-force attacks do happen. I wonder what criteria the spammers use to decide which systems to try it on? All but one of the servers I administer are in Australia, so maybe it's a regional thing. I have one in the US which is reasonably well connected, but that doesn't receive brute-force attacks either, and the domains it hosts are .org and .net, not .au ones. Is your personal domain one which someone might think hosts a lot of email accounts? I wonder if real human beings actually scan lists of domain names and pick which ones they want to try brute-forcing?

    The servers I'm looking at at the moment are pretty low volume, and reject about 5-10,000 messages a day (over the last few days). Brute-force attacks on these would be pretty obvious, but looking at the 687 addresses which were tried only once during the last 48 days, there's a vanishingly small number that don't refer to a name I recognise (and I've only been with the organisation for 2 years).

    Over any reasonable period of time, your list of IPs will converge with the union of all dynamic IP addresses assigned to consumers.

    True, but if you automatically remove addresses after a week or so it wouldn't be so bad. Plus, there's a lot of people out there who think this would be a benefit of such a system, not a drawback.

    I still think brute-force attacks are a waste of time, and only stupid spammers would try it.

    Another fairly obvious reason why accepting mail and then sending NDRs for invalid addresses is a horrible idea just occurred to me. Your personal domain receives 20,000 delivery attempts to invalid addresses daily. I'll guess that virtually all of these are from spam using made-up from addresses, and a good proportion of those from addresses will be actual email addresses belonging to innocent people.

    If your server generated NDRs for these invalid addresses rather than just rejecting them, you'd be sending thousands of NDRs to random people every single day. Which is to say, people who know their servers are subject to brute-force attacks should be even more careful to limit NDR generation than people whose mail servers aren't, rather than use it as an excuse not to.

    So, while I fully retract my ignorant assertion that brute-force attacks aren't tried anymore, I still maintain that sending nonsense backscatter to thousands of people who never even heard of your domain before is a really crappy way to "protect" your address lists. To me, "I'm too lazy to configure my server properly" is a far, far better excuse than "but if I do that the spammers will harvest all our email addresses!"

  7. Re:RFC-Ignorant.org on DynDNS Drops Non-Delivery Reports · · Score: 1

    Totally agree. DynDNS are in a difficult position because of the service they provide, but frankly, I don't think they should be providing the service if they can't do it properly. Instead, they're putting a bandaid over a symptom of the problem rather than fixing the problem itself.

    If you want to run your own mail server for the added control, or because you like to tinker with things, or whatever, that's fine -- but you have to also take responsibility for it and run it properly. If you're not willing to take that responsibility, find someone who will. Expecting the rest of the internet to put up with the crap generated by your server because "it's too hard to configure it properly" is just selfish.

    The rest of us take the time to make sure our inbound MXs are able to verify addresses before accepting the mail -- why should you be any different, just because you're too cheap to pay for a proper service or too lazy to work out how to configure your server? (Using "you" in a general form, not directed at you, megaditto.)

  8. Re:RFC-Ignorant.org on DynDNS Drops Non-Delivery Reports · · Score: 1

    I use sitename@example.com when I register on a website, and everything@example.com gets sent through to my account. So how am I going to determine whether foo@example.com is valid or not?

    You just stated that everything@example.com is valid. What's the problem? If you actually do accept everything@example.com, then anything ending @example.com is by definition valid. In this case, you're not going to be generating NDRs, and therefore aren't part of the problem. I do this as well, so I know where you're coming from, but I completely fail to see why you're so upset. Unless you're lying and you don't actually accept everything@example.com -- in which case, you must somewhere have a list of the addresses you do accept, and therefore you should make that list available to any server which accepts mail for your domain.

  9. Re:Finally, a service provider with a clue... on DynDNS Drops Non-Delivery Reports · · Score: 4, Interesting

    Bunk. Even if it was true, it's still no excuse for ignoring your responsibilities.

    I run the mail servers for several domains, and brute-force attacks just don't happen. It's fairly obvious why, if you think about it. Dictionary attacks against common names are possible, but I've not seen evidence to suggest that's happening.

    Firstly, I want to get back to "responsibilities". By this I mean that anyone who's connected to the internet has a basic responsibility to make at least a good-faith attempt to prevent their system being used against other people. This goes doubly for people who intentionally run publicly accessible servers (e.g. mail servers and web servers). You should treat any mail system which indiscriminately generates NDRs the same way you'd treat an open relay, because that's effectively what it is. You are deliberately making a server available which will accept mail from anyone on the internet, and send it to anyone else on the internet*. This is reckless irresponsibility.

    * - most NDR messages include at least part of the original message's text; at the very least, the subject line. So a system which generates backscatter does in fact carry some payload chosen by an anonymous third party.

    Even if brute-force attacks on your mail server's address list do occur, there are ways to mitigate the effects of it that don't turn your system into a spam engine.

    Having a look through the last 48 days' logs on one of my servers, there's 2,308 addresses which were rejected because they're non-existent. The vast majority are either formerly valid addresses (i.e. of people who used to work here), or slightly mangled versions of valid addresses (presumably badly parsed). Particularly common are things starting with "3D" (presumably parsed from quoted-printable data which contains =3D) or people's surnames (smith@example.com) -- our email addresses are in the format firstname.lastname@example.com, and it would appear that some harvesters consider periods before the @ to be invalid.

    The second part highlights why brute-force is impractical: the namespace before the @ is absolutely massive, and only a tiny fraction will be valid addresses. If you have no idea what format email addresses in the target domain take, you have no choice but to try everything, and that will take far longer than a week. Add to this the proliferation of very small domains with only a handful of email addresses (i.e. personal domains, promotional domains). Even with a vast botnet, trying to harvest addresses by brute force against a mail server is so horribly inefficient as to not be worthwhile. There's much easier ways to harvest addresses.

    Then there's technical issues with that kind of harvesting. First, any reasonable mail server will start responding slower to a client which is making repeated errors, before finally shutting them off. This means you have to make lots of connections. Second, brute force or dictionary attacks stick out like a sore thumb versus normal mail traffic, making it trivial to block any IP which is trying to harvest addresses in this manner. The only possible way to do these sorts of attacks would be to use a vast distributed botnet, and even then it's not going to work. It would be easy (and fun) to build a system that watches for such attacks and blacklists any IP involved. Anyone harvesting in this way would then be betraying the IPs of most of their bots during the harvest! Then there's lots of clever things one can do: once you have a known harvester, start okaying its invalid addresses and add them to your list of spamtraps. Not only is the spammer not collecting any valid addresses, but you're poisoning their address list!

    Brute-force attacks are too easy to detect, and too easy to use against the attacker. There's much, much easier and more efficient ways to harvest email addresses. Possibly it could be used if you're targeting a specific company or domain and can do some research into their configuration, but even then there
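    The "sticks out like a sore thumb" observation above lends itself to a small detector. This is an added example, not code from the comment or from Postfix: it parses constructed Postfix smtpd log lines, counts distinct unknown-recipient rejections per client IP, flags clients over a threshold, collects the addresses only they probed as spamtrap candidates (the poisoning idea the comment describes), and buckets rejections by the "3D" and surname-only mangling patterns. The regexes assume stock Postfix reject/client log wording, the threshold of 4 and the sample lines are constructed, and the firstname.lastname address format is taken from the comment.

```python
"""Flag address-harvesting clients in Postfix smtpd logs (added example).

Assumes stock Postfix "NOQUEUE: reject: RCPT from ..." rejection lines with
the "User unknown in local recipient table" reason, and that local addresses
follow the firstname.lastname@ format the comment describes.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines; the client addresses are documentation ranges,
# not real hosts.
SAMPLE_LOG = """\
Jan 12 10:15:02 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<smith@example.com> proto=ESMTP helo=<x.example.net>
Jan 12 10:15:03 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <jones@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<jones@example.com> proto=ESMTP helo=<x.example.net>
Jan 12 10:15:03 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <brown@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<brown@example.com> proto=ESMTP helo=<x.example.net>
Jan 12 10:15:04 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <taylor@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<taylor@example.com> proto=ESMTP helo=<x.example.net>
Jan 12 10:15:04 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <wilson@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<wilson@example.com> proto=ESMTP helo=<x.example.net>
Jan 12 10:20:11 mx1 postfix/smtpd[1202]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <3Djane.doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<3Djane.doe@example.com> proto=ESMTP helo=<mail.example.org>
Jan 12 10:20:12 mx1 postfix/smtpd[1202]: 7F3A1B2C4D: client=mail.example.org[198.51.100.7]
Jan 12 10:31:40 mx1 postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<bob@example.com> proto=ESMTP helo=<y.example.net>
Jan 12 10:31:41 mx1 postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<bob@example.com> proto=ESMTP helo=<y.example.net>
"""

# One unknown-recipient rejection: capture the client IP and the recipient.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
# A connection that went on to be accepted (a queue id was assigned).
ACCEPT_RE = re.compile(
    r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_smtpd_log(text):
    """Return ({ip: set of rejected recipients}, {ip: accepted connections})."""
    rejects = defaultdict(set)
    accepts = Counter()
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects[m.group("ip")].add(m.group("rcpt").lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepts[m.group("ip")] += 1
    return rejects, accepts


def flag_harvesters(text, threshold=4):
    """Clients that probed at least `threshold` distinct non-existent addresses.

    Returns [(ip, distinct_invalid, accepted_connections)] sorted by count.
    A harvest shows many distinct unknown recipients and (typically) no
    accepted deliveries; a typo from a legitimate sender shows one.
    """
    rejects, accepts = parse_smtpd_log(text)
    flagged = [
        (ip, len(rcpts), accepts.get(ip, 0))
        for ip, rcpts in rejects.items()
        if len(rcpts) >= threshold
    ]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def spamtrap_candidates(text, threshold=4):
    """Addresses probed only by flagged clients: no legitimate sender used
    them, so they can be turned into spamtraps as the comment suggests."""
    rejects, _ = parse_smtpd_log(text)
    flagged = {ip for ip, _, _ in flag_harvesters(text, threshold)}
    probed = {r for ip in flagged for r in rejects[ip]}
    seen_elsewhere = {
        r for ip, rcpts in rejects.items() if ip not in flagged for r in rcpts
    }
    return sorted(probed - seen_elsewhere)


def classify_rejections(text):
    """Bucket every rejection by the mangling patterns the comment describes."""
    counts = Counter()
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        local = m.group("rcpt").split("@", 1)[0]
        if local.startswith("3D"):
            counts["quoted-printable-mangled"] += 1  # "=3D" left over from QP
        elif "." not in local:
            counts["surname-only"] += 1  # dot dropped from firstname.lastname
        else:
            counts["other"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n, ok in flag_harvesters(SAMPLE_LOG):
        print(f"harvester {ip}: {n} distinct unknown recipients, {ok} accepted")
    print("spamtrap candidates:", spamtrap_candidates(SAMPLE_LOG))
    print("rejection patterns:", classify_rejections(SAMPLE_LOG))
```

Over real logs the per-IP threshold should be paired with a time window, since the comment's point is that the harvester's errors arrive in a burst rather than spread across weeks.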

  10. Re:My answer on Study: Martian Soil Has Signs of Life · · Score: 2, Insightful

    Okay... test your theory.

    What, people that don't believe God created the universe have to somehow test their theory on how it came to be, but people who do believe in God don't have to? Talk about double standards.

    Now I know why lying is bad and I feel wronged when someone does it to me. You totally explained the concept of holiness. Amazing!

    You feel "wronged" because it puts you at a disadvantage; basically, it's a threat to your existence or well-being. You trusted someone, and then found out that they abused that trust. In most cases in our society that's not too dangerous as we don't wind up in life-or-death situations very often, so it may not threaten your existence as such, but when people lie it's usually to gain an advantage over you.

    You also seem to be trying to claim that "lying is bad" is a universal truth that everybody feels, but that's ludicrous. Haven't you ever heard of con artists? You know, people who base their entire lives around lying and cheating other people? People who feel no sense of remorse or shame or guilt for doing this -- often completely destroying people's lives in order to get a bunch of money? What about politicians? I know they don't all lie all the time, but many of them play very fast and loose with the truth. Do you really think they actually feel "bad" for doing it?

    Morality is so clearly a product of society, I can't help but think you're trolling. For example, most western societies have pretty strong views on sex with minors, but there's plenty of cultures where such things are commonplace and expected. Homophobes are another good example of people with very strong-held convictions that particular acts or behaviour are Wrong, yet other people view it completely differently. I'm actually amazed someone would attempt to make an argument that anything relating to morality and "right or wrong" are somehow ingrained in us as a universal, unchanging truth.

    I don't have a problem with reconciling God and science, but some of your comments there were just too stupid to ignore. Unless you were actually trolling, please put a bit more thought into it next time.

  11. Re:How many more articles.... on Study: Martian Soil Has Signs of Life · · Score: 1

    The cells in your body are constantly reproducing. Is this true of all life? Maybe. I guess that's why the only way we'll really be sure is when it's brought back to Earth and takes over the planet.

  12. Re:To put it into 'software piracy' terms... on Latest Music Piracy Study Overstates Effect of P2P · · Score: 2, Interesting

    Why would you buy the album.. if you already have all the songs?

    Most of the CDs I buy are of albums I already have as mp3s, largely collected during high school and uni when I didn't have money for frivolous things like that. The majority of the rest of the CDs I buy are from artists I have a few tracks from which I've downloaded (usually long ago, again) and wanted to get the album those songs came from.

    Same goes for lots of computer games; I buy the ones I like, but often play ones I don't feel are worth their full list price. I have a copy of Oblivion still shrink-wrapped because I'd played it for some time before deciding it was worth the money. I loved Silent Hunter 3 but never bought it because it used StarForce copy protection, and I think they're even more ethically bankrupt than I am; but SH4 doesn't so I bought that happily... and again, that box is unopened because I downloaded it and never needed the actual media. Heck, I actually pre-ordered the last Hitman, but the release in .au was delayed sufficiently that I'd played through the entire game before my copy of that arrived.

    Possibly I'm a statistical anomaly, but I think everyone has a limit of what they feel morally comfortable with. So, I have some albums I've downloaded and kind of like, but probably won't buy; if I had to make a choice whether to legally own it or never listen to it again, I'd choose the latter. But since I don't have to make that choice, I'm comfortable enjoying them on occasion despite not paying for them.

  13. Re:What value DO the entry level certs have? on Network Warrior · · Score: 1

    I don't think I can really offer any good advice, I'm not a hirer or particularly good at getting jobs or anything, but I'll contribute my 2 cents all the same. At the very least, someone might decide to argue with me and accidentally contribute something useful.

    Since you don't really have much experience in what you want to be doing, I think a cert is probably a good way to get a foot in the door. As the GP said, if you're choosing between two candidates with limited experience, the certs are likely to tip the balance. At the very least it demonstrates you're willing to put in some time in trying to make this a career, rather than just trying it out to see whether you like it or not.

    The main benefit though is that going for a cert might give you some solid goals of "things to learn and understand", rather than just following whatever happens to take your interest at the time. Not everything a network admin does is interesting to them, but if you're missing boring but important knowledge, you might have a hard time. Of course, "boring" varies between individuals. It largely depends on how you prefer to learn though.

    If you want to be really pro-active, it might be worth finding some local (or not so local) companies you think you'd like to work at, and politely ask them what kinds of things they look for in prospective employees, and in particular if there's any certifications they've found to be worth having. You may find that all the companies local to you say that they completely disregard certifications, and at least then you'll have a better idea of whether they're worth obtaining.

    Another thing to consider is going for lower level roles, e.g. helpdesk positions in small-mid sized companies. If you're lucky you might find yourself working with some pretty knowledgeable people, and get a chance to look at a real network and pick their brains. Plus, you'd be getting paid at the same time, which can't hurt. For most of these types of roles, customer service skills (i.e. being friendly and accommodating to people) is the most important thing, and it sounds like you probably know enough to be useful the moment you step in the door.

  14. Re:Negotiated E-mail on Should We Spam Proxies to China? · · Score: 1

    Wow, that's bulletproof! The only way I could see any spammers possibly getting past this would be by harnessing legions of zombies in a massive distributed botnet with near infinite CPU capacity.

    Not to mention the whole "hey everyone, change your mail systems so you can mail to me" thing, which puts a serious crimp in any grand scheme to replace SMTP. If we are going to replace SMTP, then I'd suggest completely replacing it with a protocol that requires the sender to store the message on their own server until you decide you want to read it (aka Dan Bernstein's Internet Mail 2000). For trusted senders, you can have your server automatically download the message so you can grab it locally when you want, but this measure alone will make all those dynamic-IP zombies much less useful for spammers.

    It could also make IP-based blacklist more effective: any mail which is hosted on a server which is a known spam carrier can be retroactively removed from your mailbox before you have to see it.

  15. Re:Adblock + Pipeline simultaneously? on How Much Are Ad Servers Slowing the Web? · · Score: 1

    Yep, absolutely correct. There's no mechanism within HTTP for a server to send you content you didn't explicitly request. Which is both a good and a bad thing, I suppose. (But mostly good.)

  16. Re:use firefox and adblocker! on How Much Are Ad Servers Slowing the Web? · · Score: 1

    I think it's more a problem with JavaScript and CSS -- particularly JavaScript. If you're including an external JS file (via <script src=...>) then it's quite possible that that script will want to change the document's onLoad behaviour, or refer to a variable or function that was defined in a different script which was included earlier ... which means you can't complete loading the document until all the JavaScript files have been loaded. A lot of the advertising uses JS included in separate script files; and heavy (aka bloated) sites are likely to have their own scripting separated into multiple files, too.

    CSS has a similar problem; styles defined after other ones take precedence (at least, I think that's the case -- I could be making it up), therefore they need to be parsed in order. At the very least, you need to have all of the stylesheets parsed before you can work out what the layout is supposed to be. Although, I have noticed some sites are temporarily displayed without styling, particularly on my N800 (Opera).

    I think a lot of browsers meet these requirements by simply loading the docs one at a time, in order. Simpler to program, but potentially less efficient. Regardless, if one of the servers hosting a JS file you need is slow, then you don't really have much choice but to wait for it.

  17. Re:damn tokens... on One Failed NIC Strands 20,000 At LAX · · Score: 1

    Most non-trivial networks will use spanning tree, and something like "bpduguard" on all ports which aren't expected to be connected to another switch. If you connect the switch to itself (or another switch), the BPDUs will cause it to shut down the receiving port, at least for a while. No flood.

    Mind you, not all networks do this, and I have managed to put a loop in a network once or twice. Makes the LEDs blink a lot. Very pretty.

  18. Re:The last step is Linux? on Cross-Platform Microsoft · · Score: 1

    remember MS have never done anything original, they buy it all in, including the entire team who built NT

    Lazy Bill Gates, always buying staff instead of making them himself from scratch. Now Steve Jobs, he busied himself scoring around the clock with dozens -- nay, hundreds! -- of women for years before founding Apple. That's what I call being original!

  19. Re:Very true.... on How Pirated Software Impacts Free Software · · Score: 4, Insightful

    I recently re-installed my laptop to give it to my parents. It came with XP Professional, but I couldn't find the installation disc (if it even came with one). So I just used the XP Pro image I happened to have lying around. This required a VLK of course, so the key on the sticker on the laptop doesn't work. Just used a keygen to get it to install.

    So, that laptop would be classified as running a pirated copy of Windows, just because they still try to prevent you "stealing" their software by limiting access to the shiny discs (and because I was too lazy to download an OEM image so the key would work). Furthermore, I don't have to activate this version of Windows, so yet again: the pirated version is more convenient than the legit product.

  20. Re:Gentoo also recently disclosed security breach on Ubuntu Servers Hacked · · Score: 1

    That's because nobody uses OpenBSD. It's too hard to find any boxes to hack!

  21. Re:Hardware Support on VMware May Violate Linux Copyrights · · Score: 1

    Not necessarily; ESX is used by big companies in mission-critical roles, and VMWare not only sell the product, but also support for it. Before they can declare hardware is compatible with it, they need to be damned sure that the hardware they say you can use with it works 100% reliably with it. That means lots of testing in all the possible configurations under heavy loads and in as many failure scenarios as they can... which is going to severely restrict the amount of hardware you're going to put on your compatibility list. IIRC, a lot of the stuff on their list is for complete systems, i.e. particular models of IBM and HP servers, etc. So they not only certify that the individual drivers work, but the entire system.

    Also, it's very likely they need to modify the drivers to work properly with ESX. Which is to say, they don't write their own driver for every piece of hardware (they use the Linux ones), but they do modify them to work with the VMkernel.

    All conjecture, but I strongly suspect both of these points are correct, and both contribute to the limited list of supported hardware.

  22. Re:Am I missing something? on VMware May Violate Linux Copyrights · · Score: 1

    Of course you can use open source software, you just can't use it in every conceivable way you might want to use it. Nokia can use the Linux kernel in their Internet Tablets; Debian, RedHat, Ubuntu et al can use the Linux kernel to run their operating systems; VMWare can utilise the Linux kernel in their ESX Server product... provided they comply with the terms of the license.

    In fact, the point of making it open source is to ensure that you can use it in particular ways: if someone distributes software which makes use of an open source program, you should be able to make changes to that open source program and utilise that with the software. The ability to do that is what the license is designed to protect.

  23. Re:Adds to Perception of GPL as Viral on VMware May Violate Linux Copyrights · · Score: 1

    VMWare also runs under Windows last time I checked

    ESX server does not run under Windows. They have several products, most of which do, but ESX Server is (sold as) an operating system unto itself, and does not install or run under any other OS. It does however use a Linux kernel to boot, which then hands control over to the "VMkernel". The question is whether this "VMkernel" is itself derived from the Linux kernel, or otherwise so co-dependent on it (as in, a kernel module) that it cannot function without it.

    I have written software that ONLY runs on Linux. So does that mean that my software must be GPL?

    The COPYING file clearly states:

    This copyright does *not* cover user programs that use kernel services by normal system calls - this is merely considered normal use of the kernel, and does *not* fall under the heading of "derived work".

  24. Re:Old news? on VMware May Violate Linux Copyrights · · Score: 1

    Even if that's the case, the license for the BIOS doesn't state that any derived works must be released under the GPL. So, all the dickheads that have made comments like the parent in an attempt to be "insightful" can go fuck themselves because it's completely irrelevant. Your computer's BIOS almost certainly does not use the GPL for its license. Even if it did, the BIOS is not being distributed with the kernel or by distros, therefore they don't have to comply with a distribution license, anyway (the GPL specifically only applies to distributing GPL'd software, not merely using it).

    Furthermore, the kernel copyright, while being (I think) standard GPLv2, includes this message:

    NOTE! This copyright does *not* cover user programs that use kernel services by normal system calls - this is merely considered normal use of the kernel, and does *not* fall under the heading of "derived work".

    I don't see how it could possibly be any clearer that programs running on top of the kernel as regular applications (as opposed to those that intertwine themselves with it, e.g. kernel modules) are not considered derived works.

  25. Re:If it cannot be loaded without the linux kernel on VMware May Violate Linux Copyrights · · Score: 1

    Apache doesn't need the Linux kernel in order to run. It needs a platform which supports certain APIs. Or are you completely unaware that Apache also runs on BSDs, Solaris -- pretty much every UNIX or unix-like system -- as well as even Win32? Or do you think they have a special Linux kernel embedded in it on other platforms so it can run?

    Specifically, the parent said VMkernel is a Linux kernel module, which is quite distinct from an application which happens to run on Linux.

    Not specifically arguing against your point, but comparing Apache or Oracle to a kernel module completely misses the point.