As much as I (still) like the idea, I realize that sucking money out of politicians' bank accounts would be a prime candidate if the PTO ever started accepting bad ideas. It's rather like taking a baseball bat to a wasp's nest... Even if you did manage to get away from it unscathed, your neighbours would hate you for the rest of your life.
The problem is that hackers don't make enough money. If hackers were regularly making 'donations' of a few (dozen) thousands of dollars to the campaigns of various politicians (or alternatively, causing the contents of those accounts to mysteriously evaporate), Capitol Hill would be a lot nicer to the hacker community.
I mean just look at the lot of lying, and cheating stock brokers and corporate executives... If they were as poor as the average hacker, they'd be in a pound-your-ass prison faster than you could say 'enron'.
Many years ago (mid 80s) a friend of mine was working at a lab which, among other things, had a small handful of UNIX boxes (SGI, SUN, Vax). He managed to finagle me the right to use the equipment in off times to do some of my own computing research (strange sorting techniques, mostly).
While using the machines, I noticed that there were some problems with the way that they were set up, so I also spent some time cleaning up the admin (for whatever reason, I also got the root PW).
In time, his boss found out what I was doing and he came to me with a speech along the lines of:
I notice that you've been doing some work on our machines, but in doing some inquiries, it seems that you're not a member of this lab, this department, or -- for that matter -- not even a current staff or student at the University. This means that if something were to go wrong, there's nobody who could really take responsibility for you being here or what you're doing, and I really don't have the right to ask you to do specific things.
So either you're going to have to accept payment for what you're doing here, or I'm going to have to stop you coming here.
With some surprise and shock, I chose the former option. He then asked me how much I wanted to be paid for my time.
I quoted him a number which was a bit over twice the minimum wage, and he frowned at me. After thinking for a moment, he offered me a different number -- about twice what I'd offered him. His explanation was that he wanted to pay me enough to ensure that I wouldn't be hired out from under him by the first yokum to come along.
I think that it's very human to underestimate the value of the work that we do -- especially when we enjoy doing that work. All I would really suggest is that you trust that they see value in the work that you're doing, and they know far better than you how much money it's making them (my guess is "lots"). Be willing to stretch yourself in accepting that valuation, and ask enough that you're not regretting the decision later and don't have to make a pained choice later on between staying with a project that you enjoy or going off to a 'real' job that might be less enjoyable, but would better support your lifestyle.
How much money is it reasonable to ask for, for doing work which I'd end up doing (albeit more slowly) even if I wasn't getting paid?
Don't feel guilty about being paid for doing what you like to do. The whole point of this is that they are making enough money off of your work that they're willing to pay you to do it better/faster/stronger.
It's not like they're going to lose money by paying you to do this. Consider this as both coverage for what you've done so far, as well as the money that the project is going to make for them in the future.
If you think that Perens got minimum wage for the work he did at HP (It was Perens who worked at HP, right?) you've got news waiting for you.
People seem to forget that recall doesn't necessarily (or even usually) mean pulling the product off of the market. It's very common that a recall just means a repair of some sort that (usually) increases the safety of a product.
I have to admit that 'pulling off the market' was my first reaction to the recall announcement. Then I read the original news articles and I hit myself... "Oh yeah -- that kind of a recall."
I'm not quite with the "governments should make laws forcing Open Source down people's throats",
In this case, at least, the government isn't really forcing open source down people's throats. What they are doing with the 30% mandate is they're seeding the space with enough PCs running Open Source that the market can't just blithely ignore the existence of anything non-MS.
At that point, people really have a choice. If OS turns their crank, then they know that the market will support most/all that they want/need to do. If MS-Windows really is better, there's still 70% of machines that can be left running Windows.
Right now, with MS both owning the market and also coming up with all sorts of incentives for companies to build sites that only support Windows, there are a lot of people who don't think that there's a real choice for them.
A real free market requires choice, and I think that this provides that.
Did your grandfather fall into a vat at the hot dog factory?
No, He went down with his ship... and (presumably) was eaten by some fishes
(who were eaten by some fishes
and swallowed by a whale
[[ for those of you who remember 'The Point']])
Although the employees of the new company will own anything that they create from here on in, they do NOT own the copyright in their old code (unless the employer left it with them initially). Under the GPL, this doesn't create that much of an issue, other than the fact that if someone tries to steal the code, it would be the responsibility of the bankrupt company to sue for the copyright violation on any old code that they own the copyright to.
It's not that hard to take down a spammer who causes you problems beyond just sending you unwanted email... I had one friend who had a spammer run a couple hundred thousand emails thru his system (a bug had made it into an open relay). It took one stern call to the ISP hosting the advertised websites to get his hosting and DNS cut off at the knees.
This is more than just sending off a single email to a scantly watched abuse address... This means getting hold of a real person and explaining, realistically, what sort of legal liabilities they might be open to if they continue to support the spammer's actions. (Hacking laws, aiding and abetting, trademark infringement and vicarious liability) often fit in there.
If more people would do this, life would get a lot harder for spammers.
For those few of you who don't know, Murphy's law is: "Anything that can go wrong will".
Many years ago I ran across a listing of many corollaries to Murphy's law: Many of them apply to security admin (some directly), like:
If it can go wrong, it will. If it can't go wrong, it might.
Investment in security will continue until the cost of security exceeds the cost of the breach -- or until someone insists on getting some 'useful work' done.
Create a system that even a fool can use and only a fool will use it.
A foolproof system is no match for a sufficiently determined fool.
Unforeseeable errors are infinite. Foreseeable errors are, by definition, finite.
One of the first rules of security admin is 'presume that any given layer will fail'. This is why you have a DMZ (with or without application-layer firewalls). It's not that you expect your firewall to fail, it's just that you don't bet your company on it not failing.
Similarly: allowing VPN users unfettered access to the internal network is allowing any of the bugs they catch on the outside in. This is why VPNs should go into their own DMZ that allows access to only necessary ports/services into the local network.
Application level firewalls aren't bad but they ARE more complicated than simpler firewalls. As such they're more prone to complicated failures.
IDSs (Intrusion Detection Systems) are a nice last resort. They don't (usually) stop attacks but they do look for signs of anomalous activity and warn you -- allowing you to take corrective action faster. IPSs are essentially IDSs with the ability to block suspicious actions almost in real time -- unfortunately, the cost of a false positive with an IPS is far higher than with an IDS (i.e. denial of service).
One problem with IPSs is that they open you up to a denial of service attack: feigning a real attack, thus causing the IPS to lock down the 'attacked' service or machine.
Application level firewalls have some nice things about them -- they make it harder to do things like buffer overflows on your system, but that doesn't mean that they 100% prevent someone from breaking into your system. As a worst case, their complexity is their Achilles heel. If an attacker finds a way to hack the firewall itself, then you're just as 0wned as if they'd hacked your web server to start with.
Any salesman who tells you that an Application level firewall is so good that you no longer need a DMZ is just that -- a salesman who doesn't understand the principles of security and is spouting blather put together by their PR group to sound really good to a C[EFT]O who also doesn't understand the principles of security.
To understand the principle of things like DMZs, consider the history of WW2 resistance cells. Having the resistance be one big group would have made administration much easier, but it would have made them vulnerable to infiltration by one or two German agents, or the capture of one or two leaders who knew who everybody was.
Instead, the Resistance compartmentalized into small cells. Thus capture of even central leaders would only lead to the compromise of one or two cells, instead of an entire region.
Similarly, DMZs and other functional groupings of your network mean that 'capture' of one section means that you don't have to worry about having your ENTIRE company to clean up. It also means that you (hopefully) have a bastion of (hopefully) clean systems from which to start your cleanup campaign.
Depending on how big your network is, there are various ways of grouping things. For me, the minimal grouping would be:
Server DMZ (Internet facing servers). This both protects your inner network from 0wnership of your servers and protects your servers from 0wnership of your inner network.
VPN DMZ (how much do you trust all of your employees' home networks? If they catch a virus on the road, you don't want your entire company 0wned).
Just because it's not mentioned, doesn't mean it's not there. Like someone else said, it's more a question of defaults.
Any recent Linux distribution will have IPTables installed (earlier versions had ipchains).
Starting around RH7.3, RedHat started running lokkit by default on system setup. What lokkit does is, for any setting other than 'none', it locks out all/most incoming connections, but lets you specify that you want to allow specific ports inbound (like SMTP, FTP, SSH).
Like they said, it doesn't replace the work of an enterprise security admin, but it does make for a decent first attempt for most home/SOHO users. I used it as the starting point for my own rules.
This is one of those times when a good general-purpose IPTables firewall is a good idea. Actually one solution to your problem would be NAT (which is a VERY general word).
In this case you might be able to solve your problem with pairs of nat boxes.
Let's presume that the virus talks back on port 1022 and your office servers are at 1.2.3.4, and that's the port that you're using... In front of your remote boxes you'd put a firewall that (among other things) would translate outbound connections to 1.2.3.4:1022 into connections to port 1020.
On your local end, set up your firewalls to translate incoming connections to 1.2.3.4:1020 into connections to 1.2.3.4:1022. At that point, your boxes think that they've got a clean link to each other and you don't have to reprogram the entire application... You also have a good excuse for putting firewalls on the remote system (if they didn't have one before).
If your system has to use port 80 to get through a PHB run ISP, then so be it. If you absolutely have to, you can always run an effective VPN on port 80 and forward as many ports as you want to through that.
I actually ran into something like that where a client of mine had his machines behind a firewall that only let out a couple of ports including 80 and 20 (ftp) and let little more than that back in. Luckily he had a box running Linux, so the solution was for me to run an SSH server on port 20 and have him go:
ssh -R 12345:localhost:22 -p 20 my.ip.address.com
Once he logged in to my box, I could go:
ssh -p12345 localhost
Voila! I was then able to get into his machines and do the needed diagnostics.
Sometimes an ISP will get a PHB idea to be 'really useful' but will get it wrong. A couple of weeks ago, mine got the bright idea to put a (simple) IPS system onto the DSL network. If they saw your box 'probe' too many machines, they'd automagically cut you off of the net. Unfortunately they didn't bother to check what port was being probed, and their IPS matched the way that a number of FPS-type games query game servers.
It took about a day of not being able to reach their help line before they pulled that 'service'.
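The ISP's rule above is a textbook case of the IPS false-positive cost discussed earlier in the thread. The following is an added example, not code from the ISP or from the original comment: it replays a few constructed flow records through a naive 'this box probed too many machines' rule and then through a version that exempts the port a game's server browser legitimately fans out to, so only the SSH sweep is flagged. The threshold, addresses and port numbers are assumptions made for the demonstration.

```python
"""Destination-count scan detector, naive and port-aware.

Added example; not code from the ISP or the original comment. The flow
records, threshold and port list are constructed for the demonstration.
"""
from collections import defaultdict

# Constructed flow records, one per line: source, destination, destination port.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 27015
10.0.0.5 203.0.113.11 27015
10.0.0.5 203.0.113.12 27015
10.0.0.5 203.0.113.13 27015
10.0.0.5 203.0.113.14 27015
10.0.0.5 203.0.113.15 27015
10.0.0.9 192.0.2.20 22
10.0.0.9 192.0.2.21 22
10.0.0.9 192.0.2.22 22
10.0.0.9 192.0.2.23 22
10.0.0.9 192.0.2.24 22
10.0.0.9 192.0.2.25 22
10.0.0.7 198.51.100.8 443
10.0.0.7 198.51.100.9 443
"""

# Assumption: ports a game's server browser legitimately contacts many hosts
# on (27015 is the default query port of Source-engine game servers).
GAME_QUERY_PORTS = frozenset({27015})


def parse_flows(text):
    """Turn the text log into (src, dst, port) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def distinct_targets(flows, exempt_ports=frozenset()):
    """Map each source to the set of hosts it contacted on non-exempt ports."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in exempt_ports:
            continue
        targets[src].add(dst)
    return targets


def detect_scanners(flows, threshold=5, exempt_ports=frozenset()):
    """Sources that touched at least `threshold` distinct hosts."""
    targets = distinct_targets(flows, exempt_ports)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)


def false_positives(flows, threshold, exempt_ports):
    """Sources the naive rule flags but the port-aware rule does not."""
    naive = set(detect_scanners(flows, threshold))
    aware = set(detect_scanners(flows, threshold, exempt_ports))
    return sorted(naive - aware)


def plan_response(flagged, mode):
    """An IDS raises an alert for a human to check; an IPS blocks on its own,
    so under IPS a false positive is a self-inflicted denial of service."""
    action = {"ids": "alert", "ips": "block"}[mode]
    return [(src, action) for src in flagged]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("naive rule flags:", detect_scanners(flows))
    print("port-aware rule flags:", detect_scanners(flows, exempt_ports=GAME_QUERY_PORTS))
    print("cut off for playing a game:", false_positives(flows, 5, GAME_QUERY_PORTS))
    print("what an IPS would do with the naive result:",
          plan_response(detect_scanners(flows), "ips"))
```

With the naive rule both the game client (10.0.0.5) and the SSH sweep (10.0.0.9) cross the threshold; the exemption leaves only the sweep. The `plan_response` split is the point of the thread's IDS-versus-IPS remark: the same detection logic costs an analyst a few minutes under IDS and costs a customer their connection under IPS, which is why the port check belongs in the rule before it is allowed to block.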
(and it's all in one sentence, too)
Claims cannot be transferred at all and a transferee of vouchers may not redeem more than $10,000 in transferred vouchers.
Yes, but it was a meteor until after the crash -- so it would have been a meteor that crashed, and a meteorite that gets found afterwards. In the same way, it would be a spaceship that crashes and mangled bits of metal that get found.
:-)
IBM is definitely seeking (an) injunction(s) against SCO. Reading the new counterclaim, I don't see any signs that they're seeking a preliminary injunction. I don't know that this necessarily precludes their filing for a preliminary injunction. The motion for a preliminary injunction would be a separate act.
One of those things is SCO's continued distribution of GPLed code on their site, even after every tech/geek site has raved about how this is in violation.
SCO's actions against/about Linux have left them in something of a legal bind: When they sold Linux to their previous customer base, they sold service contracts to them. These service contracts bound SCO to release updates for Caldera Linux for a period of time. Given the claims that they made about Linux, the only really appropriate thing for them to do would have been to refund the purchase/support price of the software that they sold, and stop distributing Linux, but that solution would have left them in a financial bind, and would have caused their stock to nose-dive (not what they wanted).
Their second conundrum was the GPL itself. The GPL may have required them to make a promise to keep the source code available for 2 years. This requirement would have only come into being, however, if they distributed copies of Caldera Linux in binary-only format. If they distributed the source with the binaries, then that requirement wouldn't stand.
Nonetheless, SCO has also continued to distribute binary copies of their update RPMS. This would actually be necessary to keep up the facade of owning Linux but it's clearly in violation of the GPL given that they're now attempting to limit distribution of Linux with their legal shenanigans.
So the quick answer is that they're continuing to distribute Linux because it's in their short-term financial interest. Given that they probably know that they're going to get their butt kicked in court, I don't think that they're seriously worrying about the long term implications.
Not a big issue, but worth noting.
You're confusing quantity with quality.
Sigh... Please enclose links in appropriate HTML glue (not that it matters, given that the techtv site may be already slashdotted).
If he plugs the upper middle hole, it should look more like the 'spider' has two eye groups. Like this (GIMP edited image).
I think that th problm is that his '' ky isn't working proprly (th ky btwn 'w' and 'r').
Not that we'll ever hear about it....
Sometimes being bold is fashionable. Other times, only the brave dare to be bold. -- Donald Kingsbury, Courtship Rite
I think that we are fast approaching the latter time.
It's enough to make your disk head spin.
Just like bits of my great-grandfather live on in G.W. Bush. (gee, doesn't that make me feel better??? No!)
Although I agree that BSD lives on, it's not because of the organ transplants into Microsoft's code base.
In the meantime I've set up a (temporary!) bittorrent for the duality divx video.. Get it while it's up.
People who already have the divx copy can (please) use it to seed the bittorrent feed (and keep my ISP from toasting me alive).
Groklaw has two different articles on the IBM countersuit. The first one has a pointer to the counterclaim PDF (apparently on the SCO site). The second describes what they've done differently.
What can I say, it's been a couple of decades since I read the book (but it did have a big impact on me).