You must really not be in the trenches much. You are way off base. I would say more than 90% of the stuff that I see is from IE problems.
1. Documents with embedded Macro viruses.
Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.
2. False email attachments
There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.
3. RPC Vulnerabilities
Not really since windows 2000.
4. Buffer overflows on network services (e.g. IIS)
How many XP machines do you see with IIS?
Honestly, though there may be a higher percentage of vulnerabilities in other products, the VAST majority of actual infections happen b/c of IE. No IE, no spyware.
The number 2 cause of infections on end user machines I would say is the "Click here to download and install the RAD SCREENSAVER OF THE MONTH" bug, or the "Click here to get (spyware supported) WEATHER REPORTS, FREE FREE FREE ON YOUR TASKBAR" bug.
From personal expierence with NIS+ and LDAP, as well as implementing windows 2003 servers:
If you are running any kind of internet service at all, be it FTP, web, mail, dns, proxy, bgp, whatever, then for the love of god, use linux. It's more secure and makes more sense, not to mention being easier to administer.
HOWEVER, if you're in a situation where you are centrally controlling a large number (10+) of windows desktops with as many or more users, then Microsoft's Active Directory is by far the best thing out there. It's the only thing I will reccomend a Microsoft server product for, and I will never reccomend a linux-based solution for centrailzed computer and user management, as long as the desktops are running windows.
In my opinion, it's one of the only things that Microsoft has really gotten right. And the only reasons to use LDAP in a windows client environment are because 1.) you're a zealot who, rather than using the best tool, would rather use linux, 2.) you're on a restrictive budget (trust me, you're going to spend more than $[windows server 2003] worth of labor setting up an ldap solution), or 3.) you're just a plain 'ol glutton for punishment.
~Will
Re:This is not exactly a good thing
on
Sci-Fi on the Cheap
·
· Score: 4, Insightful
See, here's the thing though... I like star trek: TNG. Why? Because, it suggests that sometime in the future, mankind will unite, currency will be replaced by an understanding of needs and a willingness to participate in society, all the earth will stand as one. A place where we explore, not invade, a place where we bring peace, not capitalism to other cultures.
Maybe TNG isn't as Sci-Fi as the elitests would like, but it's comforting in a time of uncertainty.
If everyone works the equivalent of 1.5 people then[...]
In the Sysadmin world, we call this.5 of a person "shell scripts".
It's a dichotomy - you get really good at shell scripts so that you can make your life easier, take care of some of the tedious stuff automatically, and then they expect you to fill your free time with more work! Whatever happened to "if I'm smart enough to make the system work for me, I deserve to do less work"?
I'm 6 or so years behind highschool now, too, and I agree with your post. While in highschool, I ended up conforming, fitting in, and playing along with the in crowd so that I'd be socially accepted, even though before I had moved to this area, I had been the geek kid. I didn't want to be the geek kid by the time 10th grade and the big move happened.
I look back and wonder, though... I was pulling a 4.5 in a catholic kick-your-ass-5-hours-of-homework school in 9th grade, and by the time I graduated from public school, I only had a 3.6 - which sounds good, but trust me, I never lifted a finger... I wonder what would have happened if I hadn't broken out of my shell. If I had sat in my room, programming and playing DnD, rather than hanging out with friends and going on the occasional date. I bet I'm a better adjusted person, but I also bet I gave up something along the way.
You're right, of course. By "provide", i was just trying to get across the whole "anyone who you voluntarially give access to the software also has to have access to the source" angle.
You don't have to open everything. Just the stuff that is a derrivative of the GPLed program.
And even that's not entirely accurate. If you take GPL'd code, modify it, and use it in house, you don't have to release it. The ONLY time that you'd have to release code is when you're distributing a derivative work. For example, if you modify code, and then turn around and sell it, when you sell it, you also have to provide a copy of the source to the people who buy it. If you release it for download, you have to release your changes. That's it.
Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?
When I read the line in the submission: Do you run a mail server using Postfix? If so, then you should..., I internally finished it with "...blow your head off?".
When I worked at a webhosting company, I dealt with email extensively (and I still run my own qmail-vpop-courrier-squirrelmail-qmailadmin server). When email would break, and people would call in asking why it took so much effort/time/whatever to fix, we'd have to explain to them:
1.) Email is the killer application of the internet. Not everyone uses mysql. EVERYONE uses email. Without email, the internet is useless to a large group of netziens. 2.) Email is the *MOST COMPLICATED* thing that happens on the internet. More shit happens to an email to get it from person A's outlook to person B's outlook than anything else I can think of. It's dependant on DNS, Firewalls, rbl's, sender white/blacklisting, spam scoring, format checking, forwarding, local user checking, virtual user table matching, queueing, delivery via web/pop3/imap, sending via web/smtp through firewalls with sender verification/temporary IP whitelisting, mailbox sorting, listservs, distribution lists, digesting, etc.
And that's every server it passes through!
Email was origionally very simple. telnet 25 helo foo.bar.com mail from rcpt to data . go. Since then, there have been 189218953 extentions and addons to the protocols and standards, and the same number of un-regulated features and whizbangs added, all while trying to keep the end user experience of the "send-recieve all" button the same. Add to that, the worlds most popular, and worst, mail server (sendmail) has come up with a config file and a set of rules/instructions/etc that have spawned a cottege industry of book publishers trying to explain them (I own an *800 page* book on sendmail). There is no worse sentax in the world than a sendmail.cf, perl included.
So: to answer your question, it's complicated because it's complicated. However, once you get all your stuff installed correctly, managing through something like qmailmgr is pretty easy.
Not to mention.. They've announced that there will be XYZ feature in longhorn, and then announced that they're not going to be able to get it done in time. Most notably, the database driven filesystem - that would have been a nice, next-gen feature (in 2004). Now, not only are they falling into the current times, and destined to fall behind the times, if they announce that they'll add it into longhorn later, people will think it's buggy and incomplete.
True, and to be honest, the hardware QoS in the linksys is good, but not great. For example, with torrents running, I can ssh into my webserver and it feels like i'm sitting at the terminal. However, you can see from the picture - I gave port 80 traffic high priority, but... websurfing is still sluggish with torrents at full tilt.
All in all, though, I have to say that I'm amazed at the versatility of the WRT54G for the price. Since cisco bought linksys, their low end products are really adding features you wouldn't expect to find in non-enterprise class routers. The new firmware also has, for example, a feature that can put every wireless connection in it's own subnet (which i'm sure is just giving out dhcp info of subnetmask 255.255.255.255). It's a simple task, but it's something you don't see in cheapies, or didn't see. I use the feature in business situations where people might be inclined to bring viruses into the network from home.
I just spent like an hour working the numbers out.
On pricewatch, I found a vendor selling 160GB Maxtor HDDs new for $69.
6 drives seems to lend its self to optimal price vs. size vs. redundancy.
6 x $69 = $414
Now, I am going to go for a RAID-5 array, with one hot spare. So, 4 disks of data, one for parity, and one for a hot spare:
4 x 160GB = 640GB
Take whatever you've got laying around the house (I know I have a 600 Mhz celeron doing nothing, which probably can serve as a file server... may want something faster, I think I have a P-III 800Mhz hanging around.) I also have a Promise Ultra-TX2 somewhere 'round here. It's very common - I think it came free with a 40GB hard drive sometime ago. Ask a friend if you don't have one. You'll also need an OS drive, but I'm sure I have a 20 GB drive here somewhere...
You may need to buy a new case. Antec has a real nice full tower case that comes with 6 3.5" bays and a 500 watt power supply for about $115.
Install linux on the OS drive, then make sure you have md in the kernel. fdisk all the 160's and set them to partition type "fd (linux raid auto-detect)" Configure your/etc/raidtab:
modeprobe md, make sure it's loaded, then: cd/dev; MAKEDEV md mkraid/dev/md0 make sure it's done syncing (use cat/proc/mdstat - or make a script: while true; do clear; cat/proc/mdstat; done) then mke2fs -j/dev/md0 (or if you want to share to windows boxen, format accordingly).
So, $115 + $415 = $530 (plus spare parts and time) for a 640GB raid array with redundancy and a hot spare. You can get a cool 800GB if you don't need the hot spare (but it's pretty nerd-cool).
If you up the ante to 10 drives, you can have a 1TB array (1120GB) with one parity and two hot-spares, for a cost of under $700, extra ATA card notwithstanding.
The owner blamed it on pirated music, but I think he was just looking to blame those damn kids - I think it's more likely that when he opened his store, the only cd stores around were sam goody and musicland, or whatever was in the mall, and those places were selling CDs at $21.99/ea. Now, there's a best buy, a circuit city, and three super walmarts that have popped up in the area, not to mention online stores that cater to his demographic.
As an onsite support tech, I can tell you that in a lot of ways, I'd much rather be going to people's businesses (and maybe homes) than talking to them in the store or on the phone.
When on the phone, there's a certain level of anonymity that customers feel they have, and you're much more likely to get screamed at on the phone than while onsite. When you're onsite, most customers are aware that 1.) they need you more than you need them, as they've called you out to their business, and 2.) you're getting paid hourly, so screaming wastes their time and money. Also, 3.) it's kind of unspoken that the people you talk to on the phone aren't as good as the people in the field, or they'd be in the field.
So your assessment about being nicer in person is completely, 100% correct, in my experience. The worst part about going out on site is dealing with customers who don't have a store account. I hate dealing with money, and I'm bad at it. I fix computers, that's it. My wife pays the bills, and our understanding is that if I need it to sustain life, I purchase it, and if not, I ask first. Asking customers for $85 or $135 for an hour of work almost wierds me out. And having to sit down at the computer you just fixed, break out calc, and add up ((parts*1.05)+labor), and show them the total still feels odd. Especially since I see about $15/hr of that.
Every once-in-a-while, though, you do get an interesting customer. Last week, I had a customer who invited me into his townhouse, made a comment about getting his "fat ass out of this chair" (his words), and then stood up, grabbed his crotch, and exclaimed, "Holy Shit, the bag's full!". Just as I was beginning to work that one over in my mind, and coming to the conclusion that he had, indeed, grown a third testis since he sat down, he explained that he had had a good bit of his colon removed, and excused himself to the bathroom to empty his colostomy bag. I began cleaning his spyware in earnest at this point.
You don't gt experiences like that from working in store.
I can't host that forever, I do have a limit on my bandwidth, but I'll leave it there for a week or two. It's going to take about 35 more minutes to finish uploading, but it should be done by 10:30 EST June 20.
I hope you check replies to your posts. Your journal is archived, which is teh ghey, cause I have all the GIS episodes, including the supplimental ones. I'm currently 7-zipping them, and I'll upload them to my website soon, please check back.
If you need to get in touch with me re: this, you can email spam(a)dunnclan*net
George Takei: "You see, the show was banned after the 'Star Trek Wars'."
Zapf: "You mean the vast migration of Star Wars fans?"
Nichelle Nichols: "No, that was the 'Star Wars Trek'. By the 23rd century, Star Trek fandom had evolved from a loose association of nerds with skin problems into a full blown religion."
Slashdot Mirror
You must really not be in the trenches much. You are way off base. I would say more than 90% of the stuff that I see is from IE problems.
1. Documents with embedded Macro viruses.
Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.
2. False email attachments
There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.
3. RPC Vulnerabilities
Not really since windows 2000.
4. Buffer overflows on network services (e.g. IIS)
How many XP machines do you see with IIS?
Honestly, though there may be a higher percentage of vulnerabilities in other products, the VAST majority of actual infections happen b/c of IE. No IE, no spyware.
The number 2 cause of infections on end user machines I would say is the "Click here to download and install the RAD SCREENSAVER OF THE MONTH" bug, or the "Click here to get (spyware supported) WEATHER REPORTS, FREE FREE FREE ON YOUR TASKBAR" bug.
From personal expierence with NIS+ and LDAP, as well as implementing windows 2003 servers:
If you are running any kind of internet service at all, be it FTP, web, mail, dns, proxy, bgp, whatever, then for the love of god, use linux. It's more secure and makes more sense, not to mention being easier to administer.
HOWEVER, if you're in a situation where you are centrally controlling a large number (10+) of windows desktops with as many or more users, then Microsoft's Active Directory is by far the best thing out there. It's the only thing I will reccomend a Microsoft server product for, and I will never reccomend a linux-based solution for centrailzed computer and user management, as long as the desktops are running windows.
In my opinion, it's one of the only things that Microsoft has really gotten right. And the only reasons to use LDAP in a windows client environment are because 1.) you're a zealot who, rather than using the best tool, would rather use linux, 2.) you're on a restrictive budget (trust me, you're going to spend more than $[windows server 2003] worth of labor setting up an ldap solution), or 3.) you're just a plain 'ol glutton for punishment.
~Will
See, here's the thing though... I like star trek: TNG. Why? Because, it suggests that sometime in the future, mankind will unite, currency will be replaced by an understanding of needs and a willingness to participate in society, all the earth will stand as one. A place where we explore, not invade, a place where we bring peace, not capitalism to other cultures.
Maybe TNG isn't as Sci-Fi as the elitests would like, but it's comforting in a time of uncertainty.
Personally, I'd rather drive.
You wouldn't if you lived in a city with 1,000,000 cars and 900,000 parking spaces.
Especially when a wreck on the interstate backs up traffic 25 miles and turns your 1.5 hour commute into a 4 hour commute.
If everyone works the equivalent of 1.5 people then[...]
In the Sysadmin world, we call this
It's a dichotomy - you get really good at shell scripts so that you can make your life easier, take care of some of the tedious stuff automatically, and then they expect you to fill your free time with more work! Whatever happened to "if I'm smart enough to make the system work for me, I deserve to do less work"?
~Will
I'm 6 or so years behind highschool now, too, and I agree with your post. While in highschool, I ended up conforming, fitting in, and playing along with the in crowd so that I'd be socially accepted, even though before I had moved to this area, I had been the geek kid. I didn't want to be the geek kid by the time 10th grade and the big move happened.
I look back and wonder, though... I was pulling a 4.5 in a catholic kick-your-ass-5-hours-of-homework school in 9th grade, and by the time I graduated from public school, I only had a 3.6 - which sounds good, but trust me, I never lifted a finger... I wonder what would have happened if I hadn't broken out of my shell. If I had sat in my room, programming and playing DnD, rather than hanging out with friends and going on the occasional date. I bet I'm a better adjusted person, but I also bet I gave up something along the way.
You're right, of course. By "provide", i was just trying to get across the whole "anyone who you voluntarially give access to the software also has to have access to the source" angle.
Not that there's anything wrong with that.
Your comment can be summed up like this:
"It is dangerous to underestimate the resources of corporations"
You don't have to open everything. Just the stuff that is a derrivative of the GPLed program.
And even that's not entirely accurate. If you take GPL'd code, modify it, and use it in house, you don't have to release it. The ONLY time that you'd have to release code is when you're distributing a derivative work. For example, if you modify code, and then turn around and sell it, when you sell it, you also have to provide a copy of the source to the people who buy it. If you release it for download, you have to release your changes. That's it.
~Wx
Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?
~Will
Oh, yeah!?!? Well... Well... Your Mother!
Let me put it this way:
When I read the line in the submission: Do you run a mail server using Postfix? If so, then you should..., I internally finished it with "...blow your head off?".
~Will
When I worked at a webhosting company, I dealt with email extensively (and I still run my own qmail-vpop-courrier-squirrelmail-qmailadmin server). When email would break, and people would call in asking why it took so much effort/time/whatever to fix, we'd have to explain to them:
1.) Email is the killer application of the internet. Not everyone uses mysql. EVERYONE uses email. Without email, the internet is useless to a large group of netziens.
2.) Email is the *MOST COMPLICATED* thing that happens on the internet. More shit happens to an email to get it from person A's outlook to person B's outlook than anything else I can think of. It's dependant on DNS, Firewalls, rbl's, sender white/blacklisting, spam scoring, format checking, forwarding, local user checking, virtual user table matching, queueing, delivery via web/pop3/imap, sending via web/smtp through firewalls with sender verification/temporary IP whitelisting, mailbox sorting, listservs, distribution lists, digesting, etc.
And that's every server it passes through!
Email was origionally very simple. telnet 25 helo foo.bar.com mail from rcpt to data . go. Since then, there have been 189218953 extentions and addons to the protocols and standards, and the same number of un-regulated features and whizbangs added, all while trying to keep the end user experience of the "send-recieve all" button the same. Add to that, the worlds most popular, and worst, mail server (sendmail) has come up with a config file and a set of rules/instructions/etc that have spawned a cottege industry of book publishers trying to explain them (I own an *800 page* book on sendmail). There is no worse sentax in the world than a sendmail.cf, perl included.
So: to answer your question, it's complicated because it's complicated. However, once you get all your stuff installed correctly, managing through something like qmailmgr is pretty easy.
~Will
Not to mention.. They've announced that there will be XYZ feature in longhorn, and then announced that they're not going to be able to get it done in time. Most notably, the database driven filesystem - that would have been a nice, next-gen feature (in 2004). Now, not only are they falling into the current times, and destined to fall behind the times, if they announce that they'll add it into longhorn later, people will think it's buggy and incomplete.
True, and to be honest, the hardware QoS in the linksys is good, but not great. For example, with torrents running, I can ssh into my webserver and it feels like i'm sitting at the terminal. However, you can see from the picture - I gave port 80 traffic high priority, but... websurfing is still sluggish with torrents at full tilt.
All in all, though, I have to say that I'm amazed at the versatility of the WRT54G for the price. Since cisco bought linksys, their low end products are really adding features you wouldn't expect to find in non-enterprise class routers. The new firmware also has, for example, a feature that can put every wireless connection in it's own subnet (which i'm sure is just giving out dhcp info of subnetmask 255.255.255.255). It's a simple task, but it's something you don't see in cheapies, or didn't see. I use the feature in business situations where people might be inclined to bring viruses into the network from home.
~Will
Heh.
Get a Linksys WRT54G for $89, and update the firmware to 3.03.
http://elvis.netmar.com/~will/qos.JPG
I just spent like an hour working the numbers out.
On pricewatch, I found a vendor selling 160GB Maxtor HDDs new for $69.
6 drives seems to lend its self to optimal price vs. size vs. redundancy.
6 x $69 = $414
Now, I am going to go for a RAID-5 array, with one hot spare. So, 4 disks of data, one for parity, and one for a hot spare:
4 x 160GB = 640GB
Take whatever you've got laying around the house (I know I have a 600 Mhz celeron doing nothing, which probably can serve as a file server... may want something faster, I think I have a P-III 800Mhz hanging around.) I also have a Promise Ultra-TX2 somewhere 'round here. It's very common - I think it came free with a 40GB hard drive sometime ago. Ask a friend if you don't have one.
You'll also need an OS drive, but I'm sure I have a 20 GB drive here somewhere...
You may need to buy a new case. Antec has a real nice full tower case that comes with 6 3.5" bays and a 500 watt power supply for about $115.
Install linux on the OS drive, then make sure you have md in the kernel. fdisk all the 160's and set them to partition type "fd (linux raid auto-detect)" Configure your
cd
mkraid
make sure it's done syncing (use cat
So, $115 + $415 = $530 (plus spare parts and time) for a 640GB raid array with redundancy and a hot spare. You can get a cool 800GB if you don't need the hot spare (but it's pretty nerd-cool).
If you up the ante to 10 drives, you can have a 1TB array (1120GB) with one parity and two hot-spares, for a cost of under $700, extra ATA card notwithstanding.
~Will
I think your priorities are out of whack.
GPS gives accuracy in the 200 to 400m region due to multipath effects.
Don't you mean "multi-level effect along the path"?
I would, but mine shut down recently.
The owner blamed it on pirated music, but I think he was just looking to blame those damn kids - I think it's more likely that when he opened his store, the only cd stores around were sam goody and musicland, or whatever was in the mall, and those places were selling CDs at $21.99/ea. Now, there's a best buy, a circuit city, and three super walmarts that have popped up in the area, not to mention online stores that cater to his demographic.
You can see my friend's blog on the subject.
As an onsite support tech, I can tell you that in a lot of ways, I'd much rather be going to people's businesses (and maybe homes) than talking to them in the store or on the phone.
When on the phone, there's a certain level of anonymity that customers feel they have, and you're much more likely to get screamed at on the phone than while onsite. When you're onsite, most customers are aware that 1.) they need you more than you need them, as they've called you out to their business, and 2.) you're getting paid hourly, so screaming wastes their time and money. Also, 3.) it's kind of unspoken that the people you talk to on the phone aren't as good as the people in the field, or they'd be in the field.
So your assessment about being nicer in person is completely, 100% correct, in my experience. The worst part about going out on site is dealing with customers who don't have a store account. I hate dealing with money, and I'm bad at it. I fix computers, that's it. My wife pays the bills, and our understanding is that if I need it to sustain life, I purchase it, and if not, I ask first. Asking customers for $85 or $135 for an hour of work almost wierds me out. And having to sit down at the computer you just fixed, break out calc, and add up ((parts*1.05)+labor), and show them the total still feels odd. Especially since I see about $15/hr of that.
Every once-in-a-while, though, you do get an interesting customer. Last week, I had a customer who invited me into his townhouse, made a comment about getting his "fat ass out of this chair" (his words), and then stood up, grabbed his crotch, and exclaimed, "Holy Shit, the bag's full!". Just as I was beginning to work that one over in my mind, and coming to the conclusion that he had, indeed, grown a third testis since he sat down, he explained that he had had a good bit of his colon removed, and excused himself to the bathroom to empty his colostomy bag. I began cleaning his spyware in earnest at this point.
You don't gt experiences like that from working in store.
~Will
Ok, here you go:
http://elvis.netmar.com/~will/geeks.7z
I can't host that forever, I do have a limit on my bandwidth, but I'll leave it there for a week or two. It's going to take about 35 more minutes to finish uploading, but it should be done by 10:30 EST June 20.
~Will
I hope you check replies to your posts. Your journal is archived, which is teh ghey, cause I have all the GIS episodes, including the supplimental ones. I'm currently 7-zipping them, and I'll upload them to my website soon, please check back.
If you need to get in touch with me re: this, you can email spam(a)dunnclan*net
George Takei: "You see, the show was banned after the 'Star Trek Wars'."
Zapf: "You mean the vast migration of Star Wars fans?"
Nichelle Nichols: "No, that was the 'Star Wars Trek'. By the 23rd century, Star Trek fandom had evolved from a loose association of nerds with skin problems into a full blown religion."