Ditto here--I managed pretty nicely as a consultant for the last few years. I'm not rich, but I was living well. Then, this summer, all of a sudden the horizons just dried up.
Summers here tend to be pretty grim anyway for consultants, but this one took the cake. There was literally nothing around.
Then, all of a sudden, in September the phone began ringing. Job interviews, requests for help, new projects, everything hit within a few weeks.
We've always had more business around October and March, and we've usually chalked it up to IT budget cycles. But this year is different--I really sense an unwillingness to continue cutting costs and shouting doom & gloom. People seem to have a "dammit, screw this, I want to get something done again" attitude now.
The part I don't understand is where you think the people have the right to bare arms.
They can bare arms all they want, but I think most short-sleeved shirts look pretty dorky.
Meanwhile, our dear Canadian friends to the north are running around, exercising their right to arm bears, without control or punishment. Shame on you, Symantec.
The "fruitcakes with guns" way of dealing with corrupt regimes and oppressors worked (to varying degrees, to be sure, but the point still holds), for:
The Americans in the late 18th century
The French in 1830 and 1848
The Maquis in WWII
The Viet Cong
The Afghan Mujahideen
...and lest we forget, it's proving pretty darned effective in a certain unnamed Middle Eastern country as we speak.
I'll agree immediately with anyone who says "control guns". I.e. test people who want one (like with cars, unfortunately unlike with computers and dogs and children). Crush them to the fullest extent of the law if a child gets hold of it because they were inattentive, or if they blow a hole in neighbor Bob for dumping his compost over the common fence, or something like that.
But I will not permit anyone to tell me I cannot have a firearm in my house to protect myself against crooks--the common kind, or the government kind. And yes, I'm familiar with statistics stating that more fatalities occur during burglaries involving armed homeowners than not, but I'm willing to take that chance, and I think it's my business if I do. Unfortunately, it's such an emotional topic that you're not likely to get a non-frothing opinion out of many people.
Bingo. It's also the reason why I'm content to play so many sequels--I did a mental inventory of all the games I've bought, or want to buy, and they all include sequels of Tomb Raider, Homeworld, Command & Conquer, Deus Ex, Half-Life, etc.
It may seem a bit formulaic, and indubitably it would be, if I had time to spend countless hours playing a given game; as it stands, I don't play any game enough to get tired of it.
In my experience, sequels are often as good as the originals in terms of gameplay, and better as far as graphics go. So I'd rather spend the limited time I have on something I know is good.
Of course, as an IT contractor I can get longish periods of downtime between jobs; it didn't help that my )(*!)(*!# PC blew up a week before my current project started. Weather was terrible, friends were busy, girlfriend was away, and me finally with time on my hands and nothing to blow up:(
Oh yeah, I should probably mention that, while I was contracting at one particular client site (large international investment bank) a certain unnamed market data services provider, whose owner is now mayor of a certain unnamed large city, said MDS provider (who, as I found out after about a month of calls with core developers, had no f***ing clue what their application actually did, technically) decided to break our Socks5 proxies (running NEC socks5, which was technically not permissible for commercial usage, but that's another story) through all kinds of protocol tomfoolery.
What happens? The only contractor on the network security team (moi) ends up putting in 3 weeks of 15-20 hour days to fix this, because about 1500 traders in our country (several thousand worldwide) relied on said MDS application for fairly critical data.
Our two Sun Ultra-2 Socks5 boxes running Solaris 2.6 and ipfilter weren't doing much of anything anymore, since said MDS provider's very questionable implementation caused all sorts of fun things to happen (like crashing inetd.) In desperation, at about 3 a.m. one morning, I took my little Thinkpad X20 with FreeBSD 4.7-RELEASE on it, installed socks5 from ports, hooked a USB ethernet adapter to it, and proxied 1500 traders' connections (not all at the same time, thank god).
When the MDS guys came and kicked me awake that morning (somehow they must have heard the snores coming from under my desk) to ask me why things were suddenly working again, I had to tell them that yes, you're getting a large percentage of your market info over a little bitty laptop in the cellar, running FreeBSD. And could they please look into alternatives, as I kind of wanted my laptop back, thank you very much. That went over...interestingly. The thing kept this up for several days; it's remarkable how much more effectively you can fix problems without 5 members of senior management barging into your office, sweating bullets all over the floor every couple of minutes.
Our unix & security engineering guys' response? "Deploy laptops!"
Hey, I copyrighted that phrase. And since Congress just extended copyrights to 300 years plus life of the author and his great-great-great-grandchildren and their unborn spawn...
I patented the use of end-of-visible spectrum photonics to display information, so you can't use that black-and-white crap on me either.
That's true. FreeBSD is not for people who want to play games. These people need to use a PlayStation, GameCube, or Xbox.
Hey dude, try playing Halo or Tux Racer or whatever on a VT220 when stuck in a server room at 3 a.m. waiting for a system upgrade to finish, with nothing more than a bunch of blinking rackmounts to keep you company.
That's what Angband is for! What do you mean, it's not for people who don't want to play games. If it's a choice between Moria/Rogue and counting floor tiles during a long compile....I'll even take Mud Shell at that point.
I have had FreeBSD on all my laptops for ages now--both as a workstation, and as a console/sniffer/debugging machine. The only weakness in this regard was the lack of MS Office support (no, I don't find Star/OpenOffice or KOffice or friends acceptable alternatives as of yet.) It's stable, fast, easy to upgrade and maintain, secure, and flexible.
My personal firewalls have also been FreeBSD since I started finding OpenBSD too archaic for quick changes (my last one started deciding that what I told it to do wasn't secure enough. Looking for solutions in newsgroups/mailing lists inevitably came up with "read through the source and quit bugging us you fucking idiot".) I don't want to use an OS maintained primarily by a psychopath.
My home fileserver, an AMD K6-2-400, has also been FreeBSD for about 3 years now--running 24x7 without a glitch.
I've installed it at several client sites as firewalls, web servers, monitoring boxes, groupware and mail servers, and use it with no hitches _whatsoever_ for our company (DNS, mail, PHProjekt, www.)
Prime factors in terms of quality of an OS are
Ease of installation and upgrade
Support (I've always found the BSD mailing lists to be pretty friendly, and people to be fairly clueful)
Good package management
Security
Well-thought out and common sense layout of the OS itself (file systems, config files, etc.)
Yes, I have a good amount of unix experience, but I often just need something to work without too much knob-dicking around, period. This is the reason I have an XP box lying around at home (games, documents I get from clients, Windows software I sometimes use professionally, etc.). No, I don't think *BSD is ready for the desktop.
However, having worked with Unix variants, including various Linux incarnations, for more than 10 years now (holy shit! I'm old!) I can really recommend this as a reliable, and representative example of a good OS.
This is assuming, of course, that you're not just trolling.
I honestly had just scanned over your paper, but I will read it in detail asap.
You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.
I don't doubt you at all. In fact, I am happy for yet another legitimate-looking piece of work which says this. In fact, this statement is one of the cornerstones of all the security incident response mechanisms and structures we've been putting together in my current project. You're preaching to the choir, so to say--it's what we've been yelling for weeks and months. In fact, it was our conclusion that if someone had translated the recent MS Messenger bug (MS03-043) into a successful remote code execution exploit, using sample code released with the DoS exploit for that vulnerability, along with a semi-reasonable hitlist generator, a ca. 60,000 station corporate LAN would be down in 10-15 seconds. Flat.
Until worms earn polymorph capabilities, of course. Unless you are ready to risk a fairly large false positives quota. Remember, most of the recent worms spread as web-traffic.
Not entirely--Nimda and Code Red were both multi-vector worms; SQLSlammer was just that (MSSQL port 1434), and Blaster spread via RPC. What I'm waiting for is not really a polymorphic worm which mutates autonomously (you'd need a fairly horrendous AI capability for that) but rather one which exhibits the covert channel new exploit uploads and cell-based hitlist exchange and breakdown that Nick and others postulate.
We've divided worms into two general categories (this is from the corporate point of view.) These are: worms that primarily affect unpatched private machines, and worms which may not be so damaging on the internet per se, but which will wreak havoc on company infrastructures (your less-than-60-second example) once they penetrate the 'eggshell' or 'maginot line' approach most large corps take to perimeter security.
I would love to get into more of a discussion about this offline--it fits exactly into what we're working on. Assuming you get hit by something against which there's really no defence in existence yet, the really interesting topic is how to recover very quickly, without serious business impact. And there are definitely ways of doing that.
Good luck. Name me one product you'd trust to automatically adjust your perimeter security.
I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.
First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to trust it not to fuck up legitimate business operations.
Second, there are good tools out there (e.g. Snort & co.), but they're very often misconfigured--IDS are often "alibi" exercises, to allow a company to check a tick-box on an audit report ("yeah, we have an IDS. NEXT?")
Third, the moment you find someone using such a tool, assuming it existed, consider the possibilities to DoS a large corporation or network by just making it think it's under attack. You wouldn't even actually need to hit it particularly hard. You'd just make their super-duper IDS Black ICE Skynet AI shit its pants and think it's getting hammered, and decide to close down. Bang, objective achieved without even having to write a working exploit.
You might want to have a look at Nick Weaver's Homepage--How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.
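The self-DoS risk in that third point, as an added example that is not code from the thread or from any product it names: a naive "block whatever the IDS flags" rule beside a guarded one that never auto-blocks protected ranges (here the 192.0.2.0/24 documentation range stands in for a business partner), requires corroborating signatures, caps the number of automatic blocks and lets them expire. Alert records, signature names and addresses are constructed.

```python
"""Reactive blocking driven by IDS alerts: the naive rule beside a guarded one.

Added illustration for this thread, not code from any poster or product.
Alerts and address ranges are constructed; 192.0.2.0/24 (a documentation
range) stands in for a partner whose traffic the company cannot afford to
lose, and the block tables are in-memory stand-ins for firewall rules.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since start of the sample
    src: str   # source address as claimed by the IDS alert
    sig: str   # signature name (constructed)


# Constructed: ranges that must never be auto-blocked (own nets, partners, DNS).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def naive_policy(alerts):
    """The 'firewall reconfigures itself on every alert' rule: block every
    source an alert names. Anything that makes the IDS fire gets an address
    blocked, so a flood of alerts naming a partner takes the partner offline."""
    return {a.src for a in alerts}


@dataclass
class GuardedPolicy:
    """Auto-block only with corroboration, never for protected ranges, with a
    cap and an expiry; everything else is handed to a human."""
    window: int = 60       # corroboration window in seconds
    min_sigs: int = 3      # distinct signatures required before acting
    max_blocks: int = 100  # brake on self-inflicted outages
    ttl: int = 600         # seconds an automatic block lives
    seen: dict = field(default_factory=lambda: defaultdict(list))
    blocked: dict = field(default_factory=dict)   # src -> expiry timestamp
    deferred: list = field(default_factory=list)  # alerts escalated to an operator

    def is_protected(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in PROTECTED)

    def handle(self, a):
        # Drop expired automatic blocks first.
        self.blocked = {s: t for s, t in self.blocked.items() if t > a.ts}
        if self.is_protected(a.src):
            self.deferred.append(a)  # alert is kept, but a person decides
            return
        recent = [x for x in self.seen[a.src] if a.ts - x.ts <= self.window]
        recent.append(a)
        self.seen[a.src] = recent
        if len({x.sig for x in recent}) < self.min_sigs or a.src in self.blocked:
            return
        if len(self.blocked) >= self.max_blocks:
            self.deferred.append(a)  # cap reached: escalate rather than block
            return
        self.blocked[a.src] = a.ts + self.ttl


# Constructed alert stream: a burst naming the partner, a genuine scanner,
# and a single stray probe.
SAMPLE_ALERTS = [
    Alert(0, "192.0.2.10", "SCAN nmap"),
    Alert(1, "192.0.2.10", "EXPLOIT RPC DCOM"),
    Alert(2, "192.0.2.10", "WORM Blaster"),
    Alert(5, "203.0.113.5", "SCAN nmap"),
    Alert(6, "203.0.113.5", "EXPLOIT RPC DCOM"),
    Alert(7, "203.0.113.5", "WORM Blaster"),
    Alert(9, "198.51.100.7", "SCAN nmap"),
]


def run_naive(alerts=SAMPLE_ALERTS):
    """Addresses the naive rule would block for the sample stream."""
    return naive_policy(alerts)


def run_guarded(alerts=SAMPLE_ALERTS):
    """Feed the sample stream through the guarded policy and return its state."""
    policy = GuardedPolicy()
    for a in alerts:
        policy.handle(a)
    return policy


if __name__ == "__main__":
    print("naive blocks:  ", sorted(run_naive()))
    g = run_guarded()
    print("guarded blocks:", sorted(g.blocked))
    print("escalated:     ", [(a.src, a.sig) for a in g.deferred])
```

The naive rule blocks the partner on the strength of three alerts that name it; the guarded one blocks only the corroborated scanner, escalates the partner alerts, and lets the block lapse after its TTL.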
Frankly, you're correct in your assumption. However, the author makes a good start in terms of preventing that initial spread. I agree that if you focus too much on 'reaction', dependent on identification of a worm, you're screwed to start out with. But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.
I'll gladly dig out some of our info on this if you're interested, as we're pretty closely involved with exactly this topic right now, but alas, short of time due to having to prepare a presentation on, you guessed it, worm spread in corporate networks:)
It's a not unreasonable guess that it's because they've gone through enough sexuality-related emotional stress that they know what it's like, and aren't going to push it on someone else.
Nah, they're just gentlemen. We're pretty cool about each others' preferences. I don't catcall women either.
But as you said, there's generally not much point pushing your sexual preference on people. Who cares? I just don't find it to be an issue. And you're correct, it's just pretty irrelevant in games.
Well, judging by the frequency of "d00000D!!11 i fukd u! Bend over u h0z3r!!1111" type messages I see when playing online, I wouldn't be so quick to rush to conclusions 8-)
b) I have several homosexual friends--they're stylish, smart people who're usually to be found at the latest bar opening or party or whatever. They have a life, unlike me. And yes, to a man they're significantly less boorish about ogling members of your preferred sex than most of my straight acquaintances:)
So, assumption by anecdote, true, but it holds regardless.
1 - "Gnome with a DDD cup" is not exactly an attribute that comes to mind when I think of attractive women. "Hey, lookit the ta-tas on that female gnome!"
2 - "Expandable codpieces"? Give me a break. Women are beautiful. The female body is one of the most elegant things (at least in some incarnations) created by nature. Men, well, I dunno, naked guys not being my cup of tea, but "partially decorated christmas tree" comes to mind. "Goofy-lookin" is another adjective.
3 - I always thought that women were a bit less physical than guys? Correct me if I'm wrong, I know that my female friends often look after a guy they think is attractive (male companion: *snort* "he's probably gay") but at least I figured that girls were at least a bit less apt to wolf-whistle at nice-looking men (unless they're 40-ish and desperate.) I know it's a bit stereotypical of me to say so, but I can't remember the last time I heard "hey, nice trouser snake!". But then again, maybe that's just because it's me....
4 - Girls with guns and swords and jet fighters and kung fu moves are just sexy, period. Maybe it's that I find assertive (not bitchy or dominant) women attractive, but I've heard similar statements from lots of male friends. The idea of h0t Ch1x that can blow things up, do gymnastics, and ride speedbikes (Lara Croft, anyone?) is just appealing. I've yet to see a woman get weak-kneed over Conan or Dirty Harry.
5 - If you're really into esoteric codpieces, may I suggest renting some Blackadder DVDs. Black, his codpiece made of metal....
That said, I'm all for equal rights in games. If someone wants to customize their 35th level troll barbarian in any and every aspect, great. Frankly, it'd be sort of funny to see what the 13 year old pimply gamer set comes up with--although I can't see having a Rogue constantly tripping over the enormous 5 foot schlong dragging from his left trouser leg having an enormous advantage in combat.
This is pretty cool news, actually. It means that the brambles from my mom's backyard should suffice to power my TT for about, oh, 50 trips around the earth.
Maybe Amoco or Shell should offer gardening services. Let's face it, few of us have the time or desire to really take care of weed-whacking on weekends. Why not drive up a big fat truckfull of those enthusiastic ("do people really care enough to cart off John's piles of compost to use as a renewable energy source? People do!") petroleum geologists, equipped with hedge trimmers and shovels--the owner of the yard gets to keep 50% of all the biogas created from the crap recovered from his garden, the rest is sold at gas stations.
I mean, it'd be a lot easier than bolting a Mr. Kitchen to the back of my car, like the De Lorean in Back to the Future, and shoveling 25 tons of rotting blackberry stems into it every time I want to take a trip.
I have a Fisher space pen, it's a really neat toy--it's a "story", as I noted, but fair enough on the urban legend plonk. Nonetheless, my point holds.
The vacuum-tube radar is a good example--I've had a look at these. The conception at the time was that USAF electronic jamming techniques (MX-1420 was one of the originators, I believe, but I can't find subsequent designations) were invulnerable to common transistor-based AA intercept radars. Vacuum tubes _were_ easier to manufacture, hence cheaper, with the added side effect that the Sapfir-25 fire control radar could simply burn through most US jamming at the time.
And while we're at it, if you're going to nitpick, the two B-70s were built of a titanium-stainless steel honeycomb.
Whatever the reason, Soviet tech, especially military-related, _did_ follow a 'robust-rather-than-sophisticated' design philosophy. T-34, AK-47, MiG-25 all are good examples of this--there's a common thread to be found there. I'm not an aerospace engineer, but I believe the UDMH used to fuel Proton rockets is a simpler, less elegant, but equally effective method, compared to the LH2 used in US space shuttles (I think earlier Titans used UDMH too.) What the Soviets had was yes, less money, but also different goals, and hence definitely different ways of approaching a solution.
Regarding the 'low risk' thing, have a look at the N1 program, or do a search for 'tsar bomba'. No, they didn't want to do simple engineering, but yes, you're right, they were constrained by cost.
As for your point comparing MIR to Spacelab, which one stayed up longer? And this after several modules had failed, the oxygen scrubbers broke repeatedly, with multiple unmanned/unheated periods in between, etc etc etc.
First off, the parent is not flamebait. It's unfairly moderated.
That said,
ANY computer is susceptible to a virus written for it. Money? The last time I checked security patches were free.
For the individual user, opportunity cost, lost productivity, and essentially waste of resources are far less of a noticeable factor than for MegaCorp Inc. I should know, I'm building an incident response team at a large international bank--they blew millions and millions either preparing for or responding to shit that never should have happened in the first place. Check the CSI/FBI computer crime survey, Gartner, whatnot--you'll find absolutely stunning figures. Whether they're the result of underlying flaws in Windows, or just of a higher susceptibility of that OS to attack because it's further spread I won't argue--I have made up my mind on that already.
Furthermore, while I have no issue with your general comments, there's one important thing you're missing--vulnerabilities in Linux/BSD tend (note careful choice of words) to be results of configuration errors, or of vulnerabilities in software running on top of the OS.
I just had this discussion with a colleague recently--the fundamental difference, compared to Windows, is that (a) the existence of a Linux workstation in a corporate network does not require you automatically to run vulnerable services as part of the core OS (vulnerabilities in OpenSSH notwithstanding, it's a far more secure mechanism for administering distributed boxes than mapping a C: drive via RPC), and (b) if you do have to run a service, I can't think of many (and if you mention NFS, I'll throw a shoe at you) which cannot somehow have their running privileges limited (run as different user, chroot, jail, whatever.)
Of course, if you allow remote root logins, that's your own problem.
Pretty simple, I'd guess. Look up any information on MiG-25 development. Shortages of titanium led them to basically rivet the thing together out of steel plates; the air-to-air radar was powered by a bunch of massive vacuum tubes.
Remember the story of how the US spent $5 million to develop a space pen, which would work in vacuum, under water, in massive heat, etc? (The Fisher space pen, I have one, they're pretty nifty)
The tale goes, the Russians brought a pencil. Different design philosophies. I've been inside a reconstruction of MIR--the thing's pretty massive, and you definitely get the feeling that some of the engineers had a blacksmithing background...
The CA department of health (or OSHA, I'm not sure what's called what there anymore) started requiring restaurants and other hospitality industries to put up visible signs saying something to the effect of,
The State of California has determined that this facility contains chemicals and substances which could potentially cause reproductive harm.
Great. Why not say "substances which could cause heart disease" (hamburgers), "substances which could cause liver failure" (wine), etc.
The Golden Gate Restaurant Association got a bunch of places to print and post signs with the above nonsense on it, along with the text,
The Management therefore discourages all reproductive behavior on these premises.
I never found out whether this applies to brothels.
This gentleman uses a classic tactic of poor debaters: "people who disagree with me just didn't bother to read/understand what I said."
He also neglects to consider that what he calls "Pros" might refuse to call themselves "Windows experts" not from any religious belief ("priest"? Give me a break) or zealotry, but based on their own knowledge.
I'm a security consultant. I'm happily helping a client figure out how to blow several million dollars on building an organization to deal with the constant threats to their (primarily Microsoft) infrastructure. I realize there is no fix-all solution, but if I wanted to be taken even remotely seriously as a tech columnist, I'd shy away from impugning the technical credentials of real professionals (not pansy-assed tech columnists, to be sure) who refuse to consider crappy software as "the right tool for the job" based on hard-earned experience.
Ditto here--I managed pretty nicely as a consultant for the last few years. I'm not rich, but I was living well. Then, this summer, all of a sudden the horizons just dried up.
Summers here tend to be pretty grim anyway for consultants, but this one took the cake. There was literally nothing around.
Then, all of a sudden, in September the phone began ringing. Job interviews, requests for help, new projects, everything hit within a few weeks.
We've always had more business around October and March, and we've usually chalked it up to IT budget cycles. But this year is different--I really sense an unwillingness to continue cutting costs and shouting doom & gloom. People seem to have a "dammit, screw this, I want to get something done again" attitude now.
They can bare arms all they want, but I think most short-sleeved shirts look pretty dorky.
Meanwhile, our dear Canadian friends to the north are running around, exercising their right to arm bears, without control or punishment. Shame on you, Symantec.
Hm, let's see (and as a caveat, I'm American.)
The "fruitcakes with guns" way of dealing with corrupt regimes and oppressors worked (to varying degrees, to be sure, but the point still holds), for:
The Americans in the late 18th century
The French in 1830 and 1848
The Maquis in WWII
The Viet Cong
The Afghan Mujahideen
...and lest we forget, it's proving pretty darned effective in a certain unnamed Middle Eastern country as we speak.
I'll agree immediately with anyone who says "control guns". I.e. test people who want one (like with cars, unfortunately unlike with computers and dogs and children). Crush them to the fullest extent of the law if a child gets hold of it because they were inattentive, or if they blow a hole in neighbor Bob for dumping his compost over the common fence, or something like that.
But I will not permit anyone to tell me I cannot have a firearm in my house to protect myself against crooks--the common kind, or the government kind. And yes, I'm familiar with statistics stating that more fatalities occur during burglaries involving armed homeowners than not, but I'm willing to take that chance, and I think it's my business if I do. Unfortunately, it's such an emotional topic that you're not likely to get a non-frothing opinion out of many people.
Bingo. It's also the reason why I'm content to play so many sequels--I did a mental inventory of all the games I've bought, or want to buy, and they all include sequels of Tomb Raider, Homeworld, Command & Conquer, Deus Ex, Half-Life, etc.
It may seem a bit formulaic, and indubitably it would be, if I had time to spend countless hours playing a given game; as it stands, I don't play any game enough to get tired of it.
In my experience, sequels are often as good as the originals in terms of gameplay, and better as far as graphics go. So I'd rather spend the limited time I have on something I know is good.
Of course, as an IT contractor I can get longish periods of downtime between jobs; it didn't help that my )(*!)(*!# PC blew up a week before my current project started. Weather was terrible, friends were busy, girlfriend was away, and me finally with time on my hands and nothing to blow up
Oh yeah, I should probably mention that, while I was contracting at one particular client site (large international investment bank) a certain unnamed market data services provider, whose owner is now mayor of a certain unnamed large city, said MDS provider (who, as I found out after about a month of calls with core developers, had no f***ing clue what their application actually did, technically) decided to break our Socks5 proxies (running NEC socks5, which was technically not permissible for commercial usage, but that's another story) through all kinds of protocol tomfoolery.
What happens? The only contractor on the network security team (moi) ends up putting in 3 weeks of 15-20 hour days to fix this, because about 1500 traders in our country (several thousand worldwide) relied on said MDS application for fairly critical data.
Our two Sun Ultra-2 Socks5 boxes running Solaris 2.6 and ipfilter weren't doing much of anything anymore, since said MDS provider's very questionable implementation caused all sorts of fun things to happen (like crashing inetd.) In desperation, at about 3 a.m. one morning, I took my little Thinkpad X20 with FreeBSD 4.7-RELEASE on it, installed socks5 from ports, hooked a USB ethernet adapter to it, and proxied 1500 traders (not all at the same time, thank god) connections.
When the MDS guys came and kicked me awake that morning (somehow they must have heard the snores coming from under my desk) to ask my why things were suddenly working again, I had to tell them that yes, you're getting a large percentage of your market info over a little bitty laptop in the cellar, running FreeBSD. And could they please look into alternatives, as I kind of wanted my laptop back, thank you very much. That went over...interestingly. The thing kept this up for several days; it's remarkable how much more effectively you can fix problems without 5 members of senior management barging into your office, sweating bullets all over the floor every couple of minutes.
Our unix & security engineering guys' response? "Deploy laptops!"
Hey, I copyrighted that phrase. And since Congress just extended copyrights to 300 years plus life of the author and his great-great-great-grandchildren and their unborn spawn...
I patented the use of end-of-visible spectrum photonics to display information, so you can't use that black-and-white crap on me either.
Hey dude, try playing Halo or Tux Racer or whatever on a VT220 when stuck in a server room at 3 a.m. waiting for a system upgrade to finish, with nothing more than a bunch of blinking rackmounts to keep you company.
That's what Angband is for! What do you mean, it's not for people who don't want to play games. If it's a choice between Moria/Rogue and counting floor tiles during a long compile....I'll even take Mud Shell at that point.
Absolutely.
I have had FreeBSD on all my laptops for ages now--both as a workstation, and as a console/sniffer/debugging machine. The only weakness in this regard was the lack of MS Office support (no, I don't find Star/OpenOffice or KOffice or friends acceptable alternatives as of yet.) It's stable, fast, easy to upgrade and maintain, secure, and flexible.
My personal firwealls have also been FreeBSD since I started finding OpenBSD too archaic for quick changes (my last one started deciding that what I told it to do wasn't secure enough. Looking for solutions in newsgroups/mailing lists inevitably came up with "read through the source and quit bugging us you fucking idiot".) I don't want to use an OS maintained primarily by a psychopath.
My home fileserver, and AMD K6-2-400 has also been FreeBSD since about 3 years now--running 24x7 without a glitch.
I've installed it at several client sites as firewalls, web servers, monitoring boxes, groupware and mail servers, and use it with no hitches _whatsoever_ for our company (DNS, mail, PHProjekt, www.)
Prime factors in terms of quality of an OS are
Ease of installation and upgrade
Support (I've always found the BSD mailing lists to be pretty friendly, and people to be fairly clueful
Good package management
Security
Well-thought out and common sense layout of the OS itself (file systems, config files, etc.
Yes, I have a good amount of unix experience, but I often just need something to work without too much knob-dicking around, period. This is the reason I have an XP box lying around at home (games, documents I get from clients, Windows software I sometimes use professionally, etc.). No, I don't think *BSD is ready for the desktop.
However, having worked with Unix variants, including various Linux incarnations, for more than 10 years now (holy shit! I'm old!) I can really recommend this as a reliable, and representative example of a good OS.
This is assuming, of course, that you're not just trolling.
I honestly had just scanned over your paper, but I will read it in detail asap.
I don't doubt you at all. In fact, I am happy for yet another legitimate-looking piece of work which says this. In fact, this statement is one of the cornerstones of all the security incident response mechanisms and structures we've been putting together in my current project. You're preaching to the choir, so to say--it's what we've been yelling for weeks and months. In fact, it was our conclusion that if someone had translated the recent MS Messenger bug (MS03-043) into a successful remote code execution exploit, using sample code released with the DoS exploit for that vulnerability, along with a semi-reasonable hitlist generator, a ca. 60,000 station corporate LAN would be down in 10-15 seconds. Flat.
Not entirely--Nimda and Code Red were both multi-vector worms; SQLSlammer was just that (MSSQL port 1434), and Blaster spread via RPC. What I'm waiting for is not really a polymorphic worm which mutates autonomously (you'd need a fairly horrendous AI capability for that) but rather one which exhibits the covert channel new exploit uploads and cell-based hitlist exchange and breakdown that Nick and others postulate.
We've divided worms into two general categories (this is from the corporate point of view.) These are: worms that primarily affect unpatched private machines, and worms which may not be so damaging on the internet per se, but which will wreak havoc on company infrastructures (your less-than-60-second example) once it penetrates the 'eggshell' or 'maginot line' approach most large corps take to perimeter security.
I would love to get into more of a discussion about this offline--it fits exactly into what we're working on. Assuming you get hit by something against which there's really no defence in existence yet, the really interesting topic is how to recover very quickly, without serious business impact. And there are definitely ways of doing that.
Good luck. Name me one product you'd trust to automatically adjust your perimeter security.
I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.
First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to trust it not to fuck up legitimate business operations.
Second, there are good tools out there (e.g. Snort & co.), but they're very often misconfigured--IDS are often "alibi" exercises, to allow a company to check a tick-box on an audit report ("yeah, we have an IDS. NEXT?")
Third, the moment you find someone using such a tool, assuming it existed, consider the possibilities to DoS a large corporation or network by just making it think it's under attack. You wouldn't even actually need to hit it particularly hard. You'd just make their super-duper IDS Black ICE Skynet AI shit its pants and think it's getting hammered, and decide to close down. Bang, objective achieved without even having to write a working exploit.
You might want to have a look at Nick Weaver's Homepage--How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.
Frankly, you're correct in your assumption. However, the author makes a good start in terms of preventing that initial spread. I agree that if you focus too much on 'reaction', dependent on identification of a worm, you're screwed to start out with. But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.
I'll gladly dig out some of our info on this if you're interested, as we're pretty closely involved with exactly this topic right now, but alas, short of time due to having to prepare a presentation on, you guessed it, worm spread in corporate networks.
Nah, they're just gentlemen. We're pretty cool about each others' preferences. I don't catcall women either.
But as you said, there's generally not much point pushing your sexual preference on people. Who cares? I just don't find it to be an issue. And you're correct, it's just pretty irrelevant in games.
Well, judging by the frequency of "d00000D!!11 i fukd u! Bend over u h0z3r!!1111" type messages I see when playing online, I wouldn't be so quick to rush to conclusions 8-)
a) I know no gay gamers.
b) I have several homosexual friends--they're stylish, smart people who're usually to be found at the latest bar opening or party or whatever. They have a life, unlike me. And yes, to a man they're significantly less boorish about ogling members of your preferred sex than most of my straight acquaintances.
So, assumption by anecdote, true, but it holds regardless.
1 - "Gnome with a DDD cup" is not exactly an attribute that comes to mind when I think of attractive women. "Hey, lookit the ta-tas on that female gnome!"
2 - "Expandable codpieces"? Give me a break. Women are beautiful. The female body is one of the most elegant things (at least in some incarnations) created by nature. Men, well, I dunno, naked guys not being my cup of tea, but "partially decorated christmas tree" comes to mind. "Goofy-lookin" is another adjective.
3 - I always thought that women were a bit less physical than guys? Correct me if I'm wrong, I know that my female friends often look after a guy they think is attractive (male companion: *snort* "he's probably gay") but at least I figured that girls were at least a bit less apt to wolf-whistle at nice-looking men (unless they're 40-ish and desperate.) I know it's a bit stereotypical of me to say so, but I can't remember the last time I heard "hey, nice trouser snake!". But then again, maybe that's just because it's me....
4 - Girls with guns and swords and jet fighters and kung fu moves are just sexy, period. Maybe it's that I find assertive (not bitchy or dominant) women attractive, but I've heard similar statements from lots of male friends. The idea of h0t Ch1x that can blow things up, do gymnastics, and ride speedbikes (Lara Croft, anyone?) is just appealing. I've yet to see a woman get weak-kneed over Conan or Dirty Harry.
5 - If you're really into esoteric codpieces, may I suggest renting some Blackadder DVDs. Black, his codpiece made of metal....
That said, I'm all for equal rights in games. If someone wants to customize their 35th level troll barbarian in any and every aspect, great. Frankly, it'd be sort of funny to see what the 13 year old pimply gamer set comes up with--although I can't see having a Rogue constantly tripping over the enormous 5 foot schlong dragging from his left trouser leg having an enormous advantage in combat.
Well, there'd probably be a lot more of the stuff to go around if the damn Germans didn't keep using it to light up the New Jersey night sky.
This is pretty cool news, actually. It means that the brambles from my mom's backyard should suffice to power my TT for about, oh, 50 trips around the earth.
Maybe Amoco or Shell should offer gardening services. Let's face it, few of us have the time or desire to really take care of weed-whacking on weekends. Why not drive up a big fat truckfull of those enthusiastic ("do people really care enough to cart off John's piles of compost to use as a renewable energy source? People do!") petroleum geologists, equipped with hedge trimmers and shovels--the owner of the yard gets to keep 50% of all the biogas created from the crap recovered from his garden, the rest is sold at gas stations.
I mean, it'd be a lot easier than bolting a Mr. Kitchen to the back of my car, like the De Lorean in Back to the Future, and shoveling 25 tons of rotting blackberry stems into it every time I want to take a trip.
"Look, Klaus, zer is a fat drunken Englander pulling down his pants at us from across ze ether! Isn't technology vunderful?"
Und ve could tell zem ja, zis is how yoo become successful in der English-shpeaking countries. Yoo can even become Gubernator of der California!
Now how would you convey that in sign language?
Ever watch The Italian Job?
Mod parent up, good point, however...
I have a Fisher space pen, it's a really neat toy--it's a "story", as I noted, but fair enough on the urban legend plonk. Nonetheless, my point holds.
The vacuum-tube radar is a good example--I've had a look at these. The conception at the time was that USAF electronic jamming techniques (MX-1420 was one of the originators, I believe, but I can't find subsequent designations) were invulnerable to common transistor-based AA intercept radars. Vacuum tubes _were_ easier to manufacture, hence cheaper, with the added side effect that the Sapfir-25 fire control radar could simply burn through most US jamming at the time.
And while we're at it, if you're going to nitpick, the two B-70s were built of a titanium-stainless steel honeycomb.
Whatever the reason, Soviet tech, especially military-related, _did_ follow a 'robust-rather-than-sophisticated' design philosophy. T-34, AK-47, MiG-25 all are good examples of this--there's a common thread to be found there. I'm not an aerospace engineer, but I believe the UDMH used to fuel Proton rockets is a simpler, less elegant, but equally effective method, compared to the LH2 used in US space shuttles (I think earlier Titans used UDMH too.) What the Soviets had was yes, less money, but also different goals, and hence definitely different ways of approaching a solution.
Regarding the 'low risk' thing, have a look at the N1 program, or do a search for 'tsar bomba'. No, they didn't want simple engineering, but yes, you're right, they were constrained by cost.
As for your point comparing MIR to Spacelab, which one stayed up longer? And this after several modules had failed, the oxygen scrubbers broke repeatedly, with multiple unmanned/unheated periods in between, etc etc etc.
First off, the parent is not flamebait. It's unfairly moderated.
That said,
For the individual user, opportunity cost, lost productivity, and essentially waste of resources are far less of a noticeable factor than for MegaCorp Inc. I should know, I'm building an incident response team at a large international bank--they blew millions and millions either preparing for or responding to shit that never should have happened in the first place. Check the CSI/FBI computer crime survey, Gartner, whatnot--you'll find absolutely stunning figures. Whether they're the result of underlying flaws in Windows, or just of a higher susceptibility of that OS to attack because it's further spread I won't argue--I have made up my mind on that already.
Furthermore, while I have no issue with your general comments, there's one important thing you're missing--vulnerabilities in Linux/BSD tend (note careful choice of words) to be results of configuration errors, or of vulnerabilities in software running on top of the OS.
I just had this discussion with a colleague recently--your fundamental difference, compared to Windows, is that (a) the existence of a Linux workstation in a corporate network does not automatically require you to run vulnerable services as part of the core OS (vulnerabilities in OpenSSH notwithstanding, it's a far more secure mechanism for administering distributed boxes than mapping a C: drive via RPC), and (b) if you do have to run a service, I can't think of many (and if you mention NFS, I'll throw a shoe at you) which cannot somehow have their running privileges limited (run as a different user, chroot, jail, whatever.)
Of course, if you allow remote root logins, that's your own problem.
Pretty simple, I'd guess. Look up any information on MIG-25 development. Shortages of titanium led them to basically rivet the thing together out of steel plates; the air-to-air radar was powered by a bunch of massive vacuum tubes.
Remember the story of how the US spent $5 million to develop a space pen, which would work in vacuum, under water, in massive heat, etc? (The Fisher space pen, I have one, they're pretty nifty)
The tale goes, the Russians brought a pencil. Different design philosophies. I've been inside a reconstruction of MIR--the thing's pretty massive, and you definitely get the feeling that some of the engineers had a blacksmithing background...
The CA department of health (or OSHA, I'm not sure what's called what there anymore) started requiring restaurants and other hospitality industries to put up visible signs saying something to the extent of,
Great. Why not say "substances which could cause heart disease" (hamburgers), "substances which could cause liver failure" (wine), etc.
The Golden Gate Restaurant Association got a bunch of places to print and post signs with the above nonsense on it, along with the text,
I never found out whether this applies to brothels.
This gentleman uses a classic tactic of poor debaters: "people who disagree with me just didn't bother to read/understand what I said."
He also neglects to consider that what he calls "Pros" might refuse to call themselves "Windows experts" not from any religious belief ("priest"? Give me a break) or zealotry, but based on their own knowledge.
I'm a security consultant. I'm happily helping a client figure out how to blow several million dollars on building an organization to deal with the constant threats to their (primarily Microsoft) infrastructure. I realize there is no fix-all solution, but if I wanted to be taken even remotely seriously as a tech columnist, I'd shy away from impugning the technical credentials of real professionals (not pansy-assed tech columnists, to be sure) who refuse to consider crappy software as "the right tool for the job" based on hard-earned experience.