Slashdot Mirror


User: simul

simul's activity in the archive.

Stories: 0
Comments: 42

Comments · 42

  1. Re:not that big of a problem on Massive, Coordinated Patch To the DNS Released · · Score: 1

    You're right, spoofing would work... but it wouldn't work because you'd have to spoof the same reply over and over. After about 200 identical replies with different tids (damn the source ip) ... i'd block it.

    Of course if you didn't care *which* domain you cache-poisoned and you just wanted to cache-poison in *general* then you could randomize the domains. That would be tough to block (although hackers *usually* put detectable patterns in their attacks). It would also be undirected and pointless. You'd have to scan to figure out which website you hacked when you were done.

    Also, IP spoofing is getting harder.

    While I was working at zoneedit, I would call up ISP's every week following packet spoofing attacks (usually easy to detect once you decide to do it) and demand that they block packets with source addresses way out of their range - usually with some success.

    But this really should be the default configuration on ALL routers. You should have to work to "unconfigure" source ip filtering, and you should have to know what you're doing.

    Simply require routers to verify the source address (I like to call it "RBGP" or reverse-BGP, so people understand it does not require symmetrical routes) ... and it's gone altogether.

  2. Re:not that big of a problem on Massive, Coordinated Patch To the DNS Released · · Score: 1

    as long as you change your default password on your home router, you're immune to his javascript bug.

    router vendors should *require* you to change it when you log in.

    (they should also require that the source ip of the packets leaving the router match the valid inbound destination ip's in the current routing tables. there was a class action lawsuit stewing over this negligence)

  3. not that big of a problem on Massive, Coordinated Patch To the DNS Released · · Score: 5, Informative

    I used to run a DNS hosting company. Fortunately, this error only affects caching resolvers, since it is yet another example of cache poisoning. There have been (and continue to be) hundreds of cache poisoning exploits over the years. This one is fairly technical and would require significant expertise to execute in a timeframe (ie: before everyone patches up) to cause harm. I don't know about you, but if someone started flooding my servers with thousands of response records in hopes of guessing a transaction ID, my iptables config would block them in a heartbeat.

    this is not the kind of security problem that should cause people's heart to skip a beat. your average malware worm is much worse.

    dan has written an article on a javascript attack that can compromise a home router.... that's probably far worse - in terms of real damage (ie: bot creation, personal data stolen)

    in sum... run yum update.... then don't worry about it.

  4. Attack on Open Source, defense for Hackers on Internet Security Moving Toward 'White List' · · Score: 1

    Antivirus companies will find they no longer have to review software, they can just charge a fee for "express certification", and make the regular process slow and cumbersome. This will greatly reduce the costs, and - most importantly - the technical expertise needed to develop antivirus software.

    Hackers will find out that they can now pay for certification, all they need is to use one of the 8500 identities and credit cards they compromised last week to pay for their next trojan. This will, in turn, require them to steal more credit cards and identities.

    Open Source developers will find it expensive, slow and difficult to get their programs certified. There will be far fewer open source programs developed.

    I'll bet Microsoft loves this solution.

    The real solution is a better O/S design. Microsoft refuses to do this. Running "all programs as root" by default - should qualify for criminal negligence on their part. There was a site called "ddos-ca.org" that was organizing a class action lawsuit against Microsoft for failing to provide security. Within 2 months of a public interview on Canadian TV, Microsoft shipped a "Windows Firewall" patch to the O/S.

  5. Stock up 31% in response to slashdot article on Subliminal Spam Using an Animated GIF · · Score: 1

    TMXO stock is up 31% following this slashdot article. So, animated GIF's do work to prop up stocks. Provided someone is generous enough to slashdot them.

    I made $700. I wish I put more in.

    - Erik

  6. Re:Not quite subliminal on Subliminal Spam Using an Animated GIF · · Score: 1

    No, the blogger probably bought the stock, and feeling dumb that it dropped 8%, thought maybe that blogging about it, and posting it on slashdot, would raise the price.

  7. i bought it on Subliminal Spam Using an Animated GIF · · Score: 1

    on speculation that this slashdot article would make people speculate that this slashdot article would send it up

  8. An ethical menu on Evolving Humans on the Menu · · Score: 2, Insightful

    You might try distinguishing between "Want to eat" and "Need to eat" in your ethics. If I "Want" to eat a blue whale, say to see how it tastes, that doesn't necessarily make it a sound and ethical decision to go off killing such a large and rare beast.

    Now, If I'm living in Norway and it's 200 years ago, and it's but cold and me and me bros go out on a big ass boat to go kill one and use every ounce of blubber, meat, to improve our lives..... then I'd say my desire was part of a deeper "Need", and that it's totally justified.

    Of course, anyone can use wild examples and edge-cases to argue a "Need" down to a "Want" and vice-versa. But I think we all have a sense of what's "reasonable" here (arguable need for protein in diets), and what's at the edge of reason (wanting to eat whale meat).

    Certainly, regardless of your particular views, the ethics of killing and eating things changes as our power as a species changes over time.

    IMHO, our desire to kill and eat animals is based more on childish whimsy today than on any sort of reasonably argued "Need".

  9. Allergy Theory on Mind Control Parasites in Half of All Humans · · Score: 2, Funny

    My guess is that people who are allergic to cats are, most likely, NOT infected.

    Ever notice how people who are allergic to cats are .... well, different, from the rest of us? As if they don't fit in to the system. ... ...

  10. Re:NT 3.5 was secure... on Microsoft Helps Makers Defend Against IP Suits · · Score: 1

    How do you know? Did you look at the code?

  11. Re:Microsoft the white knight? Not so fast... on Microsoft Helps Makers Defend Against IP Suits · · Score: 2, Insightful

    Absolutely. Do a search through uspto software patents. Programmers with graduate degrees and 10 years of experience will realize swiftly that most of the granted patents are for code that they could have written, representing not ingenuity but "a necessity for a particular task".

    The patent library is filling up with code that is "necessary" for various highly particular tasks.

    It's very rare these days to see a truly creative work enter the patent office.

    Microsoft gives legitimacy and money to the patent system itself with its announcement.

  12. Why call this a problem? on Your Cell Records For Sale Online, Cheap · · Score: 3, Interesting

    In the past, just the privileged few could obtain phone records. Politically connected or wealthy people could bribe the right people and obtain anything they wanted.

    Now, anyone can do it. Turnabout's fair play - as far as I'm concerned. I like seeing rich pols exposed.

    I've been busy lobbying to get the video archives of the New York Police made public as well.

    Why should the police be the only ones with access to this footage? (I'll tell you why... if enough of it was made public, lots of NY's finest would wind up fired or in jail.)

    Maybe I'm better off starting a data broker business overseas and publishing it myself.

  13. Re:well i think on Mice Created With Human Brain Cells · · Score: 2, Insightful

    by the standards of someone who lived 100 years ago, a man walking around after a massive heart attack would be considered a "zombie". there was serious ethical discussion of whether a heart attack should be intervened with at all. today, an angioplasty is an inexpensive, routine operation.

    bacteria with human dna now produce insulin inexpensively enough for poor diabetics to live full lives. it was not long ago that the privilege of living a normal life as a diabetic was reserved for the wealthy.

    having seen my grandson meet my grandfather (which he would not have otherwise been able to do), i can only feel that the true monsters are the ones who, through fear and intimidation, would try to put an end to human progress

    there is no too far. lets go all the way.

  14. lots of trajectory change fears/questions on Tempel 1 Impact Day After Tomorrow · · Score: 1

    I have seen several comments from people who are concerned that we may alter the trajectory of Tempel 1.

    Hitting this comet is like hitting a 747 with a small pebble. It's highly unlikely that the 747 will crash.

    But it's *not* impossible. Suppose Deep Impact were to ignite material within the comet that it was designed to penetrate? Or suppose the crater were to spew ejecta for a long period of time (it already is spewing more than expected). Certainly, the impact of NASA's mission won't *directly* affect the trajectory (F=MA).

    However, the ejection of material from the comet, over the course of weeks or months, could easily affect the course of Tempel 1.

    But, space is big and the Earth is relatively very small. The odds of any trajectory alteration putting the comet on a collision course with Earth are many millions to one.

    So, rest easy. It's highly unlikely that some sort of Armageddon will occur over the next few years.

  15. Re:What would really suck (And it could happen) on Deep Impact Comet-Smashing Video · · Score: 1

    No the original post is absolutely correct.

    We know nothing about the interior of the comet.

    If there is a high-pressure gas in the interior, or an ignitable chemical, then even a very small impact could create a jet-like opening in the comet.

    The resulting ejecta could take many, many years to complete.

    And, if so, then the comet would significantly alter its trajectory.

    This sort of mission is extremely prone to chaotic/compounded influences.

  16. I'll write failover code for you on DNS based Website Failover Solutions? · · Score: 1

    If you want it. It's not that hard to monitor a site and then switch the DNS on it. I wrote the ZoneEdit one.

  17. When will MySQL Grow up? on The Near-Term Future Of Open Source Desktops · · Score: 4, Interesting

    Enterprise features like layered transactions, replication, stored procs, load balancing, etc. are available using Postgres...but you can't find developers and cheap hosters that run Postgres anymore. Was it just the name "MySQL" that made it popular?

  18. scanning books.. on Gemstar Ebook Crashes, Burns · · Score: 1

    search for "cryptonomicon" on gnutella.... scanned from the source, zipped, and published. publishers are rank idiots for thinking that stopping electronic media stops people from ripping. sheesh...all my good mp3's come from cd's, not from kazaa.

  19. Re:Hijackers? on Confronting Address Space Hijackers · · Score: 1

    Yep, it has to get worse before it can get better. Only when we allow the old system to destroy itself will the new system emerge.

    (That's why I vote Green. Maybe some day we'll realize that campaigning should be government-sponsored. How to pay for it? Make corporate donations illegal and then levy a special tax on corps. A reward system, where leaders are given bonuses for GDP growth, could be used as capitalist-directed incentives.)

  20. Anyone get that scary Windows Media player popup? on W3C Poised To Release New Patent Policy · · Score: 0, Offtopic

    I think it's version 7.1. If you upgrade and try to play a ".wma" file that you ripped, it sends you a page that says "your registry has not been updated with the signature of your copied cd". Something like that. They record your IP address and information about the copied file at that time... regardless of whether you say "OK". Freaked me out.

    What's all the DRM crap really for? It's not to catch real hackers, who will strip off DRM info and watermarks like wrapping paper at Christmas.

    No, the point is to scare average people into paying for more CD's. Good little hackers use anonymizers while surfing. They download as much as they want - and, partially due to lack of unicast filtering standards, are free to wreak havoc online anonymously and safely with their botnets.

    Controlling access to the free distribution of information is probably stupid in the long run anyway. Simply slow down the memetic and, eventually, genetic evolution of our species.

  21. What if people could patent on Verisign Granted DNS Lookup Patent · · Score: 1

    But corporations legally couldn't. And any contracts bridging the right of a patent holder to "take his patent elsewhere" would be declared unenforceable.

    In other words, the corporations would have to *trust* that the scientists or engineers would continue to work for them after developing the patented technology, or *pay* them appropriately.

    They would still have incentive to *invest* in new stuff... but if they tried to play evil legal games, most of the scientists and engineers would probably just walk over to the corp. next door... who'd actually put the technology to good use.

    Fostering a technocracy... what I'm all about yo.

  22. Frivolous patent of public domain technology on Verisign Granted DNS Lookup Patent · · Score: 1

    I own thousands of domains acquired in this manner. I used to run a site called "domainspotter.com" which used lexical analysis to come up with domain name suggestions. That technique was also, later, patented and overhyped by Oingo. It makes me laugh that the technology I invented, used, got bored of, gave away, and forgot about was later turned into a multimillion-dollar firm. But that happens a lot to me. I'm not a marketing guy.

    Most software patents exist in the public domain before the patent, are not innovative, and are therefore not enforceable.

    Using perl's Net::DNS and fork() calls clearly does not call for a patent. If they pursued it, I would let them waste legal dollars while filibustering and self-defending until a judge threw it out of court.

    Contact info on me is available via whois.... please sue me.

  23. I still can't decide on KDE Success in the Enterprise · · Score: 1

    I wrote a language 5 years ago and I've used it to develop sites for brokerage firms. I still can't decide whether to GPL it or not. It's a tough decision. Lots of benefits (more developers, more usage, bugs fixed over time, etc.)... but then I don't have the evil leverage I once had.

  24. Exactly! on Google To Create "Blog" Search; Potentially Remove From Main · · Score: 1

    So should Google strip out all news as "weblogging" except AP and original journalism?

    No.

    If people link to slashdot stories... instead of to the original source.... it's because the slashdot story, or perhaps the comments, are perceived as more relevant/interesting than the original. Many times, authors interject their own opinion, or bring together multiple links into a single framework.

    An even better example of "weblog as news" is kuro5hin. Occasionally, real news gets published at kuro5hin by reporters who have witnessed crimes and walked in marches.

    The only real problem is that Google's ranking system works at the "site level" and not at the "story level"

    So the *whole site* often gets ranked up because of *one story*... dragging all the crappy stories with it.

    The solution to this is a more *granular pagerank* system that cleverly incorporates tags. *NOT* the exclusion of important media sources from Google's engine!

  25. nope, you still don't get it on Google To Create "Blog" Search; Potentially Remove From Main · · Score: 1

    "I don't want 5000 blogs that have the word stalin in them somewhere that on the large are just pointless ramblings by nobodies."

    is my site pointless? is it a rambling by a nobody? what about slashdot?

    what we need is for google to fix its "avowedly democratic" ranking system... so that the more important sites stand out... regardless of whether they look like a "weblog"... not have some fascist sit around and decide for the rest of us what is and what isn't important enough to be called "news"