People don't like to play against bots because they suck
No.
First you learn how systems work: OS, software design and development, network design, system stability, etc. After that you learn threat analysis, and then you can call yourself a security professional.
Unfortunately this is unfashionable in the industry nowadays. It is much more popular to dwell in threat land without knowing the underlying hardware and software infrastructure. It is also easier.
And as mediocrity is well known to be a self-supporting mechanism, knowing the guts is actually a problem in finding a security job nowadays. It is much easier to claim familiarity with the relevant BS and ISO.
That is exactly my point. As far as OpenBSD is concerned they think that OpenSSH == OpenBSD and do not give a flying f*** about the name service and authentication layer of anyone else. Well, in such a case they should not be asking for money.
The moment they start giving a flying f***, people will be more than happy to give them some, the way they give to Perl, Linux distros and other OSS projects.
There are individuals I would rather avoid in both camps. Linux has its Jeffs (no family name quoted as he is a well known litigation happy cretinous c**ks****r), Larrys and many others.
Similarly, I have not had any trouble with the individuals from the FreeBSD crowd I had to communicate with when I worked with racoon, mpd, altq etc.
So arseholes are clearly not limited to a specific OSS-*nix camp.
And granted, flamewise, Linus is tame compared to Al Viro and Dave S Miller (as a Russian speaker I have a special opinion on his machine naming conventions).
Sorry mate, you need to read some LKML archives. Ending up on the receiving end of a Linus flame is not something I would wish on anyone.
I would agree with this.
OpenSSH is used in the OSS community despite its development policies, not because of them. The primary branch does not track any authentication and NSS developments in non-OpenBSD OSes and does not give a flying f*ck about them. To add insult to injury, when a major alert is out they do not do anything to backport any fixes, and the people at Debian (mostly) and FreeBSD/OpenPAM have to sweat several days 24/7 to get a patched backport and release. I can quote Bugtraq and CVE IDs on this, but do not see a point. Anyone who has had to deal with OpenSSH vulns knows this.
With all due respect, when you have a serious attitude problem you should not complain that you are short on money. In fact I will happily give OpenSSH money the moment it starts caring about the underlying OS on non-OpenBSD OSes.
For 90% of the zombies out there, even if the computer screams through the speakers "You are infected, moron" and displays this on screen permanently, the owner will not clean it up. At best they will call Dell and tell them that the spanking new PC they bought one week ago has broken speakers.
Just history repeating itself.
Nearly 14 years ago, when I lived in a country on the other side of what used to be the Iron Curtain, I saw one of these cases with my own eyes. Two newly fledged "politology scientists" (no comment on what they were in reality), with some fresh funds from US donors for a "freedom of information study project", bought themselves the highest possible spec new PC with the biggest and baddest monitor they could buy. It was mostly used by their kids to play Tetris and a few other games (the "scientists" did not know how to use a computer). As usual, in a few days it was thoroughly infected, including with that funny virus that used to drop the letters down the screen (SWAP, Cascade or something like this). They looked at it and took the monitor in for repairs, screaming that they had been sold damaged goods. We were getting parts from the same supplier, so I had about an hour of free entertainment listening to the tech trying to tell the stupid "politically aware c**t" that she was infected.
So making the bots scream at their owners will have no effect. Besides that, it is illegal under US, UK and a few other countries' laws.
If you are suffering from a case of the load going through the roof, do the following:
Flush your SAs with a setkey -F every time your loadavg exceeds a certain predefined value. 2 per CPU does this for me (I check it every 5 seconds).
Essentially it is a combined racoon/setkey problem. When the SA expires, some implementations (Checkpoint is one) will start negotiating SAs as fast as they can manage. As a result your load will go through the roof and the SA table will grow until the machine chokes. If you detect this in time and flush them, all SAs will be happily re-established on the next packet and the machine will continue trucking along.
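The watchdog the comment above describes, written out as an added example (this is not the commenter's script and not part of the original post). It assumes a Linux box with /proc/loadavg, getconf or nproc for the CPU count, and setkey(8) from ipsec-tools on the PATH; the 2-per-CPU threshold and 5 second poll interval are the values from the comment and can be overridden through the environment. The flush command is also overridable so the decision logic can be exercised without a live SAD.

```shell
#!/bin/sh
# Added example: flush the IPsec SA database when the 1-minute load average
# exceeds a per-CPU threshold. Assumptions: Linux /proc/loadavg, setkey(8)
# on PATH. Not code from the original post.

# Load-average units per CPU before we flush (the comment uses 2).
LOAD_PER_CPU=${LOAD_PER_CPU:-2}
# Seconds between checks (the comment checks every 5 seconds).
INTERVAL=${INTERVAL:-5}
# Command that flushes the SAD; overridable so the logic can be tested
# without touching a live kernel.
FLUSH_CMD=${FLUSH_CMD:-"setkey -F"}

# cpu_count: number of online CPUs, falling back to 1 if it cannot be read.
cpu_count() {
    n=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc 2>/dev/null || echo 1)
    [ -n "$n" ] && [ "$n" -gt 0 ] 2>/dev/null && echo "$n" || echo 1
}

# current_load: 1-minute load average from /proc/loadavg.
current_load() {
    read -r one _ < /proc/loadavg
    echo "$one"
}

# load_exceeds LOAD CPUS PER_CPU: succeed when LOAD > CPUS * PER_CPU.
# awk is used because /bin/sh has no floating-point arithmetic.
load_exceeds() {
    awk -v l="$1" -v c="$2" -v p="$3" 'BEGIN { exit !(l > c * p) }'
}

# check_once LOAD: flush the SAD if LOAD is over the threshold for this host.
# Returns 0 when a flush was triggered, 1 when nothing was done.
check_once() {
    if load_exceeds "$1" "$(cpu_count)" "$LOAD_PER_CPU"; then
        logger -t sa-watchdog "loadavg $1 over threshold, flushing SAD" 2>/dev/null || :
        $FLUSH_CMD
        return 0
    fi
    return 1
}

# Poll loop. Only entered when invoked as "sa-watchdog.sh run", so the file
# can be sourced (for tests or reuse) without starting the loop.
if [ "${1:-}" = "run" ]; then
    while :; do
        check_once "$(current_load)"
        sleep "$INTERVAL"
    done
fi
```

Run it as `sh sa-watchdog.sh run` from an init script or under a supervisor. A flush drops every SA on the box, not only the ones racoon is churning, so expect a short blip on all tunnels; the point of the load threshold is that by then the machine is already unusable.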
The Night's Dawn trilogy by Peter F. Hamilton has possibly the best space combat description with near-future tech. It also has a reasonably good plot and reasonably good characters.
I would highly recommend it.
http://www.amazon.co.uk/exec/obidos/ASIN/03303403
http://www.amazon.co.uk/exec/obidos/ASIN/03303514
It will have to learn a few lessons from Cisco first.
They are quite alike. They both tend to trumpet absolutely cretinous marketing claims and beat their chests senseless, screaming utterly stupid ideas over and over. Just like a bunch of communists at a party conference. This is where they are similar.
The difference is in the way they perform a 180 degree turn when the party line changes.
When the great Cisco Marketing Bubba declares that it is time to admit that WFQ is worthless without a classful qdisc above it, the entire Cisco marketing force turns around on tiptoe and starts saying the same. All courses change overnight, and people who would have passed the exam yesterday are failed for not following the new party line. There are plenty of other examples. It is just as if nothing ever happened.
Microsoft has yet to learn the trick. When they change something they used to beat their chests about, like GDI printers, kernel graphics integration, etc., they try to do it quietly. Their presentation droids are nowhere near as good at dodging questions phrased along the lines of "Look, you just told me yesterday that this design by your competitor is a genuinely stupid idea, and today you are presenting the same design".
They have to learn and improve their lying capabilities. Delivering FUD in an enterprise is much harder than delivering FUD in an SME. An enterprise always has someone who remembers the "previous party line". SMEs usually do not. There are two solutions to this. One is to have 30 years of evolution in your current architecture, the way the Big Iron people do. The other is to turn around and chant the new party line without even blinking, the way Cisco does.
With all the architectural mistakes Microsoft has made over the years it has to follow the latter approach, and it is very far from having mastered it. Time to poach some Cisco marketing staff, I guess.
I assume you mean "public" addresses and the answer is: Not necessarily.
You need the same number for your ADVERTISERs as normal. No change there.
You can use martian addresses for the listen address of the rest, and the ADVERTISER's address with a high port (non-53) as the query source for the RESOLVERs (so that you do not churn a lot of NAT entries for them).
So there is no public address wastage here.
I have no problem eating the equivalent of 10-20, but it hits me elsewhere. High doses of capsaicin will cause rheumatic pains in many people. I love hot food, but I cannot eat it.
While at it, collating some stats about Mexican hot chili pepper consumption in the population vs. rate of cancer should be trivial. In fact, if the effect works in the real world it should be fairly obvious in the stats for, let's say, Mexicans (who eat a lot of hot food) versus Finns (who do not eat it at all).
That is almost correct. As stated it requires 3x2 machines (primaries and secondaries), which is a serious resource waste. In most cases the RESOLVER and ADVERTISER can be combined on one machine.
You simply need to set listen statements in the named.conf files so that the ADVERTISER listens on an externally reachable address and the RESOLVER issues queries from an externally reachable address while listening on an address that can be reached only from the inside.
Depending on your topology and security constraints you can throw the INTERNAL in on one more set of addresses or keep it separate (lo:0, lo:1, lo:2, etc).
In addition to everything else, having no recursion in the ADVERTISER helps decrease the possibility of cache poisoning attacks. While BIND has gotten much better lately, they can still happen.
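The combined ADVERTISER/RESOLVER layout from this comment and the earlier one about martian listen addresses and the advertiser's address as query source, as an added example written for this page (not the commenter's configuration and not taken from the original posts). It assumes two named instances on one host, each with its own named.conf; the addresses, directory and pid paths, the example.com zone and the helper names are all made up for illustration. One deliberate choice: the resolver's outbound queries are sourced from the shared external address on a random ephemeral port (`port *`) rather than a fixed high port, which is still non-53 and also avoids the predictable-source-port poisoning problem.

```shell
#!/bin/sh
# Added example: write named.conf files for an ADVERTISER (authoritative,
# non-recursive, external address) and a RESOLVER (recursive for the inside,
# inside-only listen address, queries sourced from the external address)
# running as two named instances on one box. All paths/addresses are assumed.

# write_split_named_conf OUTDIR EXT_ADDR INT_ADDR INT_NET
#   EXT_ADDR: externally reachable address; the advertiser listens on it and
#             the resolver sends its upstream queries from it.
#   INT_ADDR: inside-only address the resolver listens on.
#   INT_NET:  prefix allowed to recurse through the resolver.
write_split_named_conf() {
    outdir=$1 ext=$2 int=$3 net=$4
    mkdir -p "$outdir"

    # ADVERTISER: answers only for zones it is authoritative for, never
    # recurses, so it carries no cache that could be poisoned.
    cat > "$outdir/named-advertiser.conf" <<EOF
options {
    directory "/var/cache/bind/advertiser";
    pid-file "/var/run/named/advertiser.pid";
    listen-on port 53 { $ext; };
    listen-on-v6 { none; };
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
    minimal-responses yes;
};
zone "example.com" { type master; file "example.com.zone"; };
EOF

    # RESOLVER: reachable only on the inside address; outbound queries leave
    # from the shared external address on a random ephemeral port, so they
    # never collide with the advertiser's port 53 and do not churn NAT state.
    cat > "$outdir/named-resolver.conf" <<EOF
options {
    directory "/var/cache/bind/resolver";
    pid-file "/var/run/named/resolver.pid";
    listen-on port 53 { $int; };
    listen-on-v6 { none; };
    query-source address $ext port *;
    recursion yes;
    allow-query { $net; localhost; };
    allow-recursion { $net; localhost; };
    allow-transfer { none; };
};
EOF
}

# advertiser_is_non_recursive FILE: succeed if FILE disables recursion.
advertiser_is_non_recursive() {
    grep -q '^[[:space:]]*recursion no;' "$1"
}

# resolver_sources_from FILE ADDR: succeed if FILE sources queries from ADDR
# on a non-fixed (hence non-53) port.
resolver_sources_from() {
    grep -q "^[[:space:]]*query-source address $2 port \*;" "$1"
}

# check_configs OUTDIR: syntax-check both files when named-checkconf exists.
check_configs() {
    command -v named-checkconf >/dev/null 2>&1 || return 0
    named-checkconf "$1/named-advertiser.conf" && named-checkconf "$1/named-resolver.conf"
}
```

Start the two instances with `named -c /etc/named-advertiser.conf` and `named -c /etc/named-resolver.conf`; the differing pid-file and directory options are what let them coexist. The INTERNAL zones from the comment would go into a third instance (or the resolver) bound to a loopback alias, with the same pattern.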
True, nobody is giving them up for free.
You have to pay.
But the price of a second hand thin client with a warranty from someone like Computacenter is peanuts. Depending on the CPU you can get them for 50-120$ in the US or 50-120£ in the UK (due to the usual way things are priced). If you are brave enough to buy from eBay you can get them for even less.
Overall, their cost is comparable to the electricity bill for a desktop with a P4 or Athlon (especially one that has not had power management configured to the max) over its lifetime.
I used to have a similar list to yours, but most of it is in storage now. I have reduced it to an XP3200+ with a RAID array which is used for storage, and thin clients like this: http://www.sigsegv.cx/hp-thin-client.html for the actual use. This or various Via EPIA systems. 5-15W power consumption. And most importantly - very very very quiet.
Be patient. If you ignore them for 2-3 years, and during those years you pay your credit card bill 100% on time, they take you off their lists. You are not an interesting subject to them from then on because you are not likely to generate interest. They look for stupid people. If you are not one of them you will not get any "preapproved applications".
Dunno about the US, but they can see your payment history for at least 2 years back in the UK. Once it rolls over and contains only entries that show 100% payment month on month, all applications suddenly cease. Forgot how long it takes. 2 years at least.
By the way, it is the same for other debt. If they see that you hate feeding them they will leave you alone. This of course means that you have to live in a fashion that is proportionate to your income, and the average "consumer-producer" hates that. And the credit card companies love him for that.
There is at least one missing law: The robot must know that he is a robot.
Without this one the primary three make no sense.
You are both right and both wrong.
There is no such thing as "the general purpose backup problem". There are two problems: backup as a defence against a luser error or minor failure, and backup as a defence against a system failure or a catastrophic failure. Or, in backup architecture terms, you have to deal with operational recovery and disaster recovery.
Tapes suck rotten eggz for operational recovery. With all the advances, they are much slower than disk-based solutions.
Disks suck for disaster recovery. Once you add removability to the equation, the cost of backup to disk for disaster (offsite or fire safe) recovery is much higher than tape. The requirement for removability may be dropped if the whole backup solution is off-site and connected via a suitable network. In that case disks get back their advantage over tape, but very few companies have the infrastructure to afford this.
By the way, that is valid for "general purpose backup", which in fact is only a minor fraction of any backup expense. Applications are usually a much bigger pain in the neck.
SQL does not allow adding and subtracting date types. I think this is part of the ANSI spec, but I may be mistaken. You need to use the interval ops.
Example: http://www.sigsegv.cx/exim-greylist.html
As far as the checking is concerned, I think that 4+ does all checking, including invalidating dates like 31 Feb, correctly.
This is solely a matter of the AI in use. Most modern computers have enough CPU to keep 5-10 bots that do not suck operational, more for some games.
Granted, the industry has followed in the steps of Doom, having cretinous monsters that march with zombie steps left and right and no real AI behind them. This is the "industry standard" at the moment, but there is no need for it to be this way. At all.
Indeed.
Removing a letter here or there would have been even better.
Via SP8000 http://www.via.com.tw/en/products/mainboards/mini_itx/epia_sp/index.jsp
Got two departmental servers running on that. The onboard + 2 Silicon Image Adaptecs (6 disks total) using these enclosures: http://www.scan.co.uk/Products/ProductInfo.asp?WebProductID=84948
One caveat: the enclosure does not work with newer Maxtor drives because the idiots redefined the power-up SATA spec and the meaning of the LED indicator on the power pinout.
Bollocks.
I have Debian running on 30+ of them. All varieties from V onwards. In fact it has been the primary small server platform for all of my projects for 2+ years now.
Ubuntu and Knoppix also run fine.
I have heard about some problems with RHEL on the low-end C3, which is not surprising because AFAIK RHEL nowadays by default comes with a 686 kernel, which requires SSE. All you need to do is force it to use a 586 or lower kernel (if it ships with one). It should be OK with C7 and all higher-end C3s (Nehemiah core).
Which reminds me, I have been postponing writing an article on how to run Linux on these for a while now. Need to get to work on it...
I will second that. I look after 20-30+ EPIA systems. Mostly M, but some V, MII, TC, SP, so nearly all varieties are represented. I use them for all odds-n-sods servers (DNS, News, SMTP, firewalls, VPN using the Via AES accel, archiving, alerts, even some slower file services). The only times I had thermal problems with them were when there was obstruction from cables.
I am not a Windows user, but I happen to admin a mixed network with 50%+ Windows. With all due respect, you are talking BS. This was valid in the days of 3.11. It has not been true ever since. Less than 5% of the applications nowadays will operate correctly if installed by copying, because they rely on registry settings put in by the installer.
Funnily enough, the model you are describing works fine on, guess what... Gentoo and the BSDs. Portage. I personally dislike it, but that is a matter of taste.
Neither.
In fact - unqualified.
They did not make any attempt to cover their mobile usage and had no clue whatsoever about the level of precision mobile location records from GSM can yield in a high-density urban environment. Italians love to talk, so the GSM coverage in their cities is one of the densest in Europe.
All the judge had to do was subpoena the Italian GSM operators.