So, with debian, you can boot into knoppix. There is no general tool to say "I'm booted into knoppix, please verify /mnt/foo which is a debian installation with website bar using gpg key XYZ".
Unlike certain Windows-centric individuals, I am not limited by the presence or absence of a tool specifically written to perform a function. I can script my own.
That is because I rock.
Attend, Grasshopper, and I will provide you illumination upon your path to True SysAdmin-hood.
Argue for your limitations, and they will be yours.
Rather, learn the tools available and see how they are used to overcome the obstacles you have set before yourself. Understand that all is but 0's and 1's and therefore subject to the will of the True SysAdmin.
The novice quits upon the absence of a tool. The SysAdmin knows that his understanding is the only tool he will need.
Go in peace and strive to achieve beyond your limits.
Dude, there's no need to be insulting or condescending.
Sure there is. When I say 2+2=4 and someone else is saying it's 6, then condescending is spot on.
Actual production systems are typically much more complex than a raw Debian installation.
No, they are not.
They have the same BASIC system and then they have whatever specifics needed for that app.
If I can validate everything except that app, then it is just a matter of re-installing that app. And that is the issue.
It takes a *lot* of discipline to run a good configuration management environment at all, something that far too many companies with web sites don't do well, much less to run it in a way that gives you a trusted base for every application on your system.
If you don't have a trusted base for the app you're running, then you have bigger problems than a compromised system.
NOTHING you do, including a complete re-install will give you a known clean system in that case.
NOTHING.
You're probably not just going to have raw Debian and some data files.
Been over that. Next question.
There'll be databases (typically Oracle or something of similar power, for which you don't have source code), home-grown applications, for which the source code lives on your development environment, testing and instrumentation to model what's really happening on the production system, little hackish shell/perl/etc. scripts to glue things together, detritus that's accumulated over several years that nobody's really sure what it does, etc.
Right..... and you're going to re-install all of that so you have a known clean system.
Oh, you're not? Then what is the difference between my process and yours?
Furthermore, unless your CM people are extremely good, it's hard to build an adequate development environment without some connection to the production systems, and that means that there are going to be some crossover connections between the two, possibly some developer logins on the production system (you *do* check all your SSH permission files into CVS, and your DNS resolvers, and all the proxy settings for Mozilla that each user uses, don't you?
Again, if you're doing development on a production system (or running with development and production linked) you have bigger problems than a compromised system.
You simply will not KNOW if you have a clean system.
You'll have to do a 100% audit of ALL the code you have because the cracker could have installed backdoors in ANY of your code.
Again, in that situation, even doing a complete rebuild will NOT give you a known clean system.
It'd be a real shame if the Debian you thought you were connecting to wasn't the *real* Debian.
And this is where condescending is required. Fill it in for yourself.
...and that means there's a risk that your developers will get *their* environments contaminated before you've noticed the breakin, just as there's a risk that your backups will get contaminated.
Again, in that scenario there is nothing you can do, including a bare-metal rebuild, that will give you a known good environment.
So, my process would give you results as good as a bare-metal rebuild, even in that scenario.
And I've almost *never* seen a clean development shop environment - it's tough enough to get the developers to make sure the QA department is testing on a properly-built-from-scratch environment for each subrelease, as opposed to upgrading from the previous version.
Again, in a situation where the code you're developing MIGHT be compromised, including your backups, then following my process will give you results as good as a bare-meta
With 100% pure functionality (and pure ugly) at one end...... functionality mixed with aesthetics in the middle...
And at the other end, 100% pure aesthetics with no functionality (apart for the materials used).
Of course, why limit it to one dimension? How about 2 dimensions (a square). In one corner, a bad woodworker who is also a bad artist will make a crappy, ugly chair.
In the opposite corner, you have a very skilled woodworker who is also a very good artist who makes a very beautiful, yet very functional chair.
In the other corners are a bad-woodworker but good-artist and a good-woodworker but bad-artist.
And where are the package content checksums kept? That's right, on your compromised system.
No. They're on the web site of the distribution that you used.
You compare the checksum of the package on your system with the checksum listed on the website.
You DO know what a checksum is, right?
I'm not even sure debian mandates MD5 checksums on all its package files yet.
Mandates or not, they are there.
Also there are more than a few files that don't belong to a package (like /etc/fstab -- and very much do bad things with this) or are config. files (like all of /etc/init.d/* in debian).
Yeah. Right.
No, seriously, how is someone going to sneak something by you in fstab?
And everything in init.d would also be checked.
Do you mean to say that you do not know what changes you've made in init.d? I certainly do. The only changes I've made are for running bind9 in a chroot jail and some tweaks to exim4. Everything else is pure stock and can be checked by a script.
Even if you could somehow trust the OS+libc+package-manager there's no Linux package-manager that will do a full check (Ie. tell me of all files in /usr that "don't belong" there), or check against a verifiable remote resource.
#1. Why would I not trust "the OS+libc+package-manager"? It's Knoppix. I booted the system clean.
#2. On Debian, I can check all the files on the whole disk (not just /usr) and it will tell me what files belong to what packages and which do not.
Here's the first step for you.
    cd /usr
    dpkg -S * > /root/usr.info.txt
See? Every file there lists the package that installed it. If you see any files that do NOT have a package referenced, then you have a problem.
Yes, with rpm/dpkg you can get yourself out of a simple compromise if you assume a lot of things... but the only way to be sure is re-install, and import the data.
Incorrect. The concept becomes very clear once you understand the boot process of Linux.
If you can get the machine to boot from a known good install (Knoppix) then you can trust the tools you'll use to check each file on the disk.
The disk is not magical. There is no secret place that a file can be mystically concealed from a clean boot and the root account.
The process of loading those files is not magical. Each file is called by a specific process. If the processes can be validated and the files verified, then the system is clean.
Therefore, it is just a matter of collecting the information from a known good source (Debian's website) and validating that every file on the disk can be verified as to origin and checksum.
The ONLY times when this will not work is for files that YOU have altered or software that YOU have installed and YOU should be aware of each and every instance of such on YOUR machines.
Even if you do NOT know that about a machine, I can still identify the clean portions and the suspect portions AND THEN isolate the suspect portions for analysis.
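The check argued for in this comment, sketched as an added example that is not part of the original post: from a clean boot, every regular file under the mounted suspect root is compared against a checksum manifest obtained from a trusted source and sorted into verified, modified, unowned and missing. The manifest uses dpkg's md5sums line format; the file contents, the temporary directory standing in for the mounted root, and the function names are all constructed for illustration.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse md5sums-format lines: '<hex digest>  <path relative to root>'."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)
        manifest[os.path.normpath(path)] = digest.lower()
    return manifest


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, manifest, algo="md5"):
    """Classify every regular file under root against the trusted manifest."""
    report = {"ok": [], "modified": [], "unowned": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Symlinks and special files carry no checksum in this format;
            # they need a separate comparison against package file lists.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                report["unowned"].append(rel)      # no package claims it
            elif file_digest(full, algo) == expected:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)     # claimed, wrong checksum
    report["missing"] = [p for p in manifest if p not in seen]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Audit a constructed stand-in for a mounted suspect root."""
    # Constructed "stock" contents; their digests play the trusted manifest.
    stock = {
        "usr/bin/ls": b"stock ls\n",
        "usr/bin/ps": b"stock ps\n",
        "usr/bin/cat": b"stock cat\n",
    }
    trusted = "\n".join(
        "%s  %s" % (hashlib.new("md5", data).hexdigest(), path)
        for path, data in stock.items()
    )
    # Constructed disk state: ls replaced, cat deleted, a dot-directory added.
    on_disk = {
        "usr/bin/ls": b"replaced ls\n",
        "usr/bin/ps": b"stock ps\n",
        ".something/toy": b"not from any package\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in on_disk.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_tree(root, parse_md5sums(trusted))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Files listed as unowned include legitimate local configuration and data, so that list is the starting point for manual review rather than a verdict.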
It's really good that you're happy with Windows at home.
And many of the people who have Windows at home and are spam zombies are also fairly happy with Windows. Until it becomes too laggy.
The average Windows user would not care how many viruses/trojans/worms were on his computer as long as it seemed to be performing okay for what he used it for.
Meanwhile, there are bot nets out there with 10,000+ compromised Windows machines on them.
The issue isn't what you are happy with. The issue is whether you are being used as an attack vector by someone else. And the statistics show that those boxes are home Windows users (99%+).
Sure, you can check the files that are part of the standard distribution.
Yep. And those are the ones that would be replaced by a rootkit.
That won't find additions to your password files or the similar permission files for half a dozen different programs that track who's authorized to do what...
It doesn't have to. Those should be easy to check manually.
You DO know what accounts are necessary on your systems, right?
...or find extra programs in root's home directory...
Why would there be any apps in /root? If you find any there, you delete them.
...or search path or /bin (such as a modified version of a file that's normally in /usr/bin, with the /usr/bin version left untouched),...
Sure it will. Every file there should be part of a package. All you have to do is have the system check which package each file belongs to.
Any files that don't belong to a package, you delete.
...and it won't find modified versions of files that get modified during the installation process,...
Such as? The files that get modified during installation are things like hostname and timezone and so forth. It's kind of hard to hide anything bad in those.
... and there are probably a bunch of other ways to hide things.
Nope. That's one of the reasons why package management systems are so good. They make it easy to validate every file on your machine.
So you have to start by reinstalling known good copies on a reformatted disk slice, and gradually recover things as you prove them safe.
Again, no you don't. Not with Debian.
I once found a directory /.something with cracker data on one of my lab honeypots - the cracker had modified "ls" and "ps" so his files and processes wouldn't be found, including all his little setuid toys.
Yep. That's pretty standard for a rootkit.
And those mods are instantly identifiable because they won't have the same checksum as the originals.
You'd probably find some of those things if you were using Knoppix to check, but you might not, since the evil processes were running with innocuous-looking names and the directory names started with dots.
Of course you would find them. They would show up as NOT belonging to any of the packages that are installed.
Many open source projects are mimics of commercially available software.
Yep. And many are not. The key item though is that ALL of the current commercial software products are also mimics of previous commercially available software or non-commercial software (the first text editors for example).
They were adopted because they were free for the most part - not because the source code was available.
Really? So you'd use a word processor that didn't work instead of one that did just because the one that didn't work was free (as beer)?
No? So the price is NOT the issue you claim it is.
If it doesn't work, then free (as beer) is still too expensive.
Very few people and companies customize the software or utilize the source code in any way.
Actually, 90%+ of the programmers work for companies that do not sell software.
They work for companies who do customize code or write in-house apps.
So, you're correct only if you count Maggie's Dog Grooming as one company and IBM as one company. And so what if you do? Your metric is meaningless in that case.
Like most critics, I'm not good at leading large companies. But I know good leadership when I see it. This guy Lutz has his head bolted on right.
I'll have to disagree with that. He made a good choice in going to Linux from Unix, but he did so in such a fucked up way that it was only Linux's technological goodness that saved him from being a poster boy for Microsoft's "Linux sucks" campaign.
Here, from TFA:
The decision not to focus more on testing came back to haunt them.
The CIO decided not to TEST the system correctly?
Frantic calls began coming in from some of the 44,000 travel agency locations in 116 countries that were unable to access Fares.
Their customers cannot access their new Linux system!
Lutz would not comment on the financial losses incurred by United or Galileo during the downtimes.
They were LOSING money with their new Linux system.
"In hindsight," says Lutz, "we shouldn't have tried to cut over to a new infrastructure at the same time we were deploying a new software application. It was too much at once."
This guy made novice-level mistakes and it was only because Linux is so good that this became a huge success rather than a terrible failure.
Rather than falling back to the old platform at the first signs of trouble and reworking the new one, the engineers always thought the answer was around the corner.
You always have a back-out plan. Always.
This guy took a huge risk... screwed it up royally... and was saved by IBM, Red Hat and Linux.
And the Linux system STILL saves him $$$MILLIONS$$$ every year and OUTPERFORMS his old system.
It's one thing when you're a genius CIO who plans and tests for every contingency and deploys a working Linux system.
It's a completely different thing when you don't BUT YOU STILL SUCCEED BECAUSE OF LINUX.
This story is important because it shows the average CIO that, even if you aren't a genius and you DO make mistakes, Linux can STILL save you barrels of money and make you LOOK like a genius.
Rice is also an expert on the former Soviet Union.
And in 2005, that is about as important as being an expert on Elizabethan England. Maybe you should include her best time on the Rubik's Cube, too.
I find Ms. Rice to be very impressive,...
I'm sure you do. And I'm also sure that you cannot name a single item that is "impressive" that she has accomplished since she was appointed to either of her jobs.
Do you know what "racist" means? Would you find her as "impressive" if she was a white woman?
How about "classist"? Would you find her as "impressive" if she were a rich white woman?
How about we wrap this up and check if you would find a rich white man as "impressive" with the same list of accomplishments since being appointed?
I didn't think so. And before you go off making claims about how you aren't racist, be sure you include specific accomplishments. No one cares about some rich white guy learning to play the piano.
I believe that if Rice were a Democrat, she'd be touted as the second coming of MLK.
You can believe whatever you want.
But, just maybe, you should look at what the differences between those two really are. Why don't you try naming them, other than one was a liberal and the other was not.
Those who cry about "no WMDs" generally aren't worth trying to educate about the war beyond their strict viewpoint.
The fact is, our current regime claimed over and over that Saddam had them and that we knew where they were.
How do they spell "lies" on your world?
I used to think liberals cared about human rights, but not when human rights are promoted by a Republican apparently.
How do you define "human rights"?
Is it okay if we only kill 1/10th the number of people that Saddam did as long as we're doing it as part of the "war on terror"?
How does killing innocent people equate to "human rights"?
And before you go off on how many people Saddam killed, you'd better be damn sure you want to start making comparisons between the USofA and a 3rd world tin-pot dictator.
Now ask yourself what the world would look like today if Microsoft avoided the BSD TCP/IP for their own implementation because of GPL concerns?
Okay.....
#1. Microsoft spends some time, money and programmer time doing a clean room implementation of the BSD stack. The only difference is Microsoft has a little bit less money and some programmers who REALLY understand TCP/IP.
#2. Microsoft doesn't do any work on their TCP/IP stack and they have security issues and performance issues with it.
Now if that is the case, there really is no need for the GPL, as companies who don't participate in this superior system (that is, take open source code and turn it into closed source) are in fact punishing themselves.
Open Source may be the best developmental model for technically superior code...
But just having technically superior code doesn't mean anything in the marketplace.
Check out the history of Gem OS or OS/2. Check out the marketshare of the various *BSD versions. Sure, their TCP/IP stack is getting heavy usage, but that's only because Microsoft is distributing it.
Is Microsoft hurting itself by NOT openly providing any improvements/enhancements for that TCP/IP stack? I don't see how.
And any non-Microsoft improvements that are released under that license can, quickly, be absorbed by Microsoft to improve Microsoft's products.
It all comes down to money and marketing. Microsoft has the money, they can afford the marketing.
Anyone want to bet that a survey of CxO's would show 100% recognize the "Microsoft" brand name but less than 10% would recognize "NetBSD" or "OpenBSD" and so forth?
Marketshare is important in getting to the point where enough DEVELOPERS (shades of Ballmer!) recognize the project and understand the license and still want to contribute.
http://spf.pobox.com/faq.html#whichfield So, this is implementation specific, but it seems that it will compare published SPF record of the domain in the FROM: or the return path with the fully qualified domain name of the sending machine (zombie123.earthlink.net yields "earthlink.net").
So, if the incoming email claims to be from/return-path taco@slashdot.org and slashdot.org publishes an SPF record, that SPF record had better list zombie123.earthlink.net as a legitimate mail server or it will fail.
What, specifically, happens when it fails is also up to the implementation.
The problem appears when taco@slashdot._org sends an email to my old college which offers forwarding services for alumni.
taco@slashdot._org sends to khasim@example._com
mail.example._com forwards that message to my gmail account.
mail.gmail._com checks the From:/return of slashdot._org and checks their SPF record for slashdot._org.
slashdot._org does not list any example._org boxes as a mail server so the message fails the SPF check.
Again, what happens at this point depends upon the implementation of SPF that is being used. It can range from increasing the SpamAssassin score to dropping the connection attempt.
Before the rush of posts about how this won't do anything about spam, this is not about spam. This is about stopping spammers from using your address which results in your email servers dealing with the mass of bounces and spam reports from clueless admins.
Of course, only the admins with a clue will correctly implement either of these so...
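The forwarding failure described in this comment, as an added example that is not part of the original post: a simplified SPF evaluator (only `ip4`/`ip6` and `all` mechanisms, no DNS) run over direct delivery, plain forwarding, and forwarding where the forwarder rewrites the envelope sender to its own domain, which goes one step beyond the case in the text. SPF as specified in RFC 7208 evaluates the connecting IP address against the record published by the envelope-sender (return-path) domain; the domains `origin.example` and `alumni.example`, the records and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "origin.example": "v=spf1 ip4:192.0.2.0/24 -all",    # the sending domain
    "alumni.example": "v=spf1 ip4:198.51.100.25 -all",   # the forwarder
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate client_ip against the domain's record, left to right."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists, redirect need DNS and are not modelled.
    return "neutral"


def receive(envelope_from, client_ip):
    """What the final receiver sees: envelope sender plus connecting IP."""
    domain = envelope_from.rsplit("@", 1)[1]
    return spf_check(domain, client_ip)


def scenarios():
    origin_mta = "192.0.2.10"       # listed in origin.example's record
    forwarder_mta = "198.51.100.25"  # alumni.example's outbound server
    return {
        # Origin server connects straight to the final receiver.
        "direct": receive("taco@origin.example", origin_mta),
        # Forwarder relays with the envelope sender unchanged: the receiver
        # checks origin.example's record against the forwarder's address.
        "forwarded": receive("taco@origin.example", forwarder_mta),
        # Forwarder rewrites the envelope sender to its own domain, so the
        # check runs against alumni.example's record instead.
        "forwarded_rewritten": receive(
            "fwd+taco=origin.example@alumni.example", forwarder_mta
        ),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```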
But only if you hold onto the stocks and the stocks pay dividends.
Otherwise, you're 100% accurate. The "buy low, sell high" stock market mantra is pure speculation and speculation just moves the existing money around without creating anything of value.
What happens is lots of money goes to a few people who spend lavishly on extravagant luxuries. That money comes from the many losers in that game.
And that is the problem with the current "investments" in the stock market. It's great when you're the winner, but there are far more losers than winners. No one likes to look at what happens if you aren't one of the winners.
When you start NOT COUNTING certain data points, you SKEW the results.
The government WANTS to skew the results so it can claim to be "improving" the "economy".
If the government is skipping homeless people and people who have given up looking for work because the jobs aren't out there, then the government is not reporting the situation correctly.
The theory is that people that do not have a job and have reached the end of unemployment benefits should not count as unemployed.
Okay...
They should not count because they are in a class of people that either will not accept the jobs that are available or have no useful skills for the current market.
But unemployment benefits do not exist in a vacuum. Those people had to have HAD jobs in the very recent past.
So, in the very recent past, they WERE willing to accept a job and their skills WERE useful.
Either way, they are not counted in unemployment because unemployment is more a measure of people that are likely to be useful in the workforce and are willing to fill a present economic need.
Again, they were considered "useful" in the very recent past.
By your "logic", there would never be any unemployment because the only people who would be counted as "unemployed" would have skills currently needed by business and a willingness to work for those businesses. So why would they not be hired by those businesses?
And before you talk about demanding too much money, the businesses would only have to offer them more than they'd make on unemployment.
Which doesn't leave much rationale for "unemployment".
So, just because you own your own business and the land it sits upon... the local government can kick you off if it BELIEVES that another BUSINESS can generate more tax revenue/jobs or whatever.
It never ceases to amaze that a large majority of the people on this board have an innate aversion to serve the country that has provided them with the most freedom and liberty of ANY government in the history of man.
"Country" and "government" and "freedom" and "liberty".
I can serve my country and still be opposed to the demands of our current government. Bush and Co have not done anything to increase my Freedom. At the moment, it is unclear whether they will have done anything to increase the Freedom of people in Afghanistan or Iraq.
EVERY American owes a debt of gratitude to every soldier, sailor, airman, marine, and coast guardsman who serves or has served this country.
Without them, you wouldn't be sitting here on slashdot spouting your displaced self-loathing.
You're a bit confused on this thing known as "history".
Because some people fought back in the Revolutionary War, does not mean that some mechanic in the Army is the reason I can type this.
Only the last couple of generations of Americans are so self-involved that they cannot see the DUTY, the OBLIGATION for every American to repay the debt and serve at least a 2-year commitment to their own country.
No. It is only the last couple of generations that have seen their current government use the military to further their own aims rather than to protect the USofA.
That's Islamic Fundamentalism, not "islamofacism".
It is very similar to the Christian Fundamentalists you see in the good ol' USofA.
We should get the best people we can in our military and we should train them hard, equip them with the best and only use them when we or our allies are invaded.
Right now we have a military where people are being held in, without the right equipment and being killed in a country that was no threat to us.
It takes a LOT more guts to stand up and say that the government is WRONG in that circumstance than to just go along rah-rah-rah support.
Listen folks, here's the deal. Many people are opposed to the war, both inside and outside of the military. This is inconsequential to this discussion.
No. You're wrong. There is a REASON that this war is BECOMING unpopular.
And tracking kids so the government can pressure them into fighting such a war is the PROBLEM.
The reality of the entire issue is this: We are a nation founded on revolution and war.
No. Look up "Boston Tea Party". Our country was founded upon the belief in certain Rights.
Our power in the world was won through superior military force.
Only recently. Before that, it was because of our vast natural resources and distance from the established armies of the other nations.
We are currently having difficulty in maintaining that force.
You might want to look at the Founding Fathers' views on a standing military.
Measures are being taken to resolve that issue. Period. Don't cry to me about big brother or dead children.
That sounds a bit too much like "the ends justify the means".
Look at the world around you and realize that the reason you enjoy your freedoms is because of the blood spilt by hundreds of thousands of Americans who paid the price for you.
Here's the flaw in that claim.
Because some people joined the military and fought and died for Freedom does not mean that everyone who dies in the military furthers Freedom.
Check out Kuwait. We "Freed" them from Iraqi invasion... but they still don't allow women to vote.
This "Freedom" thing is a bit tricky, no?
If people really don't want their children getting blown up, then don't vote for a president who will go to war so easily.
So people who didn't vote for Bush are exempt from this database?
If you are afraid of "big brother", don't use credit cards, save your money and pay for everything in cash.
And now you're into "blaming the victim".
Why not just make it illegal for those companies to collect that information on me?
Our modern society is productive because of our ability to exploit knowledge opportunities.
That can mean anything from filing a patent on your new, effective, cold fusion generator to filming your neighbor in the shower.
Now that it's being done for the defense of the country, people want to complain.
This is not about "defense of the country". Iraq was no threat to the USofA.
If a marketing company sent you a free box of Tide Detergent in the mail you wouldn't bitch, because you're greedy like that.
Getting a sample box of Tide == tracking kids to target them for recruitment
Right.
Well, you're being given freedom, and it's going to require some computers and research to get it done.
No one "gives" anyone else "Freedom".
And tracking kids is the OPPOSITE of Freedom.
No one forces the hand of the individual to sign the paper.
That is correct. But this isn't about forcing them to sign. This is about tracking them to specifically target them.
So shut up about all the crap, take a deep breath and try not to choke on the sweet air of freedom.
You use that word a lot, but I don't think you understand what it means.
Went to school? Thank a teacher.
Okay, but shouldn't I also thank the people who funded the school system and paid the teachers' salaries?
Scenario: I'm in college and the Pentagon collects all this info on me. I'm cool with it.
Anyway, I graduate and I'm having trouble getting a job and so on and I'm living at home.
I'd really like for my local recruiter to get a list of people who have recently graduated, but don't have a job and are still living at home and maybe even cross-index that with newly acquired debts (buy a car recently?) so he can call me up and offer me some free training and governmental help with those school loans.
Maybe even flag people in the database as the law enforcement agencies (yes, it can be shared with them) ask for checks on it. Like if you're in a traffic accident and your car is wrecked.
No, I see no possibility that this will be abused and lots of ways that it will help our young people through a trying time of personal and emotional maturing. Yes.
I'm sure that there will never be, under any circumstance, any "evaluation" of the criteria contained in that database to determine someone's "recruitability rating" similar to how your "credit rating" is determined now.
Again, so you claim. Yet the references I can post do not seem to support your claim.
Anyway, I've posted enough references for this. If you want to continue to claim that a number you pulled out of your ass is accurate, go for it. I've posted links to an actual newspaper.
Paperboys must be pulling in 6 figures on your world. suh-weet!
Each minor variation means that the old anti-virus signatures won't catch it.
So new signatures have to be downloaded.
The problem is that any error in that and you're vulnerable to these "new" viruses/trojans/worms.
The real problem is that the infection routes on Windows still haven't been closed.
You DO know what accounts are necessary on your systems, right?
Why would there be any apps in
Any files that don't belong to a package, you delete.
Such as? The files that get modified during installation are things like hostname and timezone and so forth. It's kind of hard to hide anything bad in those.
Nope. That's one of the reasons why package management systems are so good. They make it easy to validate every file on your machine.
Again, no you don't. Not with Debian.
Yep. That's pretty standard for a rootkit.
And those mods are instantly identifiable because they won't have the same checksum as the originals.
Of course you would find them. They would show up as NOT belonging to any of the packages that are installed.
It doesn't matter where they're hidden.
It doesn't matter what they're named.
All you have to do is to boot with a known good rescue CD (Knoppix is great for this).
Then you can mount the infected drive and validate the checksums against the packages available on the web.
This will not tell you anything about your data, but none of your data should be executable anyway, right?
The same goes for Red Hat or any other distribution that has checksums for both packages and files contained within those packages.
You can even completely re-install the kernel on a Debian system in this fashion.
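An added example (not the poster's own script) of the check described above: from a clean boot, compare every regular file under the mounted root against a trusted list of package checksums, and report files that differ or that no package accounts for. The function names, the `skip` list and the constructed sample files are assumptions; the manifest uses dpkg's `md5sums` line format and is assumed to have been built from packages fetched and verified separately.

```python
import hashlib
import os
import tempfile

def load_manifest(lines):
    """Parse dpkg-style md5sums lines: '<md5hex>  <path relative to />'."""
    manifest = {}
    for line in lines:
        if line.strip():
            digest, path = line.rstrip("\n").split(None, 1)
            manifest[os.path.normpath(path)] = digest.lower()
    return manifest

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def audit(root, manifest, skip=("home", "proc", "sys", "dev", "tmp")):
    """Classify regular files under root; skip lists top-level data/virtual dirs."""
    result = {"ok": [], "modified": [], "unowned": [], "missing": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and device nodes need a separate check
            rel = os.path.normpath(os.path.join(rel_dir, name))
            seen.add(rel)
            if rel not in manifest:
                result["unowned"].append(rel)    # no package accounts for it
            elif md5_of(full) == manifest[rel]:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)   # checksum differs from the package's
    result["missing"] = [p for p in manifest if p not in seen]
    return {key: sorted(paths) for key, paths in result.items()}

def demo():
    """Constructed sample: a fake mounted root with one stock, one altered, one stray file."""
    stock = {"bin/ls": b"stock ls", "bin/ps": b"stock ps", "bin/login": b"stock login"}
    trusted = ["%s  %s" % (hashlib.md5(data).hexdigest(), rel) for rel, data in stock.items()]
    on_disk = {"bin/ls": b"stock ls", "bin/ps": b"altered ps", "bin/.hidden": b"stray"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit(root, load_manifest(trusted))
```

Run against a real mount point (for example `audit("/mnt/foo", manifest)`), the `modified` and `unowned` lists are the portions to isolate for analysis; locally edited configuration files will appear there too and have to be reviewed by hand.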
No? So the price is NOT the issue you claim it is.
If it doesn't work, then free (as beer) is still too expensive.
Actually, 90%+ of the programmers work for companies that do not sell software.
They work for companies who do customize code or write in-house apps.
So, you're correct only if you count Maggie's Dog Grooming as one company and IBM as one company. And so what if you do? Your metric is meaningless in that case.
Here, from TFA:
The CIO decided not to TEST the system correctly?
Their customers cannot access their new Linux system!
They were LOSING money with their new Linux system.
This guy made novice-level mistakes and it was only because Linux is so good that this became a huge success rather than a terrible failure.
You always have a back-out plan. Always.
This guy took a huge risk
And the Linux system STILL saves him $$$MILLIONS$$$ every year and OUTPERFORMS his old system.
It's one thing when you're a genius CIO who plans and tests for every contingency and deploys a working Linux system.
It's a completely different thing when you don't BUT YOU STILL SUCCEED BECAUSE OF LINUX.
This story is important because it shows the average CIO that, even if you aren't a genius and you DO make mistakes, Linux can STILL save you barrels of money and make you LOOK like a genius.
You see, "the net" existed long before Microsoft took the BSD TCP/IP stack.
Windows machines on "the net" existed before Microsoft took the BSD TCP/IP stack.
At one time, I had THREE different, commercial IP stacks for Win3.1 on a machine.
So, your point could otherwise be stated as "water is wet" or "fire is hot". Great. But "defacto standards" aren't the topic here. Bye now.
Do you know what "racist" means? Would you find her as "impressive" if she was a white woman?
How about "classist"? Would you find her as "impressive" if she were a rich white woman?
How about we wrap this up and check if you would find a rich white man as "impressive" with the same list of accomplishments since being appointed?
I didn't think so. And before you go off making claims about how you aren't racist, be sure you include specific accomplishments. No one cares about some rich white guy learning to play the piano.
You can believe whatever you want.
But, just maybe, you should look at what the differences between those two really are. Why don't you try naming them, other than one was a liberal and the other was not.
The fact is, our current regime claimed over and over that Saddam had them and that we knew where they were.
How do they spell "lies" on your world?
How do you define "human rights"?
Is it okay if we only kill 1/10th the number of people that Saddam did as long as we're doing it as part of the "war on terror"?
How does killing innocent people equate to "human rights"?
And before you go off on how many people Saddam killed, you'd better be damn sure you want to start making comparisons between the USofA and a 3rd world tin-pot dictator.
#1. Microsoft spends some time, money and programmer time doing a clean room implementation of the BSD stack. The only difference is Microsoft has a little bit less money and some programmers who REALLY understand TCP/IP.
#2. Microsoft doesn't do any work on their TCP/IP stack and they have security issues and performance issues with it.
#3. any combination of the above.
What was your point?
But just having technically superior code doesn't mean anything in the marketplace.
Check out the history of Gem OS or OS/2. Check out the marketshare of the various *BSD versions. Sure, their TCP/IP stack is getting heavy usage, but that's only because Microsoft is distributing it.
Is Microsoft hurting itself by NOT openly providing any improvements/enhancements for that TCP/IP stack? I don't see how.
And any non-Microsoft improvements that are released under that license can, quickly, be absorbed by Microsoft to improve Microsoft's products.
It all comes down to money and marketing. Microsoft has the money, they can afford the marketing.
Anyone want to bet that a survey of CxO's would show 100% recognize the "Microsoft" brand name but less than 10% would recognize "NetBSD" or "OpenBSD" and so forth?
Marketshare is important in getting to the point where enough DEVELOPERS (shades of Ballmer!) recognize the project and understand the license and still want to contribute.
Microsoft's favorite tactics are "embrace, extend, extinguish".
This is far more difficult if you have to release the code for that "extend" under the same license that you got the original code.
If everyone can implement those same extensions, under the same license, then "extinguish" becomes far more difficult.
http://spf.pobox.com/faq.html#whichfield
So, this is implementation specific, but it seems that it will compare the published SPF record of the domain in the FROM: or the return path with the fully qualified domain name of the sending machine (zombie123.earthlink.net yields "earthlink.net").
So, if the incoming email claims to be from/return-path taco@slashdot.org and slashdot.org publishes an SPF record, that SPF record had better list zombie123.earthlink.net as a legitimate mail server or it will fail.
What, specifically, happens when it fails is also up to the implementation.
The problem appears when taco@slashdot._org sends an email to my old college which offers forwarding services for alumni.
taco@slashdot._org sends to khasim@example._com
mail.example._com forwards that message to my gmail account.
mail.gmail._com checks the From:/return of slashdot._org and checks their SPF record for slashdot._org.
slashdot._org does not list any example._org boxes as a mail server so the message fails the SPF check.
Again, what happens at this point depends upon the implementation of SPF that is being used. It can range from increasing the SpamAssassin score to dropping the connection attempt.
Before the rush of posts about how this won't do anything about spam, this is not about spam. This is about stopping spammers from using your address which results in your email servers dealing with the mass of bounces and spam reports from clueless admins.
...
Of course, only the admins with a clue will correctly implement either of these so
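The forwarding failure described above, as an added example that is not part of the original post: a small evaluator for the `ip4`/`ip6`/`all` subset of SPF, run for direct delivery, for the alumni forward, and (going slightly beyond the post) for a forwarder that rewrites the return path. The SPF records and IP addresses are constructed from documentation ranges, and the example assumes the receiver checks the return-path domain's record against the connecting server's IP address.

```python
import ipaddress

# Constructed SPF records using documentation address ranges; domain names are from the post.
SPF_RECORDS = {
    "slashdot.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate the sender domain's record against the connecting IP (ip4/ip6/all only)."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "permerror"  # a, mx, include, ... are outside this subset
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"

def forwarding_scenario():
    slashdot_mx, forwarder = "192.0.2.25", "198.51.100.7"  # constructed addresses
    return {
        # slashdot.org's own server delivers straight to the recipient
        "direct": check_spf(slashdot_mx, "taco@slashdot.org"),
        # mail.example.com relays to Gmail and keeps the original return path
        "forwarded": check_spf(forwarder, "taco@slashdot.org"),
        # same relay, but the forwarder rewrites the return path to its own domain
        "rewritten": check_spf(forwarder, "khasim@example.com"),
    }
```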
But only if you hold onto the stocks and the stocks pay dividends.
Otherwise, you're 100% accurate. The "buy low, sell high" stock market mantra is pure speculation and speculation just moves the existing money around without creating anything of value.
http://www.bell.lib.umn.edu/Products/tulips.html
What happens is lots of money goes to a few people who spend lavishly on extravagant luxuries. That money comes from the many losers in that game.
And that is the problem with the current "investments" in the stock market. It's great when you're the winner, but there are far more losers than winners. No one likes to look at what happens if you aren't one of the winners.
DAMN! Finally someone who UNDERSTANDS statistics!
When you start NOT COUNTING certain data points, you SKEW the results.
The government WANTS to skew the results so it can claim to be "improving" the "economy".
If the government is skipping homeless people and people who have given up looking for work because the jobs aren't out there, then the government is not reporting the situation correctly.
So, in the very recent past, they WERE willing to accept a job and their skills WERE useful.
Again, they were considered "useful" in the very recent past.
By your "logic", there would never be any unemployment because the only people who would be counted as "unemployed" would have skills currently needed by business and a willingness to work for those businesses. So why would they not be hired by those businesses?
And before you talk about demanding too much money, the businesses would only have to offer them more than they'd make on unemployment.
Which doesn't leave much rationale for "unemployment".
So, just because you own your own business and the land it sits upon ... the local government can kick you off if it BELIEVES that another BUSINESS can generate more tax revenue/jobs or whatever.
And a nice big FUCK YOU from the US Supreme Court.
I can serve my country and still be opposed to the demands of our current government. Bush and Co have not done anything to increase my Freedom. At the moment, it is unclear whether they will have done anything to increase the Freedom of people in Afghanistan or Iraq.
Bullshit. Just putting on a uniform is NOT enough to earn respect.
http://archives.cnn.com/2002/US/10/24/muhammad.pr
You're a bit confused on this thing known as "history".
Because some people fought back in the Revolutionary War, does not mean that some mechanic in the Army is the reason I can type this.
No. It is only the last couple of generations that have seen their current government use the military to further their own aims rather than to protect the USofA.
That's Islamic Fundamentalism, not "islamofacism".
It is very similar to the Christian Fundamentalists you see in the good ol' USofA.
We should get the best people we can in our military and we should train them hard, equip them with the best and only use them when we or our allies are invaded.
Right now we have a military where people are being held in, without the right equipment and being killed in a country that was no threat to us.
It takes a LOT more guts to stand up and say that the government is WRONG in that circumstance than to just go along rah-rah-rah support.
No. You're wrong. There is a REASON that this war is BECOMING unpopular.
And tracking kids so the government can pressure them into fighting such a war is the PROBLEM.
No. Look up "Boston Tea Party". Our country was founded upon the belief in certain Rights.
Only recently. Before that, it was because of our vast natural resources and distance from the established armies of the other nations.
You might want to look at the Founding Fathers' views on a standing military.
That sounds a bit too much like "the ends justify the means".
Here's the flaw in that claim.
... but they still don't allow women to vote.
Because some people joined the military and fought and died for Freedom does not mean that everyone who dies in the military furthers Freedom.
Check out Kuwait. We "Freed" them from Iraqi invasion
This "Freedom" thing is a bit tricky, no?
So people who didn't vote for Bush are exempt from this database?
And now you're into "blaming the victim".
Why not just make it illegal for those companies to collect that information on me?
That can mean anything from filing a patent on your new, effective, cold fusion generator to filming your neighbor in the shower.
This is not about "defense of the country". Iraq was no threat to the USofA.
Getting a sample box of Tide == tracking kids to target them for recruitment
Right.
No one "gives" anyone else "Freedom".
And tracking kids is the OPPOSITE of Freedom.
That is correct. But this isn't about forcing them to sign. This is about tracking them to specifically target them.
You use that word a lot, but I don't think you understand what it means.
Okay, but shouldn't I also thank the people who funded the school system and paid the teachers' salaries?
You are, of course, aware tha
Scenario: I'm in college and the Pentagon collects all this info on me. I'm cool with it.
Anyway, I graduate and I'm having trouble getting a job and so on and I'm living at home.
I'd really like for my local recruiter to get a list of people who have recently graduated, but don't have a job and are still living at home and maybe even cross-index that with newly acquired debts (buy a car recently?) so he can call me up and offer me some free training and governmental help with those school loans.
Maybe even flag people in the database as the law enforcement agencies (yes, it can be shared with them) ask for checks on it. Like if you're in a traffic accident and your car is wrecked.
No, I see no possibility that this will be abused and lots of ways that it will help our young people through a trying time of personal and emotional maturing. Yes.
I'm sure that there will never be, under any circumstance, any "evaluation" of the criteria contained in that database to determine someone's "recruitability rating" similar to how your "credit rating" is determined now.
Really? Yet the majority of articles I see in the paper http://seattlepi.nwsource.com/ seem to have an API or UP byline http://seattlepi.nwsource.com/national/apus_story
Again, so you claim. Yet the references I can post do not seem to support your claim.
Anyway, I've posted enough references for this. If you want to continue to claim that a number you pulled out of your ass is accurate, go for it. I've posted links to an actual newspaper.
Paperboys must be pulling in 6 figures on your world. suh-weet!