Slashdot Mirror


User: TCM

TCM's activity in the archive.

Stories
0
Comments
916

Comments · 916

  1. Re:Permissions? on Microsoft Bypasses HOSTS File · · Score: 1

    There are helpful examples right in the Windows DDK.

    I can already see it: Microsoft is removing documentation to protect users.

  2. Re:Is this necessarily a bad thing? on Microsoft Bypasses HOSTS File · · Score: 1

    A saying comes to mind: "Linux is for people who hate Windows. BSD is for people who love UNIX." :)

  3. Re:Well on Microsoft Bypasses HOSTS File · · Score: 2, Insightful

    Upon further thinking, this whole article is flawed and perverted.

    "Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file."

    I already said why that's stupid anyway.

    "All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware."

    Well, malware authors are just going to replace the resolver function instead of aiming for the easier target. If they can replace entries in the hosts file, they have sufficient privileges anyway.

    "However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

    That's really far-fetched. Let me see: Most users use their Windows as root-equivalent because of sucky software and because they don't know any better. Spyware can replace the hosts file to block access to Microsoft's auto-update because users are root. So instead of fixing the fundamental problem, Microsoft does what it does best: kludges, bandaids, bullshit. And now suddenly this is viewed as a "competitive advantage"?! Remember people: don't attribute to malice what can be explained with stupidity.

    To me this is only proof again that anything related to Windows is a swamp of bad design, ugly hacks and inconsistencies. I wouldn't construct an evil intent on Microsoft's side here. It's just their usual incompetence.

  4. Well on Microsoft Bypasses HOSTS File · · Score: 1

    I don't know if it's been said already, but using the hosts file to reliably "block" anything is a very stupid idea to begin with.

    The hosts file is there to provide name-to-address translation for crucial hosts which might be needed before DNS is available. It has no features like pattern matching or blocking by address range, because that's entirely out of its scope.

    Another side effect of abusing the hosts file is ambiguous errors. Because access to ad servers in the hosts file is not "blocked" but rather redirected to 127.0.0.1, you are twisting semantics about why this or that URL doesn't work now.

    If you need to block networks/URLs by pattern and for HTTP only, you should use a proxy like squid.

    I won't even begin to rant how using the hosts file for more than 1 computer is phenomenally stupid. Seriously, the guy who came up with this abuse should be severely beaten over with a cluestick.

    </rant>

  5. Re:Make this as broad as possible on Support for U.S. Mandatory Data Retention Laws · · Score: 1

    This is a very dangerous thing to suggest. Do you really think this is done to catch criminals?

    What will happen is not

        Wow, we have so much data. I don't even know where to begin looking for a criminal.

    but instead

        Now that we have so much data, let's see if we can find something that can get my political/corporate/private opponent into some trouble.

    Power corrupts. Always.

  6. MOD PARENT WAY UP on Support for U.S. Mandatory Data Retention Laws · · Score: 1

    n/t

  7. Re:Yes. on VPN Solutions for Distributed Installations? · · Score: 1

    OpenVPN to the rescue again. It has options to specify the peer by name instead of IP address. Together with options to periodically ping the peer and re-resolve its name upon timeout, you can even establish VPN connections between two peers with dynamic addresses, as long as they both have a fixed name, e.g. *.dyndns.org.

  8. Re:Easier on VPN Solutions for Distributed Installations? · · Score: 2, Insightful

    I disagree, it's quite a hack. Personally, I use a script that gets invoked whenever a new PPPoE connection is established. From there, I do an update to a DNS server.

    Voila, DNS is my "db", I don't run a script every minute and still get better time granularity, because the update is only done when a state change on the interface occurs.

  9. Re:one word... Hamachi on VPN Solutions for Distributed Installations? · · Score: 1

    Right, isn't Hamachi using a central point which you don't control? I wouldn't want to send any data - let alone sensitive data - over such a "VPN".

    This might be adequate for gamers and equally "sophisticated" user groups. Using it for a company? Bad idea.

  10. Re:Tinc on VPN Solutions for Distributed Installations? · · Score: 1

    DON'T use tinc, CIPE, vtun or PPTP!

    http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

    Really, OpenVPN must be the best thing since sliced bread. Runnable as non-user, chrootable, interfacing with standard tun/tap devices, certs. None of the complexity of IPsec. I love it.

    My 266MHz Geode WRAP can handle 6Mbps which is enough to connect a LAN wirelessly. Faster boxes should handle more than that, despite someone else saying 5Mbps would be a limit.

  11. As I said... on The .EU Landrush Fiasco · · Score: 0

    Just as I said here.

  12. Re:Other info that would have been nice... on Over 1 Million .eu Domains and Counting · · Score: 2, Interesting

    Indeed. I know people who made the mistake of going with the big players, only to find out that their wanted names had been taken as soon as 6 minutes after the start of Landrush.

    Even hours later, 1&1 hadn't registered names that were still free. 18 and a half hours(!) later those names were finally registered.

    Smaller registrars were said to have completed their whole(!) procedure after 17 minutes of the start.

  13. Re:Vmware? on An Interview with 180 Solutions · · Score: 1

    Or, taking it a step further, use Systrace which eliminates the need to run e.g. OpenNTP in a chroot. It even eliminates the need to run it as root to bind to *:123.

    With Systrace, you can define what each application can do on the system call level and with pattern matching on their arguments. You could even run OpenNTP as user nobody and provide an exception in the policy that raises its uid to 0 for the duration of the bind() system call only.

    Cool stuff. Wasn't really aware of it although it has existed for years now.

  14. Re:djbdns on DDoS Attacks Via DNS Recursion · · Score: 3, Informative

    BIND9 has a concept called views. Views are separate sets of option{}; and zone{}; scopes based on client address or destination address or even something else.

    It's very easy to define an external zone without recursion and some master zones and an internal zone that recurses. This also has the benefit of split caches. If you just disabled recursion for some clients in a "single-zone" BIND, you still are "vulnerable" to information leakage where external clients can probe your cache for records.

    http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#view_statement_grammar

  15. Re:How is this different from on Firefox's Ping Attribute: Useful or Spyware? · · Score: 2, Informative

    Is the concern that the 'ping' comes from your browser and not any proxy server you may be using?

    That would be incredibly stupid if they did it that way. Every request the browser makes should adhere to the proxy settings. Most of the time, a proxy is not optional but mandatory.

    In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....

    Quite the contrary. Most of the time, if people are to use a proxy, it's because their clients are _not_ allowed direct access via NAT. I think the case that proxy = NAT box is very rare and uncommon.

  16. Re:TOR on Anonym.OS a Boon for Privacy Geeks? · · Score: 2, Insightful

    An important thing to note is that Tor provides IP-based anonymity, not privacy. It _only_ helps to hide your IP address. If you send the password for your anonymous e-mail account in cleartext, the last node can intercept it. Actually, when I was running a Tor node, I sniffed people's traffic to see what they were doing. That didn't help me know _who_ the person was, unless he posted his name in cleartext somewhere. This is something you should expect. Tor nodes are random people with unknown interests. That someone is running a Tor node does not mean they don't look at the data you send.

    I'll say it again: the encryption in Tor does _not_ hide your payload. It only serves to hide your IP address.

    If you use Tor, use encryption on the upper layer.

  17. Re:Too bad no one using it can comment on Anonym.OS a Boon for Privacy Geeks? · · Score: 1

    Do I hear a subliminal tone of anti-anonymity? The important thing with anonymity is to expect and tolerate the trolls, not to condemn anonymity for it. One day you will be glad you stuck through the trolls when you really have something to say, but can't do it freely anymore.

    OTOH, if you never have anything important to say.. well, you might as well be anti-anonymity.

  18. Re:Interesting? How about a DECENT one? on Benchmarking Linux Filesystems Part II · · Score: 1

    * Ext3 does a sync() every 5 seconds. This is because ext3 developers are paranoid about your data and prefer to care about your data than win on benchmarks. Syncing every 5 seconds ensures you don't lose more than 5 seconds of work but it hurts on benchmarks. Other filesystems don't do it; if you are doing a FAIR comparison, override the default with the "commit" mount option.

    Is it just me or does this sound like a ridiculously ugly approach to data integrity?

  19. Re:Donate, I did! on Wikipedia Founder Releases Personal Appeal · · Score: 2, Insightful

    LOL! You don't really think PayPal would do anything that benefits a customer? Nice dream world you have there.

    I'm surprised they don't lock up the donations completely without any reason.

    http://www.paypalsucks.com/

  20. Re:Most importantly: THERE IS A FIX on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    An MD5 checksum (not signature) in a non-signed message is useless. It's just unprofessional to spread source/binaries without any means to cryptographically check their correctness.

  21. Re:Most importantly: THERE IS A FIX on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    Nowhere did I see any cryptographic signature regarding this patch. As it stands, it could be all made up.

    And my point still holds. To a novice this is no different than any spam advertising the "latest hotfix". Telling users that untested, unofficial patches are OK to apply is a bad thing, even if Bill Gates himself distributed them unsigned via his personal blog.

  22. Re:Most importantly: THERE IS A FIX on New IM Worm Exploiting WMF Vulnerability · · Score: 0, Troll

    Quick, everyone! Download an executable from a totally unrelated third-party site with "blog" in its name! Look! I even got the patch in my mail before I knew it existed!

  23. Re:Another GOOD reason not to run IM! on New IM Worm Exploiting WMF Vulnerability · · Score: 1

    IM is "instant", offers logging of communications and doesn't require somebody to check their email (it pops up on their screen).

    That's what IRC is for.

  24. Re:Come on... on Makers · · Score: 2, Insightful

    Why should the category be duplicated in the title? It sounds like either you or Slashdot need to fix something RSS-related so that the category gets prefixed to the title. On the front page it looks OK via HTML.

  25. Re:mutually exclusive? on NetBSD's Crypto-Graphic Disk · · Score: 1

    Could you stop spreading bullshit if you obviously have no clue? Thank you very much.