Some industries do make it a standard to disable firewalls on everything except perimeter devices. Networking talent is rare in these industries so it makes a certain amount of economic sense. You might be surprised to hear that SCADA and industrial control are one of the industries where this is common.
It's not totally crazy, either. If you know what would happen if anything were ever to get on your internal network, you're going to be more diligent than usual about letting things on it. If you put all your eggs in the perimeter firewall basket and it's pretty good, then what's the problem?
Well, here's a big difference: the guy running your water plant is way different than the minimum wage guy you have running the till. The cashier has more incentive to attack the system, especially if he can get away with running a skimmer without getting caught. But the cashier has physical access to the system for several hours per day! What's the firewall going to do to stop him? He can just reboot the machine into an OS he controls, then turn off the firewall by writing to the disk directly.
There's another more important problem: if SQL Server Express is involved then I'll bet the PoS app is doing cleartext database writes, which might include credit card transactions in the future. If that's the case, the firewall has to be configured to allow these writes in cleartext. Mr. skimmer guy just needs to put a tap inline with the register's network port to get all this data, firewall or not. The app is the problem here.
Security is a people problem. Think about your staff and your vendors and choose them wisely. Until that's done pontificating about firewall best practices probably shouldn't be your first priority.
Have you given any thought to what slashdot might look like far, far down the road? I recently had to make continuation plans for a community machine I maintain, and it occurred to me that it's possible that the machine will be running similar software decades from now. The only thing that would force me to replace the box would be the Unix time_t rollover in 2038, so I made plans to move to a 64-bit kernel now, which put my planning horizon far past 2038.
One of the things that box does is pull slashdot's RSS feed. What do you think slashdot will look like in 2038? Do you think that slashdot will still be running a LAMP stack then? And finally, what disaster continuation plans are in place for slashdot?
Linksys makes a new WRT series router, the WRTSL54GS, with a USB 2.0 port. By loading a distribution like OpenWRT on it, you can attach a Linux-supported webcam to it and make some CGIs to be served up by one of the available web servers for OpenWRT.
Asus also makes some OpenWRT compatible routers, the WL-500g series, which also have USB ports, but you can serve up webcam images using the default Asus firmware.
My user account (SID) on my x64 windows machine at home isn't in the administrator group, and I occasionally run into problems. Most software works ok, though.
The typical problem is that the programmer or software architect didn't account for user-specific config settings. Just like on unix, Windows lets you keep user-specific stuff in the user's profile. However, Windows has the ability to synchronize the user's profile across the network -- including the HKEY_CURRENT_USER subkey from the registry, so it's not as simple as just writing a bunch of stuff to a dotfile.
The WinNT kernel actually has an entire subsystem in its executive layer dedicated to handling its elaborate permission system: the security manager. It isn't nearly as easy to learn as the unix permission system, but it is capable of doing some pretty nifty things, like creating audit entries every time someone accesses a driver endpoint, or requiring someone to be logged onto the system console before allowing them to do something.
The problem is that it's just like xlib: you'd have to be crazy to use the APIs directly. So, programmers have the option of either:
A) Write hundreds of lines of code to implement graceful fallback using those APIs to test whether a privilege is available (and gracefully handle errors that occur when calling those APIs), or
B) Write one line of code to call MessageBox() and throw up a dialog telling the user they're boned if some API fails and GetLastError() returns 5 (access denied).
Both ways will result in working software -- as long as the user is running as administrator. Your typical profit-oriented software house doesn't have any financial incentive to help the users run with least privilege, so they nearly always choose option B if they have a choice about it. This is why a lot of people hold a grudge against certain application packages for throwing up incomprehensible error messages. It's not that the programmers don't know how to do it right, it's just that they don't want to.
As a specific example, Cadence's capture product for EE work will throw up this helpful dialog if you don't have write access to the HKLM registry key, which is only writable by the Administrator and LocalSystem users by default.
By the way, the poster's use of the word "root" is a little misleading. In Windows terms, "root" is really the LocalSystem user, which has full access to everything, including \Device\PhysicalMemory and other juicy objects. The Administrator user has the ability to escalate privileges to LocalSystem, but it requires a few extra steps.
As far as helper software goes, there are only two things you need to know: the RUNAS command and the *.MSC files. The *.MSC files are Microsoft Management Console profiles, which are used by MMC to throw up dialogs like Local Users and Groups (lusrmgr.msc), Disk Management (diskmgmt.msc), and Device Manager (devmgmt.msc). You can even run them from the run dialog or the command prompt, since the MSC extension is associated with the MMC program by default. Go try it, I'll wait.
But how does this help you if you don't have privileges to modify disks or devices? Enter the RUNAS command. If you've heard of sudo, you can think of this as sudo for Windows. In fact, I usually do this on Windows boxen where I'm non-root:
C:\>cd %userprofile%
C:\Documents and Settings\myself>mkdir bin && cd bin
C:\Documents and Settings\myself\bin>copy CON SUDO.CMD
@ECHO OFF
REM sudo -- run program as administrator
runas /user:administrator %*
^Z
1 file(s) copied.
C:\Documents and Settings\myself\bin>sudo "mmc devmgmt.msc"
Enter the password for administrator: *************
Attempting to start mmc devmgmt.msc as user "MYBOX\myself"...
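Option A above does not have to be hundreds of lines. The following is an added example, not code from the original comment: a small Python sketch of the graceful-fallback pattern, which tries the machine-wide location first and, when the OS refuses, silently falls back to the per-user location instead of throwing up a dialog. The file name app.ini and the two directories are hypothetical; on Windows the analogous pair is HKLM or %ProgramData% versus HKCU or %APPDATA%, and the access-denied case (GetLastError() returning 5) surfaces in Python as PermissionError.

```python
import stat
import tempfile
from pathlib import Path

APP_FILE = "app.ini"  # hypothetical config file name used by this example


def save_config(machine_dir, user_dir, text):
    """Try the machine-wide directory first; fall back to the per-user one.

    On Windows an access-denied failure (GetLastError() == 5) surfaces as
    PermissionError.  OSError is caught so that read-only media or a missing
    volume take the same fallback path.  Returns (scope, path_written).
    """
    last_error = None
    for scope, base in (("machine", Path(machine_dir)), ("user", Path(user_dir))):
        try:
            base.mkdir(parents=True, exist_ok=True)
            target = base / APP_FILE
            target.write_text(text)
            return scope, str(target)
        except OSError as exc:
            last_error = exc  # remember why, then try the next scope
    # Both locations failed: now, and only now, is it time for an error dialog.
    raise last_error


def demo():
    """Run save_config against a constructed read-only 'machine' directory."""
    with tempfile.TemporaryDirectory() as tmp:
        machine = Path(tmp) / "machine"
        user = Path(tmp) / "user"
        machine.mkdir()
        machine.chmod(stat.S_IRUSR | stat.S_IXUSR)  # r-x: writes refused (unless root)
        try:
            scope, _path = save_config(machine, user, "[settings]\nverbose=1\n")
        finally:
            machine.chmod(stat.S_IRWXU)  # let TemporaryDirectory clean up
        return scope


if __name__ == "__main__":
    print("config written at scope:", demo())
```

The point is the shape, not the size: one loop over candidate scopes, one exception handler, and the user only sees an error when every scope has failed.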
Because the Intel compiler actually generates multiple copies of routines, then figures out which one to call at run-time based on a processor detection routine they stick in the program. Example:
[thalakan@shaitan ~]> icc -axKWNPB -c test5.c -o test5.o
test5.c(3) : (col. 16) remark: main has been targeted for automatic cpu dispatch.
[thalakan@shaitan ~]> nm test5.o
00000000 r _2il0floatpacket.1
00000008 r _2il0floatpacket.3
00000020 r _2il0floatpacket.5
00000028 r _2il0floatpacket.7
         U __intel_cpu_indicator
         U __intel_cpu_indicator_init
         U __intel_proc_init
00000000 T main
000000f2 t main.A <-- SSE version
00000028 t main.H <-- x87 version
         U printf
         U rand
         U targets
         U time
[thalakan@shaitan ~]>
The remark about automatic CPU dispatch is the compiler notifying you it's going to generate multiple copies of the routine.
...
# bc
107376 * 8    <- convert to bits per second
859008
last/5        <- account for 5 second sampling
171801
4000000/last  <- how many fit into 4 Mbps?
23
So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worst case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.
But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.
The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.
The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
Wrong. The SSE instruction set includes several instructions for doing vector integer ops, such as average and multiplication. These things are a huge speed win even in "average" applications, as the game compiler developer noted above. If you don't believe me, fire up a profiler and look at how much time an office app or web browser spends doing rectangle intersection calculations and TrueType font math.
Also, there aren't nearly enough people using MOVNTDQ to avoid polluting the instruction pipeline and dumping useless garbage into the system cache. If you're copying stuff into main memory and you aren't going to use it for a while, use MOVNTDQ to get a big speed win. If you do need it cached, use MOVDQA to get both caching and 128 bit transfers in one instruction! We all paid for these fancy schmancy new instructions in our processors, and it's extremely annoying to see programmers not use them.
Verizon Express Network, Sprint Vision, TCP/IP over AX.25 to a regional gate, Ricochet (San Diego), a parabolic long shot to a nearby 802.11 gateway, and/or a modem.
- D-Link DCS-2000 for video and audio monitoring (on loan from Joe of via.net while I write some stream decoders for it)
- Mini-ITX system for mass storage and system control
- Kenwood TM-D700A radio with integral TNC and APRS tx/rx
- Various microcontrollers to interface with the CAN network in the car, ignition, environment sensors, fire suppression, booster rockets, weapon systems, etc
- GPS of the week
- A backup computer which is more power hungry than the mini-itx guy but is built like a tank; it serves as flight recorder in case a booster ignition event goes awry
- Whatever other computers I lugged out to the car (and bothered to plug in) this month because I couldn't find space for them anywhere else
I had a rather power hungry PC based wireless/3G/APRS/AX.25 router in my car for a while which I used to serve Internet at conventions and such. I recently replaced it with the WRT54G and the sveasoft firmware, which has several benefits:
- The WRT54G only uses a few watts, whereas the PC based router spiked at 300W during startup and consumed north of 60W at idle and south of 100W during load. I also lost between 10-30% of the power due to conversion losses from the DC-AC-DC conversion through the auto inverter, since I couldn't find a good ATX power supply that ran on DC that I could couple to the car's batteries...
- The WRT54G has dual antenna jacks that I don't need to buy delicate adapters or pigtails for. I couple them directly to the jacks on twin high gain 2.4GHz dipole magmounts on the roof of the car, which gives me way better reception than I was getting from the orinoco, a pigtail, and a single one of the same antennas.
- Speaking of reception, kismet has been ported to the WRT54G! I don't need to screw around with the orinoco patches or hack my prism2 cards to add an antenna jack; it just works. I currently feed wifi data from the WRT54G to another computer which actually merges the GPS data with the wifi data from the WRT54G, because the WRT54G only has 4MB flash and 32K NVRAM for persistent storage, and you have to solder a USB serial chipset to the WRT54G PCB to add a serial port to it (for reading GPS's NMEA output); it doesn't come with one.
- Now that sveasoft added dropbear to their latest firmware, you can ssh into the device and run wakeonlan to power up other devices on your network remotely. This is seriously cool shit; I park my car, it associates with my home AP in client mode and shows up on my home network. I can then ssh into the WRT54G to power up the other computers in the car using wakeonlan to transfer files to them (transfer rate is somewhere around 1 megabyte per second in my environment), start the car, use the TNC in the car's ham radio, etc. I had to turn off the PC based router I was using before because it would drain the deep cycle marine batteries I'm using to power the car computers in an hour or two at load, but now I can leave the WRT54G on for a few days before the batteries even get low.
- If I forget where I parked my car, the antennas I'm using for the WRT54G are +6dBi, so I can pull out something with 802.11{b,g} and warwalk the parking lot looking for a strong signal from the WRT54G:)
- It's only $80 brand new around here in the bay area, which is damn cheap for a low power 200MHz Linux box with 16MB of memory, FIVE ethernet jacks, your choice of DC or AC power, pretty lights, official vendor provided source code for the firmware, an active community hacking on it, and a 802.11g capable wifi chipset with diversity antennas in form factor half the size of the smallest mini-ITX machine you can possibly get. And they're on the used market for prices approaching numbers that make me want to say it's close to disposable pricing. Heh, disposable routers:)
Actually, what everyone refers to as "Windows" now was actually introduced in 1993.
VMS, which is still used (and will continue to be used) for many industrial control applications was introduced in 1978, and VMS itself was based on a few prior operating systems such as the RSX-11* family.
I'm consulting for an industrial control firm that installed and maintains some of the industrial control stuff over there at Newport News, and it's all done with proprietary stuff like VMS, and most of the other systems on that net are Windows based. There's not any open source stuff at all on that subnet as far as I can tell (except maybe for whatever parts of the GNU toolchain end up in the images Cisco distributes for their routers).
Although some industrial control and SCADA firms are moving towards porting their stuff to Linux, many customers are very opposed to anything without 20+ years of history behind it. They all seem to be very opposed to this idea of hiring non-vendor people to support their software or to depend on software with a planned lifespan of less than 10 years or so. I think they'd have a revolt on their hands if they forced the city infrastructure departments to use open source stuff, based on the comments I've heard from some of the people working on the project.
The reason is this thing called TCQ, or tagged command queuing.
See, for several years now, the old cylinder/head/sector way of addressing the drive has had very little resemblance to the drive's actual cylinders, heads, and sectors. This is because of BIOS constraints and other software limitations. So we have this thing called logical addressing (LBA) which treats the disk as one big one-dimensional line of sectors in a row.
So when you want to do I/O to a disk, the operating system usually uses a thing called an elevator algorithm to sort the I/O packets by their logical address in the hopes that reading the blocks in order will be faster than reading them out of order. Example: imagine a disk with 10 blocks. Which do you think would be faster? 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 or 1, 10, 2, 9, 3, 7, etc?
But the thing is that the logical address has nothing to do with how the sectors are actually laid out on the disk. Remember, a disk is a stack of pancakes, not a bunch of sectors on a string. But without some kind of way of interrogating the disk's geometry and rewriting all the elevator algorithms in our favorite operating systems, we can't know what the optimal order is for our particular disk.
So why not have the disk re-order the I/O packets? This is the idea behind TCQ. What happens is the kernel bundles up a bunch of I/O requests and sends them to the disk all at once, and the disk services them in the order it thinks is best based on its knowledge of the geometry of the hard disk platters. This makes a bunch of little I/O operations to random locations a lot faster, and explains the Maildir behavior this guy is seeing.
So although older ATA disks are going to get their ass kicked by SCSI systems with TCQ enabled, we have new serial ATA disks that actually support TCQ! My brand new Western Digital Raptor 10K RPM disk doesn't support it though - you'll have to wait a few weeks for a new drive from Seagate which is supposed to be the first one on the market to support SATA TCQ.
In terms of throughput, SCSI disks usually win if you're buying quality parts. But the price of two ATA disks and a RAID controller is usually a lot less than a really big SCSI disk of the same size, so you can slap two ATA disks together and end up getting close to double the throughput for less than the cost of the SCSI system, as long as you're willing to have sucky random I/O for lots of small files. It's a great technique to use for video servers.
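As an added illustration (not from the original comment), here is a toy Python model of the two reorderings described above: the kernel's elevator sort by logical address, which knows nothing about the platters, and a drive-side reordering of the same batch that does know the geometry and the current rotational position. The geometry, the cost model and the request list are all constructed for this example; the greedy shortest-access-time-first pick is one simple stand-in for whatever policy a real TCQ-capable drive uses.

```python
SEEK_COST_PER_CYL = 10  # time units per cylinder of head movement (constructed model)


class Disk:
    """Toy disk: LBA -> (cylinder, head, sector) plus a service-time model.

    The mapping is the classic one the OS assumes; a real drive's zoned
    recording and remapped sectors make the true layout invisible to the host,
    which is exactly why the drive itself is the better place to reorder.
    """

    def __init__(self, heads=2, sectors_per_track=8):
        self.heads = heads
        self.spt = sectors_per_track

    def geometry(self, lba):
        cyl = lba // (self.heads * self.spt)
        head = (lba // self.spt) % self.heads
        sector = lba % self.spt
        return cyl, head, sector

    def step_cost(self, pos, lba):
        """Seek (proportional to cylinder delta) plus the rotational wait until
        the target sector passes under the head; head switches are treated as
        free.  Returns (cost, new_position)."""
        cyl, _, sector = self.geometry(lba)
        cur_cyl, cur_sector = pos
        seek = SEEK_COST_PER_CYL * abs(cyl - cur_cyl)
        rotate = (sector - cur_sector) % self.spt
        return seek + rotate, (cyl, sector)

    def service_cost(self, order, start=(0, 0)):
        """Total time to serve the requests in the given order."""
        total, pos = 0, start
        for lba in order:
            cost, pos = self.step_cost(pos, lba)
            total += cost
        return total

    def elevator_order(self, lbas):
        """What the kernel does: sort by logical address, geometry unknown."""
        return sorted(lbas)

    def drive_reorder(self, lbas, start=(0, 0)):
        """What a TCQ-capable drive can do with the same batch: repeatedly pick
        the request that is cheapest from the head's current cylinder and
        rotational phase (greedy shortest-access-time-first)."""
        pending, pos, order = list(lbas), start, []
        while pending:
            best = min(pending, key=lambda lba: self.step_cost(pos, lba)[0])
            pending.remove(best)
            _, pos = self.step_cost(pos, best)
            order.append(best)
        return order


def compare(disk=None, requests=(40, 3, 41, 20, 5), start=(0, 4)):
    """Service cost of a constructed batch in arrival order, kernel elevator
    order and drive-side order, starting with the head at cylinder 0 sector 4."""
    disk = disk or Disk()
    return {
        "arrival": disk.service_cost(requests, start),
        "elevator": disk.service_cost(disk.elevator_order(requests), start),
        "drive": disk.service_cost(disk.drive_reorder(requests, start), start),
    }


if __name__ == "__main__":
    for name, cost in compare().items():
        print(f"{name:9s} {cost}")
```

With the constructed batch the elevator already cuts the cost of arrival order by more than half, and the drive-side order shaves a further rotational wait off that because it serves sector 5 before sector 3 while the head is already past sector 4. Sorting by LBA gets the seeks right; only the drive knows where the platter is.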
I spent 3 years at the Fry's Corporate Headquarters as a consultant doing various Linux stuff for them. Note that this does NOT mean I worked for Fry's in the sense that I'm a drooling moron who can't tie his shoelaces without instructions. Actually, even that description is a bit inaccurate; Fry's has a videoconferencing network set up where vendors give technical product information to the sales associates so they at least have some foundation of knowledge with which to answer technical customer questions. I suspect that the popular perception of their associates comes from the fact that retail shops only exist because people want to feel superior or special somehow, and the folks on slashdot are at some extreme of the personality spectrum where they feel some overriding need to talk down to people at Fry's, or something. The associates in Fremont and Sunnyvale (the highest grossing store in the chain) actually know stuff like whether a motherboard will take DDR or what this onboard IDE raid thing means, for example; they're not all complete morons, especially now that they're picking up semi-technical people who got hit when the bubble burst.
One day at the corporate office when I was doing the ISP thing for them (John Fry had a hard-on for doing an ISP because he wants to be in some business with low-cost recurring service revenue, or something), they drop one of these boxes in my lap and said "give me your opinion of this thing". So I poke around and find out that it's a cheapo Asian Linux distribution with the then-amazing Linux port of PowerDVD so users could play DVDs on their Linux machine. Someone else and I grabbed a random sample DVD from the buyer's cubicles (an awful horror movie iirc) and tried to play it - worked mostly fine.
Then they wanted me to come up with installation procedures for Windows on the machines. I asked them why so I would have some context, and John did everything but say outright that they wanted to sell a machine that people could put their own operating system on. The reason why is because Fry's has this low price leader mentality where they feel something's wrong unless they have the lowest price on a certain product, and the Windows tax is applied pretty equally among the large computer manufacturers. The idea is that they could undercut everyone if they had a computer without an operating system... the fact that we were going to be supplying something with the machines (a set of instructions for installing Windows on the machines) demonstrated how important this was to them, because as a rule Fry's doesn't sell anything except what the vendor sticks in the box.
Regarding the posts about how there are people in the buying chain who understand Linux - yes, there are. There was a buyer who did do mainly Linux stuff, and had little stuffed penguins spread around his desk all the time. I was in there a lot asking about whether we would be carrying various things, or letting him know where he can get stuff from Loki to put on the shelves. At one point, they actually stuck the Wasabi distribution of NetBSD on the shelves, although it didn't sell very well.
Linux is actually pretty important for Fry's - at one point they were selling more of it than Windows, although I'm not sure that's still true now that the "hobbyist" feel is fading. The fact that Linux was outselling Windows was one of the main driving factors for Fry's to start sticking various infrastructure systems on Linux instead of Netware or Windows, which is what they've run in the past. They're still mostly Netware or Windows, but they're looking real hard at moving parts of outpost.com (their online sales group) onto Linux from Oracle/BEA/Solaris.
On Thu, Jul 17, 2003 at 10:01:07PM +0100, Rory Browne wrote: > [is unhappy about our license enforcement]
I'm sorry you feel that way. It's not personal. We'll protect our code just like you will protect yours. This community is very aggressive at protecting their work; look at the recent fuss over the Linksys device that was using Linux. Nobody got upset at the enforcement of the GPL and nobody should get upset at us enforcing our license.
It's not personal, don't take it that way, it wasn't intended that way.
I first saw it mentioned at Black Hat 2002 in Vegas last year. The idea was that you would create fake session tokens for web applications and then monitor them for access by applications trying to brute force the session token values.
I mentioned it to a web developer who said that the idea has actually been implemented in some of the large e-commerce sites he's worked on.
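The scheme described above, as an added example in Python that is not part of the original comment or of any particular site's code: a session store that mints a few decoy ("honeytoken") session IDs with the same generator and format as real ones but never issues them, so that any request presenting one must have been guessed or forged. The detection logic flags a source on a single decoy hit and, as a backstop for a brute-forcer that never lands on a decoy, on a burst of unknown tokens. The IP addresses, users and traffic are all constructed.

```python
import secrets
from collections import Counter

TOKEN_BYTES = 16  # 128-bit session IDs; decoys use the same generator and format


class SessionStore:
    """Live sessions plus a pool of decoy session IDs that are never issued.

    Because the decoys are minted with the same generator as real tokens, an
    attacker walking the token space cannot tell them apart; any request that
    presents one was forged or guessed, never legitimately obtained.
    """

    def __init__(self, decoy_count=3):
        self.sessions = {}  # token -> user
        self.decoys = {secrets.token_hex(TOKEN_BYTES) for _ in range(decoy_count)}
        self.alerts = []  # (source_ip, token) for every decoy hit

    def issue(self, user):
        token = secrets.token_hex(TOKEN_BYTES)
        self.sessions[token] = user
        return token

    def classify(self, token, source_ip):
        """Return 'valid', 'honeytoken' (and record an alert) or 'unknown'."""
        if token in self.decoys:
            self.alerts.append((source_ip, token))
            return "honeytoken"
        if token in self.sessions:
            return "valid"
        return "unknown"


def flag_sources(store, requests, unknown_threshold=20):
    """Return the set of source IPs to block or investigate.

    A single decoy hit is conclusive.  A source that sends unknown_threshold
    or more unknown tokens is flagged as well; legitimate clients send at most
    a handful (an expired cookie or two).
    """
    unknown = Counter()
    flagged = set()
    for ip, token in requests:
        verdict = store.classify(token, ip)
        if verdict == "honeytoken":
            flagged.add(ip)
        elif verdict == "unknown":
            unknown[ip] += 1
            if unknown[ip] >= unknown_threshold:
                flagged.add(ip)
    return flagged


def demo():
    """Constructed traffic: one real user, one stale cookie, one enumerator."""
    store = SessionStore(decoy_count=5)
    alice = store.issue("alice")
    requests = [("10.0.0.5", alice)] * 3  # normal browsing
    requests.append(("10.0.0.9", secrets.token_hex(TOKEN_BYTES)))  # one stale cookie
    # The enumerator sends 10 guesses (well under the threshold) and then trips a decoy.
    requests += [("203.0.113.7", secrets.token_hex(TOKEN_BYTES)) for _ in range(10)]
    requests.append(("203.0.113.7", next(iter(store.decoys))))
    return flag_sources(store, requests), len(store.alerts)


if __name__ == "__main__":
    flagged, alerts = demo()
    print("flagged:", flagged, "decoy hits:", alerts)
```

The decoys cost nothing to keep and produce no false positives, which is what makes the signal attractive compared with the rate-based backstop alone; a real deployment would feed the alert list to whatever blocks or rate-limits the source.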
This scene with the monkey arm in Silicon Valley is uncannily prescient. I can't believe no one has mentioned this yet:
https://youtu.be/1KaWPYOLuT8
PowerShell. The only tool that knows how to talk to all the different frameworks in Windows is PowerShell. No other tool can talk to .NET, COM, WMI, native APIs (via P/Invoke), and external stdio based tools. If you can't do the automation you want using something in one of the above frameworks, you've got bigger problems than finding a good automation tool.
Since the test guy usually has to be a part time sysadmin too, you should be aware of these tools:
System update readiness tool: http://support.microsoft.com/kb/947821/en-us
WMI diagnostic utility: http://www.microsoft.com/downloads/en/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en
gplogview: http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=BCFB1955-CA1D-4F00-9CFF-6F541BAD4563
Windows SDK (including debugging tools for windows): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=35AEDA01-421D-4BA5-B44B-543DC8C33A20
ollydbg: http://www.ollydbg.de/
sysinternals suite: http://technet.microsoft.com/en-us/sysinternals/bb842062
Windows Management Framework: http://support.microsoft.com/kb/968929
WDK: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
WAIK: http://www.microsoft.com/downloads/en/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en
Windows 7 SP1 WAIK supplement: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0AEE2B4B-494B-4ADC-B174-33BC62F02C5D
If XP is involved, check out Windows SteadyState. It's like Deep Freeze, if you've ever used that. qemu is also a great way to boot test machines and capture output at scale; using CoW disks you can have fresh machines every time you boot regardless of whether the test machines are XP or not.
Lockheed Martin recently put out a press release about their magnetic communications system (MCS), which works at distances of up to half a mile through solid rock:
http://www.popsci.com/technology/article/2010-08/lockheed-develops-magnetic-communication-mine-safety
Although the MCS probably uses large coils and low wavelengths on both sides to achieve that impressive distance, typical RFID cards have small coils. To make up for this, very strong digitally controlled magnetic fields could be used to couple to a coil from far away. For example, see this implementation of a static 0.7 tesla magnet:
http://www.technologyreview.com/biomedicine/25527/page1/
A strong enough, highly directional magnetic field and a sensitive enough detector could couple all the way to the theoretical maximum distance permitted by the RFID card's frequency. Like the MCS, that distance is one third the wavelength of 125 kHz (1.5 miles), or half a mile.
Have you given any thought to what slashdot might look like far, far down the road? I recently had to make continuation plans for a community machine I maintain, and it occurred to me that it's possible that the machine will be running similar software decades from now. The only thing that would force me to replace the box would be the Unix time_t rollover in 2038, so I made plans to move to a 64-bit kernel now, which put my planning horizon far past 2038.
One of the things that box does is pull slashdot's RSS feed. What do you think slashdot will look like in 2038? Do you think that slashdot will still be running a LAMP stack then? And finally, what disaster continuation plans are in place for slashdot?
Linksys makes a new WRT series router, the WRTSL54GS, with a USB 2.0 port. By loading a distribution like OpenWRT on it, you can attach a Linux-supported webcam to it and make some CGIs to be served up by one of the available web servers for OpenWRT.
Asus also makes some OpenWRT compatible routers, the WL-500g series, which also have USB ports, but you can serve up webcam images using the default Asus firmware.
My user account (SID) on my x64 windows machine at home isn't in the administrator group, and I occasionally run into problems. Most software works ok, though.
The typical problem is that the programmer or software architect didn't account for user-specific config settings. Just like on unix, Windows lets you keep user-specific stuff in the user's profile. However, Windows has the ability to synchronize the user's profile across the network -- including the HKEY_CURRENT_USER subkey from the registry, so it's not as simple as just writing a bunch of stuff to a dotfile.
The WinNT kernel actually has an entire subsystem in its executive layer dedicated to handling its elaborate permission system: the security manager. It isn't nearly as easy to learn as the unix permission system, but it is capable of doing some pretty nifty things, like creating audit entries every time someone accesses a driver endpoint, or requiring someone to be logged onto the system console before allowing them to do something.
The problem is that it's just like xlib: you'd have to be crazy to use the APIs directly. So, programmers have the option of either:
A) Write hundreds of lines of code to implement graceful fallback using those APIs to test whether a privilege is available (and gracefully handle errors that occur when calling those APIs), or
B) Write one line of code to call MessageBox() and throw up a dialog telling the user they're boned if some API fails and GetLastError() returns 5 (access denied).
Both ways will result in working software -- as long as the user is running as administrator. Your typical profit-oriented software house doesn't have any financial incentive to help the users run with least privilege, so they nearly always choose option B if they have a choice about it. This is why a lot of people hold a grudge against certain application packages for throwing up uncomprehensible error messages. It's not that the programmers don't know how to do it right, it's just that they don't want to.
As a specific example, Cadence's capture product for EE work will throw up this helpful dialog if you don't have write access to the HKLM registry key, which is only writable by the Administrator and LocalSystem users by default.
By the way, the poster's use of the word "root" is a little misleading. In Windows terms, "root" is really the LocalSystem user, which has full access to everything, including \Device\PhysicalMemory and other juicy objects. The Administrator user has the ability to escalate privileges to LocalSystem, but it requires a few extra steps.
As far as helper software goes, there are only two things you need to know: the RUNAS command and the *.MSC files. The *.MSC files are Microsoft Management Console profiles, which are used by MMC to throw up dialogs like Local Users and Groups (lusrmgr.msc), Disk Management (diskmgmt.msc), and Device Manager (devmgmt.msc). You can even run them from the run dialog or the command prompt, since the MSC extension is associated with the MMC program by default. Go try it, I'll wait.
But how does this help you if you don't have privileges to modify disks or devices? Enter the RUNAS command. If you've heard of sudo, you can think of this as sudo for Windows. In fact, I usually do this on Windows boxen where I'm non-root:
C:\>cd %userprofile%
...
C:\Documents and Settings\myself>mkdir bin && cd bin
C:\Documents and Settings\myself\bin>copy CON SUDO.CMD
@ECHO OFF
REM sudo -- run program as administrator (%* passes every argument through to runas)
runas /user:administrator %*
^Z
1 file(s) copied.
C:\Documents and Settings\myself\bin>sudo "mmc devmgmt.msc"
Enter the password for administrator: *************
Attempting to start mmc devmgmt.msc as user "MYBOX\myself"
C:\Documents and Settings\myself\bin>
Then the de
The IFS can be ordered here:
http://www.microsoft.com/whdc/devtools/ifskit/ServerIFSKitOrderinfo.mspx
It isn't free, but the current price of $109 is a lot cheaper than the $900 it used to be:
http://web.archive.org/web/20041012080008/http://
Pathscale's EKOPath is the compiler I see most performance-oriented folks use for AMD64 platforms. It knows about EM64T too.
So the peak scan bandwidth of a really noisy nmap scan is about 100 kilobits per second, and you would have to have 23 simultaneous scans being performed in the absolute worst-case scenario to max out your link. If your router's external interface was actually replying to these scans, you would notice problems at somewhere less than this, say, 20 simultaneous scans. The actual number of scans you could endure before noticing it is much, much higher than this, because I used -T5 to make nmap really noisy (not typical for k1ddi3s scanning), and I took the peak bandwidth instead of the average bandwidth for my calculations.
But I'm a Comcast customer and I don't see anywhere near that level of scanning. I see a few port scans a day, plus the usual worm remnants. Sometimes someone will get a bug up their ass and scan me repeatedly, but that's still just a few scans in a row. This is much, much lower than the 4 Mbit capacity of the throttled rx queue on my cable modem.
The other thing that makes scans an unlikely root cause of your connectivity problem is that Comcast's security department would certainly go after anyone who was scanning one of their customers that hard, and possibly install filters to keep from having to pay their transit suppliers for all that bandwidth.
The most likely explanation is that the problem is a simple misconfiguration, such as a misconfigured DNS setting or a P2P app running on your machine. The P2P apps in particular will cause intermittent problems loading web pages, which sounds like what you're experiencing.
Wrong. The SSE instruction set includes several instructions for doing vector integer ops, such as average and multiplication. These things are a huge speed win even in "average" applications, as the game compiler developer noted above. If you don't believe me, fire up a profiler and look at how much time an office app or web browser spends doing rectangle intersection calculations and TrueType font math.
Also, there aren't nearly enough people using MOVNTDQ to avoid polluting the instruction pipeline and dumping useless garbage into the system cache. If you're copying stuff into main memory and you aren't going to use it for a while, use MOVNTDQ to get a big speed win. If you do need it cached, use MOVDQA to get both caching and 128 bit transfers in one instruction! We all paid for these fancy schmancy new instructions in our processors, and it's extremely annoying to see programmers not use them.
> Why would anyone ever use a linked list?
me@mybox:/usr/src/linux$ find . | xargs grep -Is LIST_HEAD | wc -l
720
According to a post on neowin:
Filename: WindowsXP-KB835935-SP2-ENU.exe
MD5: 59A98F181FE383907E520A391D75B5A7
The one I'm getting on a torrent has a SHA1 hash of:
GOUP55QNJCXB6LCP52RHCENPLTWKHRHW
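The post gives the two digests in different encodings: the MD5 as hex and the torrent's SHA1 as base32. Below is an added example (my code, not the poster's) that checks a downloaded file against both, converting the base32 form to the hex that checksum tools print. The file path argument and the sample bytes in the usage are constructed; the digest values are the ones quoted above.

```python
import base64
import hashlib
from typing import Dict

# Published values copied from the post above (not recomputed here).
PUBLISHED_MD5_HEX = "59A98F181FE383907E520A391D75B5A7"
PUBLISHED_SHA1_BASE32 = "GOUP55QNJCXB6LCP52RHCENPLTWKHRHW"


def base32_sha1_to_hex(b32: str) -> str:
    """BitTorrent clients often show a SHA1 as 32 base32 characters; most
    checksum tools print 40 hex characters. Convert the former to the latter."""
    raw = base64.b32decode(b32.strip().upper())
    if len(raw) != 20:
        raise ValueError("expected a 20-byte SHA1, got %d bytes" % len(raw))
    return raw.hex()


def hex_sha1_to_base32(hex_digest: str) -> str:
    """Inverse of base32_sha1_to_hex, for comparing against a torrent's display form."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 20:
        raise ValueError("expected a 20-byte SHA1, got %d bytes" % len(raw))
    return base64.b32encode(raw).decode("ascii")


def file_digests(data: bytes, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """MD5 and SHA1 of the data, computed in one chunked pass so a
    service-pack-sized file is only walked once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for off in range(0, len(data), chunk_size):
        block = data[off:off + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_published(data: bytes, md5_hex: str, sha1_b32: str) -> Dict[str, bool]:
    """Which of the two published digests does this file agree with?"""
    got = file_digests(data)
    return {
        "md5": got["md5"] == md5_hex.lower(),
        "sha1": got["sha1"] == base32_sha1_to_hex(sha1_b32),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python verify.py WindowsXP-KB835935-SP2-ENU.exe  (path is the user's own)
        with open(sys.argv[1], "rb") as f:
            print(matches_published(f.read(), PUBLISHED_MD5_HEX, PUBLISHED_SHA1_BASE32))
    else:
        print("torrent SHA1 in hex:", base32_sha1_to_hex(PUBLISHED_SHA1_BASE32))
```

Two digests agreeing is stronger than one, but a hash posted on a forum only protects against corruption and against tampering by someone who could not also edit the forum post; and both MD5 and SHA1 are collision-weak today, so a vendor-signed file is the better anchor where one exists.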
Verizon Express Network, Sprint Vision, TCP/IP over AX.25 to a regional gate, Ricochet (San Diego), a parabolic long shot to a nearby 802.11 gateway, and/or a modem.
YHBQ. HTH. HAND.
> What do the computers in your car do?
At the moment, the list looks like:
- D-Link DCS-2000 for video and audio monitoring (on loan from Joe of via.net while I write some stream decoders for it)
- Mini-ITX system for mass storage and system control
- Kenwood TM-D700A radio with integral TNC and APRS tx/rx
- Various microcontrollers to interface with the CAN network in the car, ignition, environment sensors, fire suppression, booster rockets, weapon systems, etc
- GPS of the week
- A backup computer which is more power hungry than the mini-itx guy but is built like a tank; it serves as flight recorder in case a booster ignition event goes awry
- Whatever other computers I lugged out to the car (and bothered to plug in) this month because I couldn't find space for them anywhere else
I had a rather power hungry PC based wireless/3G/APRS/AX.25 router in my car for a while which I used to serve Internet at conventions and such. I recently replaced it with the WRT54G and the sveasoft firmware, which has several benefits:
- The WRT54G only uses a few watts, whereas the PC based router spiked at 300W during startup and consumed north of 60W at idle and south of 100W during load. I also lost between 10-30% of the power due to conversion losses from the DC-AC-DC conversion through the auto inverter, since I couldn't find a good ATX power supply that ran on DC that I could couple to the car's batteries...
- The WRT54G has dual antenna jacks that I don't need to buy delicate adapters or pigtails for. I couple them directly to the jacks on twin high gain 2.4GHz dipole magmounts on the roof of the car, which gives me way better reception than I was getting from the orinoco, a pigtail, and a single one of the same antennas.
- Speaking of reception, kismet has been ported to the WRT54G! I don't need to screw around with the orinoco patches or hack my prism2 cards to add an antenna jack; it just works. I currently feed wifi data from the WRT54G to another computer which actually merges the GPS data with the wifi data from the WRT54G, because the WRT54G only has 4MB flash and 32K NVRAM for persistent storage, and you have to solder a USB serial chipset to the WRT54G PCB to add a serial port to it (for reading GPS's NMEA output); it doesn't come with one.
- Now that sveasoft added dropbear to their latest firmware, you can ssh into the device and run wakeonlan to power up other devices on your network remotely. This is seriously cool shit; I park my car, it associates with my home AP in client mode and shows up on my home network. I can then ssh into the WRT54G to power up the other computers in the car using wakeonlan to transfer files to them (transfer rate is somewhere around 1 megabyte per second in my environment), start the car, use the TNC in the car's ham radio, etc. I had to turn off the PC based router I was using before because it would drain the deep cycle marine batteries I'm using to power the car computers in an hour or two at load, but now I can leave the WRT54G on for a few days before the batteries even get low.
- If I forget where I parked my car, the antennas I'm using for the WRT54G are +6dBi, so I can pull out something with 802.11{b,g} and warwalk the parking lot looking for a strong signal from the WRT54G
- It's only $80 brand new around here in the bay area, which is damn cheap for a low power 200MHz Linux box with 16MB of memory, FIVE ethernet jacks, your choice of DC or AC power, pretty lights, official vendor provided source code for the firmware, an active community hacking on it, and a 802.11g capable wifi chipset with diversity antennas in a form factor half the size of the smallest mini-ITX machine you can possibly get. And they're on the used market for prices approaching numbers that make me want to say it's close to disposable pricing. Heh, disposable routers
Yes, and I have one. It runs Windows 9x pretty well. Apple has a page about it.
Actually, what everyone refers to as "Windows" now was actually introduced in 1993. VMS, which is still used (and will continue to be used) for many industrial control applications was introduced in 1978, and VMS itself was based on a few prior operating systems such as the RSX-11* family.
I'm consulting for an industrial control firm that installed and maintains some of the industrial control stuff over there at Newport News, and it's all done with proprietary stuff like VMS, and most of the other systems on that net are Windows based. There's not any open source stuff at all on that subnet as far as I can tell (except maybe for whatever parts of the GNU toolchain end up in the images Cisco distributes for their routers).
Although some industrial control and SCADA firms are moving towards porting their stuff to Linux, many customers are very opposed to anything without 20+ years of history behind it. They all seem to be very opposed to this idea of hiring non-vendor people to support their software or to depend on software with a planned lifespan of less than 10 years or so. I think they'd have a revolt on their hands if they forced the city infrastructure departments to use open source stuff, based on the comments I've heard from some of the people working on the project.
The reason is this thing called TCQ, or tagged command queuing.
See, for several years now, the old cylinder/head/sector way of addressing the drive has had very little resemblance to the drive's actual cylinders, heads, and sectors. This is because of BIOS constraints and other software limitations. So we have this thing called logical addressing (LBA) which treats the disk as one big one-dimensional line of sectors in a row.
So when you want to do I/O to a disk, the operating system usually uses a thing called an elevator algorithm to sort the I/O packets by their logical address in the hopes that reading the blocks in order will be faster than reading them out of order. Example: imagine a disk with 10 blocks. Which do you think would be faster? 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 or 1, 10, 2, 9, 3, 7, etc?
But the thing is that the logical address has nothing to do with how the sectors are actually laid out on the disk. Remember, a disk is a stack of pancakes, not a bunch of sectors on a string. But without some kind of way of interrogating the disk's geometry and rewriting all the elevator algorithms in our favorite operating systems, we can't know what the optimal order is for our particular disk.
So why not have the disk re-order the I/O packets? This is the idea behind TCQ. What happens is the kernel bundles up a bunch of I/O requests and sends them to the disk all at once, and the disk services them in the order it thinks is best based on its knowledge of the geometry of the hard disk platters. This makes a bunch of little I/O operations to random locations a lot faster, and explains the Maildir behavior this guy is seeing.
So although older ATA disks are going to get their ass kicked by SCSI systems with TCQ enabled, we have new serial ATA disks that actually support TCQ! My brand new Western Digital Raptor 10K RPM disk doesn't support it though - you'll have to wait a few weeks for a new drive from Seagate which is supposed to be the first one on the market to support SATA TCQ.
In terms of throughput, SCSI disks usually win if you're buying quality parts. But the price of two ATA disks and a RAID controller is usually a lot less than a really big SCSI disk of the same size, so you can slap two ATA disks together and end up getting close to double the throughput for less than the cost of the SCSI system, as long as you're willing to have sucky random I/O for lots of small files. It's a great technique to use for video servers.
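The elevator argument above, as an added worked example (my code, not the poster's, and not any kernel's I/O scheduler): a SCAN/elevator sort over a batch of requests, run once the way the OS does it (by logical block) and once the way a TCQ-capable drive can do it (by physical track). The geometry is constructed: blocks map to tracks one-for-one except one block the drive has quietly remapped to a spare track, which is exactly the kind of thing the OS-side sort cannot know about.

```python
from typing import Callable, List, Sequence

# Constructed toy geometry: logical block N sits on track N, except that one
# block has been remapped by the drive to a distant spare track. The OS only
# sees logical addresses; the drive knows where the block really lives.
REMAPPED_LBA = 6
SPARE_TRACK = 50


def track_of(lba: int) -> int:
    """Physical track for a logical block under the hypothetical geometry."""
    return SPARE_TRACK if lba == REMAPPED_LBA else lba


def head_travel(start_track: int, order: Sequence[int],
                geometry: Callable[[int], int] = track_of) -> int:
    """Total head movement, in tracks, to service the requests in this order."""
    total, pos = 0, start_track
    for lba in order:
        t = geometry(lba)
        total += abs(t - pos)
        pos = t
    return total


def elevator_order(head: int, direction: int, requests: Sequence[int],
                   key: Callable[[int], int] = lambda lba: lba) -> List[int]:
    """SCAN/elevator scheduling: service everything ahead of the head in its
    current direction in sorted order, then reverse and sweep back for the rest.
    'key' is the coordinate being sorted on: the LBA when the OS does the
    sorting, the physical track when the drive does it (the TCQ case)."""
    if direction not in (1, -1):
        raise ValueError("direction must be +1 or -1")
    ahead = [r for r in requests if (key(r) - head) * direction >= 0]
    behind = [r for r in requests if (key(r) - head) * direction < 0]
    ahead.sort(key=key, reverse=(direction < 0))
    behind.sort(key=key, reverse=(direction > 0))
    return ahead + behind


# Ten requests arriving in a zig-zag, like the post's "1, 10, 2, 9, 3, ..." case.
ZIGZAG = [1, 10, 2, 9, 3, 8, 4, 7, 5, 6]


def compare_orders(requests: Sequence[int] = ZIGZAG, head: int = 1) -> dict:
    """Head travel for arrival order, the OS's LBA elevator, and the drive's
    track elevator. The head starts on track 1, which is also LBA 1 here."""
    os_order = elevator_order(head, +1, requests)                  # sorts by LBA
    drive_order = elevator_order(head, +1, requests, key=track_of)  # sorts by track
    return {
        "arrival": head_travel(head, requests),
        "os_lba_sorted": head_travel(head, os_order),
        "drive_track_sorted": head_travel(head, drive_order),
    }


if __name__ == "__main__":
    for name, travel in compare_orders().items():
        print("%-20s %3d tracks" % (name, travel))
```

With the remap in place the LBA-sorted order actually travels further than the arrival order, because it walks the head out to the spare track and straight back in the middle of the sweep; sorting by the real track, which only the drive can do, roughly halves the travel.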
I spent 3 years at the Fry's Corporate Headquarters as a consultant doing various Linux stuff for them. Note that this does NOT mean I worked for Fry's in the sense that I'm a drooling moron who can't tie his shoelaces without instructions. Actually, even that description is a bit inaccurate; Fry's has a videoconferencing network set up where vendors give technical product information to the sales associates so they at least have some foundation of knowledge with which to answer technical customer questions. I suspect that the popular perception of their associates comes from the fact that retail shops only exist because people want to feel superior or special somehow, and the folks on slashdot are at some extreme of the personality spectrum where they feel some overriding need to talk down to people at Fry's, or something. The associates in Fremont and Sunnyvale (the highest grossing store in the chain) actually know stuff like whether a motherboard will take DDR or what this onboard IDE raid thing means, for example; they're not all complete morons, especially now that they're picking up semi-technical people who got hit when the bubble burst.
One day at the corporate office when I was doing the ISP thing for them (John Fry had a hard-on for doing an ISP because he wants to be in some business with low-cost recurring service revenue, or something), they drop one of these boxes in my lap and said "give me your opinion of this thing". So I poke around and find out that it's a cheapo Asian Linux distribution with the then-amazing Linux port of PowerDVD so users could play DVDs on their Linux machine. Someone else and I grabbed a random sample DVD from the buyer's cubicles (an awful horror movie iirc) and tried to play it - worked mostly fine.
Then they wanted me to come up with installation procedures for Windows on the machines. I asked them why so I would have some context, and John did everything but say outright that they wanted to sell a machine that people could put their own operating system on. The reason why is because Fry's has this low price leader mentality where they feel something's wrong unless they have the lowest price on a certain product, and the Windows tax is applied pretty equally among the large computer manufacturers. The idea is that they could undercut everyone if they had a computer without an operating system... the fact that we were going to be supplying something with the machines (a set of instructions for installing Windows on the machines) demonstrated how important this was to them, because as a rule Fry's doesn't sell anything except what the vendor sticks in the box.
Regarding the posts about how there are people in the buying chain who understand Linux - yes, there are. There was a buyer who did do mainly Linux stuff, and had little stuffed penguins spread around his desk all the time. I was in there a lot asking about whether we would be carrying various things, or letting him know where he can get stuff from Loki to put on the shelves. At one point, they actually stuck the Wasabi distribution of NetBSD on the shelves, although it didn't sell very well.
Linux is actually pretty important for Fry's - at one point they were selling more of it than Windows, although I'm not sure that's still true now that the "hobbyist" feel is fading. The fact that Linux was outselling Windows was one of the main driving factors for Fry's to start sticking various infrastructure systems on Linux instead of Netware or Windows, which is what they've run in the past. They're still mostly Netware or Windows, but they're looking real hard at moving parts of outpost.com (their online sales group) onto Linux from Oracle/BEA/Solaris.
Note that this post predates the slashdot post by two days.
---
From: Larry McVoy (lm@bitmover.com)
Subject: Re: BK Licence: Protocols and Research
Newsgroups: linux.kernel
Date: 2003-07-17 15:10:09 PST
On Thu, Jul 17, 2003 at 10:01:07PM +0100, Rory Browne wrote:
> [is unhappy about our license enforcement]
I'm sorry you feel that way. It's not personal. We'll protect our code just like you will protect yours. This community is very aggressive at protecting their work, look at the recent fuss over the Linksys device that was using Linux. Nobody got upset at the enforcement of the GPL and nobody should get upset at us enforcing our license.
It's not personal, don't take it that way, it wasn't intended that way.
---
I first saw it mentioned at Black Hat 2002 in Vegas last year. The idea was that you would create fake session tokens for web applications and then monitor them for access by applications trying to brute force the session token values.
I mentioned it to a web developer who said that the idea has actually been implemented in some of the large e-commerce sites he's worked on.
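The scheme described in the two posts above, as an added illustration (my code, not the poster's and not any e-commerce site's implementation): a session store that plants decoy session ids alongside the real ones and alerts whenever a request presents one, since no legitimate client was ever issued that value. The token format, client addresses and alert threshold are constructed for the example; the 4-hex-digit token space in the demo exists only so that enumeration finishes quickly.

```python
import secrets
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional


class SessionStore:
    """Session store with decoy ("honeytoken") session ids.

    Decoys come from the same generator as real tokens, so from outside they
    are indistinguishable, but they are never handed to a client. A request
    presenting one cannot be a legitimate user: it is guessing, enumeration,
    or replay of a harvested token list."""

    def __init__(self,
                 token_factory: Callable[[], str] = lambda: secrets.token_hex(16),
                 decoys: Iterable[str] = (),
                 alert_threshold: int = 20):
        self._new_token = token_factory
        self.sessions: Dict[str, str] = {}          # token -> user
        self.decoys = set(decoys)                   # tokens never issued
        self.bad_by_ip: Dict[str, int] = defaultdict(int)
        self.alerts: List[dict] = []
        self.alert_threshold = alert_threshold

    def seed_decoys(self, n: int) -> None:
        """Plant decoys until n are in place, drawn from the real token generator."""
        while len(self.decoys) < n:
            self.decoys.add(self._new_token())

    def issue(self, user: str) -> str:
        """Create a real session, never reusing a decoy or a live token."""
        tok = self._new_token()
        while tok in self.decoys or tok in self.sessions:
            tok = self._new_token()
        self.sessions[tok] = user
        return tok

    def lookup(self, tok: str, client_ip: str) -> Optional[str]:
        """Resolve a presented token, recording evidence of guessing on failure."""
        user = self.sessions.get(tok)
        if user is not None:
            return user
        if tok in self.decoys:
            # High-confidence signal: nobody was ever given this value.
            self.alerts.append({"type": "honeytoken_hit", "ip": client_ip, "token": tok})
        self.bad_by_ip[client_ip] += 1
        if self.bad_by_ip[client_ip] == self.alert_threshold:
            # Lower-confidence signal: many invalid tokens from one source.
            self.alerts.append({"type": "token_guessing", "ip": client_ip,
                                "count": self.bad_by_ip[client_ip]})
        return None


def simulate_guessing(store: SessionStore, client_ip: str,
                      guesses: Iterable[str]) -> List[dict]:
    """Feed a stream of candidate tokens to the store; return the alerts it raised."""
    before = len(store.alerts)
    for g in guesses:
        store.lookup(g, client_ip)
    return store.alerts[before:]


if __name__ == "__main__":
    # Constructed toy token space (16 bits) so full enumeration is quick in a
    # demo. Real tokens need 128+ bits of randomness; decoys then matter mostly
    # when tokens leak in bulk (logs, backups) rather than when they are guessed.
    toy_factory = lambda: "%04x" % secrets.randbelow(1 << 16)
    store = SessionStore(token_factory=toy_factory)
    store.seed_decoys(256)                      # about 1 in 256 values is a decoy
    store.issue("alice")
    alerts = simulate_guessing(store, "203.0.113.7", ("%04x" % i for i in range(1 << 16)))
    kinds = defaultdict(int)
    for a in alerts:
        kinds[a["type"]] += 1
    print(dict(kinds))   # hundreds of honeytoken hits long before the real token is reached
```

The decoy hit is the signal worth paging on: it needs no threshold tuning and has essentially no false positives, whereas the per-address invalid-token count is noisy (proxies, expired sessions) and serves as a secondary indicator. Decoy density is the knob: the more of the plausible token space is decoys, the earlier an enumeration trips one.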