Don't forget about OnStream. They've got a sub $400 IDE solution ($387 on Pricewatch) that does up to 5MB/sec (that's fast) with a 30/60GB capacity (uncompressed vs compressed). The downside is the tapes are costly - about $50/ea.
For about the same $$, you can get a nice DDS4 DAT drive, which does 20/40GB, and has super-cheap tapes - $17/ea at CDW, probably cheaper elsewhere..
NJ has already ruled that we're too stupid to pump our own gas
Do you really like pumping your own gas? Go to another state and be my guest. Didn't you notice that in the surrounding states (DE, PA, NY), all of which have self-serve, gas prices are higher, many times MUCH higher???
Besides, it keeps unemployment down. You can't find a job? You can always pump gas.
Re:Spielberg Over the Hill? (on "Taken?") · Score: 2, Offtopic
Yeah, AI was Kubrick's, and the Kubrick parts were good
It was vintage Kubrick. It would have been a better film if it had ended 30 minutes earlier. He never could end a movie!
We meet an alien race that is smart enough to figure out how to resurrect the dead, but isn't quite smart enough to figure out how to do it for more than one day. That's the most ridiculous thing I've heard.
Here's the ending I proposed: Next to last shot - aliens flying over the frozen Manhattan. Last shot - cyberboy frozen in the block of ice staring at the blue fairy. Credits. Much better ending.
Reliance on Secondary Routing Protos... (on "VRRP") · Score: 3, Interesting
I work for Nokia, though don't speak on behalf of the company.
One problem with VRRP v2 as it stands today. Imagine a case where you have two parallel routers and are running VRRP. If you experience an interface failure on your primary router, OK, that interface fails over to the secondary unit. Since you only experienced an interface failure (let's suppose this is a pair of edge routers), say on the outside, and because the inside i/f of the router is still up, you need a secondary routing protocol to direct the traffic to the secondary router - introducing an asymmetric routing condition. This is easily done with OSPF.
Consider the case, however, that we're no longer talking about routers, but instead firewalls. This condition can wreak havoc with your firewall's state tracking mechanism if your firewall's connection state tracking mechanism is either not shared with the redundant unit, or your connection is fast enough that reply packets arrive before connection data is sync'd.
Enter extensions to VRRP like VRRP Monitored Circuits (aka VRRPmc), from Nokia. If you're running Nokia firewalls (which run Check Point for those who don't know), you're probably using VRRPmc.
When you configure VRRPmc, you monitor the other interfaces in use for VRRP. If one of those other interfaces goes down, you decrement your VRRP priority value by a pre-defined delta value, which, if you've calculated correctly, will cause the primary unit to begin advertising VRRP priorities that are lower than what the secondary unit is advertising, thereby causing the virtual IPs/MACs to shoot over to the secondary unit, rather than just the i/f that failed. On the wire, it still looks like good old VRRP. I'd like to see either the monitored circuits method, or something similar, implemented in the mainstream VRRP protocol.
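To make the "if you've calculated correctly" part concrete, here is an added simulation of the monitored-circuits priority arithmetic described in the comment above. It is example code written for this page, not Nokia's or any vendor's implementation; the unit names, base priorities and interface names are constructed, and the tie-breaking rule is simplified (real VRRP breaks a priority tie on IP address). It shows that the delta only forces a whole-unit failover when it is larger than the gap between the two units' configured priorities; a smaller delta leaves the primary as master on its surviving interfaces, which is exactly the split condition the comment warns about.

```python
from dataclasses import dataclass, field


@dataclass
class Unit:
    """One VRRP speaker with monitored circuits (constructed model)."""
    name: str
    base_priority: int                                # configured VRRP priority, 1..254
    monitored: dict = field(default_factory=dict)     # interface name -> priority delta
    down: set = field(default_factory=set)            # interfaces currently down

    def effective_priority(self) -> int:
        # Each monitored interface that is down subtracts its delta from the
        # advertised priority.  VRRP priority 0 means "release the VIP", so the
        # simulation floors the value at 1 rather than advertising a release.
        penalty = sum(delta for ifname, delta in self.monitored.items() if ifname in self.down)
        return max(1, self.base_priority - penalty)


def elect_master(units):
    """Highest advertised priority wins (simplified: no IP-address tie-break)."""
    return max(units, key=lambda u: u.effective_priority()).name


def minimum_delta(primary_base: int, secondary_base: int) -> int:
    """Smallest delta that guarantees the primary drops below the secondary
    after a single monitored interface fails."""
    return primary_base - secondary_base + 1


def simulate(delta: int):
    """Fail the primary's outside interface and report who is master for the
    VIPs before and after.  Both units monitor both interfaces, so the same
    arithmetic would protect the secondary if it later lost an interface."""
    primary = Unit("fw-a", 250, {"outside": delta, "inside": delta})
    secondary = Unit("fw-b", 100, {"outside": delta, "inside": delta})
    pair = [primary, secondary]

    before = elect_master(pair)
    primary.down.add("outside")          # single interface failure on the primary
    after = elect_master(pair)
    return before, after, primary.effective_priority()


if __name__ == "__main__":
    print("minimum safe delta for 250 vs 100:", minimum_delta(250, 100))   # 151
    for delta in (100, 151, 200):
        before, after, prio = simulate(delta)
        print(f"delta={delta}: master {before} -> {after}, primary now advertises {prio}")
```

With delta 100 the primary keeps advertising 150, still above the secondary's 100, so only the dead interface's traffic moves and the firewall pair ends up with asymmetric flows; with delta 151 or more the primary falls below 100 and every VIP moves together.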
Re:Like they would tell. (on "Is Mac OS X Slow?") · Score: 4, Informative
How about Medal of Honor: Allied Assault? That's pretty new, and a great game... How about Q3? Not really new, but still mighty fun. How about Max Payne?
CompUSA lists 115 available game titles. Surely some of those would be enough to satisfy you.
Second, and more importantly, they have replaced KDE apps with equivalent apps, either from GNOME or independent projects. For example, they replaced konqueror with Mozilla, Koffice with OpenOffice, KMail with Evolution.
Stop and realize the silliness of your "point"... Changing launcher icons on the panel != replacing applications. Can you run Konq on RH8? Sure can. Can you run Koffice? Yup.
It's got this little problem with mailing lists. You subscribe to a mailing list and thread the mailbox you've got your list filtered into. Great, so far so good. Now, delete the first message in a thread. Chances are, if it's an active list with several threads going on at once, you'll see that KMail will dynamically re-arrange your mailbox. By the time you finish reading that thread and deleting messages, you're probably 2/3 of the way down through the new messages, forcing you to go back up to the top and start the next thread with this re-arranging madness. Monumentally stupid behavior, but the KMail developers regarded this as a feature, not a bug!!!!!! Their reasoning? You should never delete a message in a mailing list folder. Huh?
Use mutt. It's only about a gazillion times better.
Not familiar with dsniff, ettercap, and the like, eh? Or how about large-scale SSL-based websites? Most of those actually terminate the SSL connections on some sort of SSL acceleration device, spitting out plain old http traffic out the back side.
Installing a firewall is not a magic solution. Suppose you run a website. You WILL be permitting 80/tcp through your firewall, probably also 443/tcp. Along comes the next worm that uses only http to gain entry to a system (Think CodeRed, Nimda && friends). How exactly is your firewall going to stop that sort of traffic? The answer you're searching for is, "it won't."
In addition to firewalling, running a NIDS sensor will help abate these threats. Most NIDS products support the notion of killing a connection (rskill, for RealSecure, flexresp for Snort, etc.) - this is how you can stop the threat of CR, CR-II, Nimda, et al.
Another way to abate these kinds of threats is to use something like Hogwash (which strangely enough is based on Snort), or a reverse-proxy that can inspect HTTP requests. Of course, those only help for HTTP traffic - there's a lot more out there besides HTTP. Remember sendmail, uw-imap, old qpopper, bind, and friends? They've all had remote-rootables that blew right through firewalls, since they only used the designated "proper" port(s) for the vulnerable daemon.
Use your head. There is no security magic bullet. It's a process, not a single product.
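The comment above makes the point that a firewall passing 80/tcp sees nothing wrong with a worm that arrives as an HTTP request, and that a reverse proxy which actually inspects requests is one way to close that gap. The following is an added illustration of that kind of inspection, written for this page and not taken from any product named in the comment; the length limit, method allow-list and sample requests are constructed assumptions, and a real deployment would tune them to the application behind the proxy.

```python
import re
from urllib.parse import unquote

# Policy knobs (constructed values for this example, not a vendor default).
MAX_URI_LENGTH = 1024
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Patterns checked against the percent-decoded path:
#   - a ".." path segment (directory traversal)
#   - ASCII control characters that never belong in a request path
BLOCKED_PATTERNS = (
    re.compile(r"(^|/)\.\.(/|$)"),
    re.compile(r"[\x00-\x1f\x7f]"),
)


def inspect_request(raw: str):
    """Return (allowed, reason) for the request line of a raw HTTP request.

    Only the request line is examined; header and body inspection would be
    the next layer on a real proxy.  Decoding is applied twice so that a
    double-encoded traversal (%252e%252e) is caught as well as a single one.
    """
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"

    method, uri, version = parts
    if not version.startswith("HTTP/"):
        return False, "bad protocol version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(uri) > MAX_URI_LENGTH:
        return False, "request-URI too long"

    path = uri.split("?", 1)[0]
    decoded = unquote(unquote(path))
    for pattern in BLOCKED_PATTERNS:
        if pattern.search(decoded):
            return False, "suspicious path"
    return True, "ok"


# Constructed sample requests: one benign, three that a port-based firewall
# would pass unchanged because they are all just TCP/80 traffic.
SAMPLES = {
    "benign":     "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "oversized":  "GET /default.ida?" + "A" * 2000 + " HTTP/1.0\r\n\r\n",
    "traversal":  "GET /scripts/%252e%252e/%252e%252e/cmd HTTP/1.0\r\n\r\n",
    "bad_method": "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def classify_samples():
    """Run every constructed sample through the inspector."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in classify_samples().items():
        print(f"{name:11s} allowed={allowed!s:5s} reason={reason}")
```

The inspector does nothing for the other daemons the comment lists (sendmail, imapd, bind); it only helps where the traffic is HTTP and the proxy is in the path, which is the comment's own caveat.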
How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port:) ?
Um, you don't. That's what Gigabit Ethernet is for. Check out the Intel Copper Gig cards - there's Linux support for them and they're reliable cards.
On another note, I don't quite see how using 2 NICs, one on a management LAN and the second with no IP bound to it doing the sniffing, is a revelation! Shouldn't this just be common sense? After all, it's been a standard NIDS sensor practice for quite a long time now. To really do this job right, all of the sensors should be using a management LAN for reporting back to a MySQL/PostgreSQL database, which in turn is queried by ACID, or something similar..
BTW, ACID's SQL is so terribly un-optimized, it's downright pitiful. I know of a large company that's getting ready to release a huge patch to ACID to actually optimize its SQL usage, bringing performance for large-scale snort deployments up to a reasonable level.
You /. people are so hypocritical: when Microsoft IIS users fail to install patches to upgrade immediately and get mod_Code Red automatically installed via Internet you say "l4amers", and yet when it's your turn to upgrade Apache, or even just to patch the older vulnerable version, it's suddenly OK to wait, if it ain't broke don't fix it.
Alas, the point goes streaking over your head like a 747. Do you understand the difference between applying *SECURITY PATCHES* versus completely ripping out your httpd and replacing it with a new major version?
It turns out that, in Vancouver, Canada, my $1CAN will buy about the same as your $1US bill will buy in Los Angeles.
Be that as it may, I don't see that as the spirit of the original statement, given the distance between two points of purchase. I read the original comment as if he was somehow under the (delusional) impression that my $1US was somehow worth the same as his $1CAN. Since we're talking about a comparison, it's reasonable to expect to be comparing under the same conditions. In terms of buying power the $US is still much (50%) stronger. Of course, time is the great equalizer, and could change that - hey, you never know..
Now the whole health care thing is just silly. I get to keep an enormous percentage of my salary that I'd have to give up in the land of maple leaves, and get my health care for about $50/month, and that's because I chose the better medical and dental plans. The whole notion of your government having to be your daddy is just dumb. I'd rather have my government keep its nose out of my business whenever possible.
Of course comparing dollar values is idiotic without considering purchasing power, and on that stat the Canadian dollar is almost at par with the US $ for most goods.
Insightful, my foot.
Last time I checked, I could get about $1.50CA for every $1US. Hmm. Where I come from, this means that the $US has 1.5x the purchasing power of the $CA.
Why on earth do you think that people from the US that live near CA go over the border to shop????
Non-standard units of measurement? Um, this IS a US phone. What, precisely is wrong with measuring in inches and ounces, since after all, the metric system is not in wide use in the US?
Do those DLP projectors have firewire outputs? Hmm.. Let's see, grab a couple of 100G firewire drives, a powerbook and final cut pro... Maybe I'll go get a job in a theater..:) Heck, even S-video or composite would do.
Maybe you haven't noticed, but all of the other stuff you mentioned doesn't form a solution. They're providing the software to tie it all together in a nice, easy to implement solution. There's plenty of $$ to be made out there selling such solutions.
In this day and age, the majority of network security incidents have some sort of internal connection. Implicitly trusting your internal users is suicidal in terms of network defense.
I think c't is right on with his assessment regarding things like file permissions, shadowed passwords, etc. In a security device, there is no excuse for not finishing the job - that is, securing your file permissions, using shadowed passwords, etc.
The SmoothWall people argue against the need for shadowed passwords as the only interactive user on the system is root. How about the CGIs that manage the applications? How about the possibility of exploiting some sort of weakness in one of them, resulting in the display of the encrypted passwords? Or are they so arrogant as to believe there couldn't possibly be any vulnerabilities in their code?
I purchased an Xbox a couple of weeks before Christmas from my local Target store (at about 11am, when they had about a dozen xboxes on the shelf). I also picked up the Monster 300X+100LX (essentially s-video + optical) connector, to get nice picture with DD5.1. Guess what? The DD5.1 was malfunctioning. I packed up everything and returned to Target the same day at about 4pm. I was first given the song and dance about MS wanted returns to go through them.
I put it very simply to the sales weasel. It went something like, "I, your customer, spent over $500 of my hard-earned cash this morning in this very store. The product you sold me is defective. Are you refusing to exchange it for a replacement product, which presumably will work? Oh, you are? Get the store manager here, now."
I explained the situation to the store manager, and outlined what I felt were acceptable options at that point... 1. Exchange the console and make me happy, or 2. Take back the whole lot, games and all, and give me my $500 and change back.
Funny thing? 5 minutes later, I was walking out of the store with one of the 3 Xboxes that were left. Went home, hooked it up, and the DD5.1 worked great. Bottom line? Stand up for your rights as a customer.
What's amazing is an alleged security "professional" that doesn't know how to abate the threats that exist when using WLAN technology. It's not rocket science, genius. Go ahead, airsnort me all you want, it won't help. Why? Immediately on the other side of my access point is a firewall where the IPSec tunnels of my WLAN clients terminate. The firewall is configured so that the only traffic that passes is traffic that came out of the IPSec tunnels.
Let me get this straight, you pay $40 or so a month for your cable access, right? Boo freaking hoo, poor you, only T-1 speeds. How'd you like to pay for that T-1 to the tune of over $1000/mo?
Perhaps I'm missing something here... Presumably he's paying the builder, so the builder does what? Builds. Builds what the customer is asking for. It's not like he's asking for something unreasonable.
It's a GSM 900/1900 handset. So order one from the US and get it shipped to you. As long as you've got GSM 900 service (and you purchase a unit that's not simlocked), you'll be fine.
Use the right tool for the right job. In this case, switch out that fiber GBIC for a Cu GBIC and use a Cu-Gig card in the sensor.
Score: -17, bad security.
Methinks you have no idea what penultimate means.
It means "next to last". And you get +4 for that? Yeesh.
specs.
There are also GSM 900 nets of course too, namely BT and Vodafone.