Interesting, but only half the story...
on Security From A To Z · Score: 2, Interesting
I've been working in security for 5 years now: penetration testing, managed firewalls/IDS, BS7799 prep, etc... Currently (among other bits and bobs) I run security for a UK motor insurance company.
Lots of security material is all about the tech, but really (outside of Hollywood) hacking or any form of abuse is largely about people. The tech makes it easier or harder for the people - but ultimately at some point there is still someone at a keyboard making the decision to do something.
For the last couple of years I've been doing what is essentially an MSc in traditional Criminology and it really is interesting how much of the traditional models of motivation and causation cross over into the online environment (and also how little traditional criminologists seem to understand the parallels).
I'm actually running a survey for my dissertation at the moment looking at IT admin access to confidential information - if you'd like to take part (and be in with a chance of winning a £25 or $40 Amazon voucher) take a look at:
https://msc-survey.priogenus.com/amazon.php
This survey is only going to tell 1/2 of the story
on Post-crash Salary Survey · Score: 5, Interesting
It won't surprise me at all if this survey shows negligible changes in salaries over the last 12 months - companies prefer making redundancies to cutting wages, as the effect on the morale of those who are left is much less.
However, if the statistics were an equivalent of GDP for IT industry professionals (i.e. an estimate of the total take-home pay of the profession) then the figures would almost certainly be utterly horrible.
According to www.jobsmeta.co.uk and www.jobstats.co.uk advertised vacancies in the UK are running around 50% of the middle of last year - in addition the hourly rates/annual salaries have also slipped (due to simple supply/demand). It wouldn't surprise me if IT-GDP (for want of a better term) was down 20-30% on the year.
Really this is just a way of saying things are tough all over - I'd like not to complain, but as one of the many people who are looking at the moment, this market sucks and the reasons can't really be reduced to simple one-liners or attributed to anyone/thing in particular.
Right now a couple of months off to get some R&R that's been lacking over the last 5 years doesn't go amiss - but in a couple more I'm likely to get really flexible in what I'll look at just to avoid going mad at home. My main concern isn't a pay cut (my essential bills are around 30% of my last salary) - but I don't want to take a job outside of my key skills; people pay a huge amount of attention to your last role so it would be like writing off my career to date.
In the meantime I'm doing the odd day of freelance work - it's not a lot but it's covering the bills.
I guess we'll see where we end up.
If it's implemented properly, surely it shouldn't matter
The "if" is exactly what I meant... after support for Unicode is added to domain name encoding schemes in applications, each and every application has an opportunity to make a mistake... some of them will.
ummm... DNS is only used in name resolution; packets are routed according to the IP address once resolved, which is totally unrelated to the domain name - that happens right now - nothing has changed.
If anything, extending the number of TLDs will reduce latency as it will spread the load across more servers, probably on a geographical basis!
Feel free to troll, it's your God-given right, but do try to remember that acting both jingoistic and technically ignorant in the same mail is very unlikely to get you any respect.
The problem isn't necessarily with buffer overflows, read Bugtraq...
There was a report a couple of weeks ago regarding a problem with internationalised IIS where Unicode representations of directory traversal codes (., /, \, etc.) were being substituted after access checks had been applied...
Now imagine domain-based trust relationships - these will be implemented in numerous sub-systems (TCP wrappers, .rhosts, sendmail.cf, etc...) each of which may perform the normalisation/access checks slightly differently.
I imagine that this will lead to numerous security issues due to slight differences in systems' support for multi-byte characters.
Another question (which I suspect will be answered in the FAQ) is: do you need to register the same domain name several times to take account of the differing Unicode byte widths?
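An added example (not from the original post) of the ordering problem described above: an access check applied to the raw request string before decoding, beside the hardened order that canonicalises first and checks the path that will actually be opened. WEB_ROOT, the request strings and the tolerant decoder are constructed for the illustration.

```python
"""Canonicalise before you authorise: percent/UTF-8 decoding done after the
access check lets encoded separators slip past it. Constructed example."""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/site"   # assumed document root for the example


def lenient_utf8(data: bytes) -> str:
    """Model of a tolerant decoder that accepts overlong two-byte forms
    (C0 AF decodes to '/'). Strict decoders, Python's included, reject them."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))       # everything else treated as Latin-1
            i += 1
    return "".join(out)


def _to_fs_path(decoded: str) -> str:
    """Map a decoded request path onto the filesystem ('\\' is also a separator)."""
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def resolve_check_then_decode(request_path: str):
    """Flawed order: the access check inspects the raw request string and the
    server decodes afterwards, so an encoded '../' is never seen as one."""
    if ".." in request_path.split("/"):
        return None                                  # the only check there is
    return _to_fs_path(lenient_utf8(unquote_to_bytes(request_path)))


def resolve_decode_then_check(request_path: str):
    """Hardened order: decode strictly, normalise fully, then make one check
    on the final path."""
    try:
        decoded = unquote_to_bytes(request_path).decode("utf-8")
    except UnicodeDecodeError:
        return None                                  # overlong/malformed rejected
    if "\x00" in decoded:
        return None
    full = _to_fs_path(decoded)
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None                                  # left the document root
    return full


if __name__ == "__main__":
    for req in ("/docs/readme%20v2.txt", "/docs/../../etc/motd",
                "/docs/..%c0%af..%c0%afetc/motd"):
        print(req, resolve_check_then_decode(req), resolve_decode_then_check(req))
```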
No, you can't "haggle" but you can decide not to buy it... any time I want to purchase something (doesn't matter what) I have a mental figure of roughly what that item/service is worth to me... if someone tries to charge me more than my personal value of the item I just won't buy it.
Do I lose out by this? Personally I don't think so: I either have the item I wanted in exchange for my perception of its value - or I have the cold hard cash.
To then complain that the price is too high doesn't really do anyone any good. I could do this about lots of things, but at some point I just need to accept that my value of those goods does not match the value which the vendor places on them... so what? It's not like Amazon are selling food or another vital commodity, nor are they a monopoly... just deal with it.
All that Amazon is doing is seeing if it can judge what a customer's value for an item is - exactly what all stores try to do all of the time with discount or loyalty schemes.
When AOL trialled an unlimited access account in the UK they trialled it first in several groups. Each group was offered a totally different price. This practice is not uncommon; the only difference with Amazon is that they got noticed.
As an aside, I strongly suspect that the really valuable data for them is the people who they predicted would buy an item and then walked away - it tells them where their model is wrong, i.e. the really valuable information is the set of sales which they *lost*, and to get that data it does cost them.
OK, this may be a really dumb question - but given that the IPv6 address space is a *lot* bigger than the IPv4 address space, how can NAT'ing the backbone work...
Most cases where I've seen NAT used are to get a large address space to access an external network through a smaller address space (typically a single IP).
As I understand it this works fine because an internal client sends packets to the real address of external hosts and all the router has to do is track open connections and re-write the inbound packets on open connections.
However, if the internal hosts are using IPv4 and they request a host 10.1.1.1 that would actually map to a large range of IPv6 addresses - how does the router know which of the addresses in that range is the correct one? And if the whole range is mapped to the single IPv4 address then you aren't increasing your address space.
As an example, how would two different dial-up users from different ISPs establish a TCP connection between their two machines (e.g. for an audio channel)?
Like I say I may be missing something really obvious - but I can see how you can have pockets of IPv6 connected over IPv4 but not the other way around...
I know that's how it works at present - but the browser, by doing a reverse lookup, could also get the real name of the server and validate against that.... this would involve a change to the authentication method but as far as I can see it would be the only way to allow virtual SSL servers on a single IP.
More to the point, if you are hosting several virtual SSL servers on a single box then it's likely that your DNS is set up with an alias for the real site to point to the CNAME of the hosting box....
This suggests to me that the client could allow authentication against a certificate from the real host name... eg
then both webservers could use a certificate for host.hostingcompany.com.
The problem with this of course is that if someone can hack your DNS (which of course would never happen *grin*) then they can fake the SSL component of another site, which isn't a vulnerability under the current mechanism.
Really it comes down to a question of: is SSL intended to provide security for traffic in transit or authentication of the web site? Consumers are currently more paranoid about the first but I'd have thought the second was actually more important.
I suppose that there could be a two-stage authentication process where the real name of the box is used to encrypt the link (and authenticate that host) but then an additional certificate (X.509 with an extension) could be provided to prove that a particular name can be hosted on that machine...
As with everyone else, IANAL - however I strongly suspect following this advice would be really dumb in your situation.
My main job is Security, DR and Compliance - the key with the compliance bit isn't necessarily being inside the rules at all times but making sure that the people who are in a position to enforce them are happy with the approach you take. I've never seen a company that is genuinely 100% compliant and I doubt they exist, so don't aim to be squeaky clean; aim to be on good terms with the people who could hurt you.
If you build and demo it to your existing company they almost certainly own it; you *might* be on safe ground to write a paper outlining the customer segment and business model that you are considering, however even that might put you on more dangerous ground.
One of the best responses above was that most successful startups begin by being symbiotic with their original parent - offer them a 20% stake in you in return for forgoing any legal claims about IP and try to leverage their sales team and customer base to launch.
From their perspective this would probably mean:
a) they get to retain their support team (perhaps 2 days a week on the legacy)
b) they get to cut costs (40% salary for 2 days)
c) they get a good (?) business idea and the chance to profit from almost no investment and no risk.
From your perspective this clears away most of the legal issues (get that lawyer before you start this conversation!) and gives you some financial backing. It also essentially gives you a sales function; as a start-up you will live and die by them.
If the product takes off and flies you could buy them out in a couple of years... perhaps you could even get that written into the contract.
If not, well, at least you didn't jack everything you had in and open yourself up to a large personal lawsuit.
As someone whose father actually is a vicar I can see how that would be a problem (although they do drink less tea than you might expect).
But I'm still not sure I agree; it might be equivalent to choosing to store your own rat poison in your own teapot in a flat that you didn't lock.... I'm certainly not saying it's morally OK, but it's probably closer to reckless endangerment than anything else.
Technically "conspiracy to murder", but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion... and someone then read your diary and chose to act upon it?
sorry... the url above should read:
https://msc-survey.priogenus.com/amazon.php
sorry typo in URL:
https://msc-survey.priogenus.com/amazon.php
There is actually quite an interesting aside to this: would someone who used this technique actually be guilty of hacking? After all they don't run the exploit and arguably can't guarantee that anyone will.
If I happen to create a utility capable of cracking a site but then store it for research, never distribute and never actively use it, then I've not committed a crime. If I distribute it to other researchers in good faith then I'm covered - at present it's only the person who actively uses it that is guilty of a crime.
However, in this scenario (even if I could be traced) it's arguable that *I* never attacked a site; all I did was to place a tool that could be used in that way in a public location. I'm not sure that would completely stand up given the recent amendment to the UK's Computer Misuse Act (i.e. reasonable belief that the tool would not be used in that fashion), but still...
As always it comes down to people...
PS:
As an aside I am currently running a survey for my MSc dissertation on IT admin access to confidential information. If you'd like to help out (and would like a shot at winning a £25 or $40 Amazon voucher) then please take a look at:
https://msc-survery.priogenus.com/amazon.php
No, but if you have lost it I can put you in touch with people who could help :P
hmmm - not sure I agree with you completely.
Certainly the previous poster was mainly concerned with hide NAT - you on the other hand seem to be only considering static (or possibly pool-based dynamic) NAT.
Now while I agree with you that NAT does not have to be the evil that large numbers of people believe it to be, it certainly isn't as saintly as you want us to believe. NAT does have fundamental limitations.
For example, if you run a VPN between two organisations that have an overlapping internal (private, RFC 1918) range of addresses you will break quite a lot of things. You could argue that this isn't the fault of NAT, but the whole purpose of the technology is to enable non-unique addressing, and as you expand the number of organisations involved in the VPN the problem gets worse.
Secondly, I have seen a number of NAT implementations that do not handle protocols other than a select few TCP/UDP options - that to me is a significant fault, maybe not in the technology per se but certainly within the reality.
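An added example, not from the original posts, simulating the hide NAT discussed here and in the earlier IPv6/NAT question: outbound traffic creates the mapping a reply is rewritten through, an unsolicited inbound packet has nothing to map to (so two hosts each behind their own hide NAT cannot open a connection to each other), a protocol without a port field cannot be overloaded, and overlapping RFC 1918 ranges between VPN sites are flagged. All addresses and ranges are constructed.

```python
"""Hide NAT (one public address, ports overloaded) simulated to show why
unsolicited inbound connections and overlapping private ranges break it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HideNat:
    """Rewrites every inside source to one public IP plus a fresh port."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.out_map = {}   # (proto, inside ip, inside port) -> public port
        self.in_map = {}    # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet):
        """Inside -> outside. Only protocols with a port field can be overloaded."""
        if pkt.proto not in ("tcp", "udp"):
            return None   # e.g. ESP or GRE: nothing to multiplex on, flow fails
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Outside -> inside. Without existing state there is nowhere to send it."""
        inside = self.in_map.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or inside is None:
            return None   # unsolicited inbound is dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


def reply_reaches_inside(nat: HideNat, inside: Packet) -> bool:
    """Normal client flow: outbound creates state, the server's reply maps back."""
    public = nat.outbound(inside)
    if public is None:
        return False
    reply = Packet(public.dst_ip, public.dst_port, public.src_ip, public.src_port, inside.proto)
    back = nat.inbound(reply)
    return back is not None and (back.dst_ip, back.dst_port) == (inside.src_ip, inside.src_port)


def peer_to_peer_possible(nat_a: HideNat, nat_b: HideNat, a: Packet, b: Packet) -> bool:
    """Two hosts, each behind its own hide NAT, each opening a connection to the
    other's public address. Neither NAT holds state for the other's SYN."""
    a_out, b_out = nat_a.outbound(a), nat_b.outbound(b)
    if a_out is None or b_out is None:
        return False
    return nat_b.inbound(a_out) is not None or nat_a.inbound(b_out) is not None


def overlapping_sites(sites: dict) -> list:
    """Pairs of VPN sites whose private ranges overlap: a destination inside the
    shared range is ambiguous, and more sites means more collisions."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if nets[x].overlaps(nets[y])]


if __name__ == "__main__":
    office = HideNat("203.0.113.10", "10.1.1.0/24")          # constructed
    print(reply_reaches_inside(office, Packet("10.1.1.7", 51000, "198.51.100.5", 80)))
    print(office.outbound(Packet("10.1.1.8", 500, "198.51.100.5", 500, "esp")))
    print(overlapping_sites({"alpha": "10.1.0.0/16", "beta": "10.1.1.0/24"}))
```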
This forensics challenge isn't about "how the box was cracked"; it was a honeypot with a default install of RH. The Honeynet project themselves said they expect systems like this permanently on the net to have a half-life in weeks. To be frank I don't think anyone cares about the "how" or the "why" in this case; it's a detail.
What it's actually about is education for systems forensics - I started getting interested in this about six months ago reading background stuff, learning about some of the tools and polishing up incident response strategies...
What's my biggest problem? Well we haven't had a system cracked yet (I'm sure it'll happen some day so that definitely isn't a challenge) - but that means we have no way to practise system analysis after an intrusion.
Fine, it looks like the rpc.statd exploit - what happened next - should you check for other infected systems nearby? What toolkits does this attacker use and how can you ID them quickly? If you come to a suspect system without the snort trace what do you look for? How do you interpret the output of forensics tools (i.e. TCT)? What are the account names to watch for?
These are all questions I couldn't answer right now - and unless someone has direct experience of forensics I doubt they can *really* answer those questions either.
I posted a message to forensics@securityfocus.com a while ago looking for small images of cracked boxes - no dice.
I thought about setting up my own default install (possibly under plex86), cracking and root-kitting it and then performing an analysis (I never did get around to it in the end as I'm in the process of moving jobs and have tonnes of stuff to sort out to do with the relocation - I'd probably have come back to that in 6 months).
My point is that there is plenty of info out there on systems analysis/forensics - this is the first exercise I've seen. Knowing about tools is fine - but without direct experience it's not really that good. Do *you* really want to start learning about forensics 8 hours after your system's been penetrated?
The output of this challenge is an insight into the methodologies available to analyse a system - along with the original images so that they can be worked through. I intend to work through them in several ways:
1. I'll put the images on a clean system and analyse them from safety.
2. I'd like to install them on a host (re-create the cracked server) and then boot from some emergency recovery disks - this is probably a more realistic scenario... it might also tell me which utilities I'm "really" going to miss on those distros.
In my humble opinion this is the most important thing the Honeynet project has done to date - logs of kiddies on a rooted box might be interesting but they don't really tell us very much. I know they do more than this - but this is the first resource which is directly useful to sys-admins... I hope they intend to repeat the exercise with other host types (Win 95/98, Win NT, Solaris, HPUX, etc...).
This is a long-term resource and I applaud it, and I would recommend that any sys-admin take a look at the results when they are published.
Tom
hmmmm Virtua Vicar... there's a scary thought
Personally I always use root@127.0.0.1 when forced to register with a site I don't want spam from.
That's for a non-commercial training/development license only!
you know I think that was his point!
My real concern is that I don't know what someone can be certified in. In many cases people persue certification to get onto the IT career ladder in a support role (ok this view may be very biased due to the MCSE's I've met, and I suspect it doesn't hold for Oracle/Cisco type certs) - but its true.
As such I'd expect certification to teach people how to perform basic routine tasks (possibly by rote - it doesn't matter as long as they are done correctly). Understanding of the platform can then be gained while working in a commercial environment under the instruction of someone senior - paying their way as an extra set of hands.
Real troubleshooting skills come from a fundemental understanding of the platform involved and strong problem solving skills. Something which I don't belive any 100% taught course ever pretends to provide.
Now given that there are significant differences between distributions regarding:
* package management tools
* configuration file locations
* basic install components
* critical library versions (glibc2 et al)
* etc...
It's very hard to see what Linux certification can do to be meaningful to a basic support role - it will either have to be very distribution specific or sufficiently general as to be inaccessible to junior staff.
So in the meantime I suspect that it's a bit of CV candy for the attendees and an important learning experience for those designing and running the courses.
Roll on the LSB!
I might be daft, but why not just install all the services by default (after all, people install the OS to play) but have a set of ipchains rules in the local init file to block off access?
Somehow I think the kernel is modular enough so that if I load a new PCMCIA module, it wouldn't automatically be given rights to read and write to arbitrary files on the system. Please correct me if I'm wrong, and I'll sleep much less well at night.
Unfortunately I believe you are wrong - all code within the (Linux) kernel operates with root privileges.
Moreover as these things operate within the kernel you can pull all kinds of tricks to keep them hidden.
Take a look at this link for a nice discussion of this issue.
No, you can't "haggle" but you can decide not to buy it... any time I want to purchase something (doesn't matter what) I have a mental figure of roughly what that item/service is worth to me... if someone tries to charge me more than my personal value of the item I just won't buy it.
Do I lose out by this? Personally I don't think so: I either have the item I wanted in exchange for my perception of its value - or I have the cold hard cash.
To then complain that the price is too high doesn't really do anyone any good. I could do this about lots of things but at some point I just need to accept that my value of those goods does not match the value which the vendor places on them... so what? It's not like Amazon are selling food or another vital commodity, nor are they a monopoly... just deal with it.
All that Amazon is doing is seeing if it can judge what a customer's value for an item is - exactly what all stores try to do all of the time with discount or loyalty schemes.
When AOL trialled an unlimited access account in the UK they trialled it first in several groups. Each group was offered a totally different price. This practice is not uncommon; the only difference with Amazon is that they got noticed.
As an aside, I strongly suspect that the really valuable data for them is the people who they predicted would buy an item and then walked away - it tells them where their model is wrong, i.e. the really valuable information is the set of sales which they *lost*, and to get that data it does cost them.
OK, this may be a really dumb question - but given that the IPv6 address space is a *lot* bigger than the IPv4 address space, how can NAT'ing the backbone work...
Most cases where I've seen NAT used is to get a large address space to access an external network through a smaller address space (typically a single IP).
As I understand it this works fine because an internal client sends packets to the real address of external hosts and all the router has to do is track open connections and re-write the inbound packets on open connections.
However if the internal hosts are using IPv4 and they request a host 10.1.1.1 that would actually map to a large range of IPv6 addresses - how does the router know which of the addresses in that range is the correct one? And if the whole range is mapped to the single IPv4 address then you aren't increasing your address space.
As an example, how would two different dial up users from different ISPs establish a TCP connection between their two machines (e.g. for an audio channel)?
Like I say I may be missing something really obvious - but I can see how you can have pockets of IPv6 connected over IPv4 but not the other way around...
I know that's how it works at present - but the browser, by doing a reverse lookup, could also get the real name of the server and validate against that.... this would involve a change to the authentication method but as far as I can see it would be the only way to allow virtual SSL servers on a single IP.
More to the point, if you are hosting several virtual SSL servers on a single box then it's likely that your DNS is set up with an alias for the real site to point to the CNAME of the hosting box....
This suggests to me that the client could allow authentication against a certificate from the real host name... e.g.
website = www.somecompany.com
website = www.anothercompany.com
host = host.hostingcompany.com
with DNS config of:
host.hostingcompany.com IN A 10.0.0.1
and
www.somecompany.com CNAME host.hostingcompany.com
www.anothercompany.com CNAME host.hostingcompany.com
then both webservers could use a certificate for host.hostingcompany.com.
The problem with this of course is that if someone can hack your DNS (which of course would never happen *grin*) then they can fake the SSL component of another site, which isn't a vulnerability under the current mechanism.
Really it comes down to a question of is SSL intended to provide security for traffic in transit or authentication of the web site? Consumers are currently more paranoid about the first but I'd have thought the second was actually more important.
I suppose that there could be a two stage authentication process where the real name of the box is used to encrypt the link (and authenticate that host) but then an additional certificate (X509 with an extension) could be provided to prove that a particular name can be hosted on that machine...
just thoughts
Tom
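The two acceptance policies compared in the post (match the certificate against the name the user typed, or against the CNAME target) modelled side by side, as an added example that is not the author's code. The zone table mirrors the post's layout but is constructed, as are the host names and function names; no DNS lookup or TLS handshake is performed.

```python
"""Two certificate-acceptance policies from the post (added example, not the
author's code). The zone data, host names and function names are constructed;
no DNS or TLS is performed."""

# Constructed zone mirroring the post's layout: two aliases onto one host.
ZONE = {
    "host.hostingcompany.com": ("A", "10.0.0.1"),
    "www.somecompany.com": ("CNAME", "host.hostingcompany.com"),
    "www.anothercompany.com": ("CNAME", "host.hostingcompany.com"),
}


def canonical_name(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAME records to the name that actually carries the address."""
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None or record[0] != "CNAME":
            return name
        name = record[1]
    raise ValueError("CNAME chain too long")


def cert_matches(cert_name: str, host: str) -> bool:
    """Compare a certificate subject name with a host name, allowing one
    leftmost wildcard label (a simplified form of the usual browser rule)."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h


def accept_typed_name(typed: str, cert_name: str, zone: dict) -> bool:
    """Current mechanism: the certificate must match the name the user typed."""
    return cert_matches(cert_name, typed)


def accept_cname_target(typed: str, cert_name: str, zone: dict) -> bool:
    """The post's proposal: resolve the alias and match against the real host.
    Whoever controls the CNAME record now controls which certificate passes."""
    return cert_matches(cert_name, canonical_name(typed, zone))
```

Running both policies over a copy of the zone whose CNAME has been redirected shows the trade-off the post raises: the CNAME policy accepts the redirected host's certificate while the typed-name policy still rejects it.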