Slashdot Mirror


User: alienmole

alienmole's activity in the archive.

Stories: 0
Comments: 2,837

Comments · 2,837

  1. Firewall, shmirewall on OpenBSD 3.0 Honeypot Whitepaper · · Score: 5, Insightful
    It's a reminder

    Of just how much you need a firewall these days.

    Let's think that through. Let's say this honeypot had a standard packet-filtering firewall in front of it, e.g. the kind implemented by ipchains in Linux. Assume there are two services which we wish to expose to the outside world: Apache and SSH. So we set the firewall to forward all HTTP connections to Apache and all SSH connections to OpenSSH.

    Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.

    Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.

    I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.

    Especially if you run windows.
    Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
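    A small model of the scenario described in this comment, added here as an illustration and not code from the original post: the ipchains-style rule table, the sample connections and the toy payload check are all constructed.

```python
"""Model of a stateless packet filter in front of Apache and SSH.

Added illustration; the rule table, the sample connections and the toy
payload check are constructed for this example.
"""
from dataclasses import dataclass

# ipchains-style rule table: match on protocol and destination port only,
# first matching rule decides, trailing catch-all DENY as default policy.
RULES = [
    ("tcp", 80, "ACCEPT"),   # forward HTTP to Apache
    ("tcp", 22, "ACCEPT"),   # forward SSH to OpenSSH
    ("any", None, "DENY"),   # everything else is dropped
]


@dataclass
class Connection:
    proto: str
    dst_port: int
    payload: bytes   # application data; the packet filter never reads it


def packet_filter_verdict(conn, rules=RULES):
    """Verdict of the stateless filter: header fields only, payload ignored.

    This is the comment's point: a hole in an exposed service rides through
    on exactly the port the firewall was told to let in.
    """
    for proto, port, verdict in rules:
        if proto not in ("any", conn.proto):
            continue
        if port is not None and port != conn.dst_port:
            continue
        return verdict
    return "DENY"


def inspect_payload(payload, max_request_line=1024):
    """Toy application-layer check of the kind a content-inspecting firewall
    or proxy might run: flag an HTTP request line that is oversized or holds
    bytes outside printable ASCII. Deliberately crude; constructed here."""
    first_line = payload.split(b"\r\n", 1)[0]
    if len(first_line) > max_request_line:
        return "FLAGGED: oversized request line"
    if any(b < 0x20 or b > 0x7E for b in first_line):
        return "FLAGGED: non-printable bytes in request line"
    return "OK"


# Constructed sample traffic: two HTTP connections that differ only in
# payload, plus a telnet attempt that the port-based rules do block.
BENIGN_HTTP = Connection("tcp", 80, b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n")
SUSPECT_HTTP = Connection("tcp", 80, b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n")
TELNET = Connection("tcp", 23, b"login: ")


def demo():
    """Verdicts side by side: the filter treats both HTTP connections alike."""
    return {
        "benign_http": (packet_filter_verdict(BENIGN_HTTP), inspect_payload(BENIGN_HTTP.payload)),
        "suspect_http": (packet_filter_verdict(SUSPECT_HTTP), inspect_payload(SUSPECT_HTTP.payload)),
        "telnet": (packet_filter_verdict(TELNET), None),
    }


if __name__ == "__main__":
    for name, (filter_verdict, inspection) in demo().items():
        print(f"{name:13s} filter={filter_verdict:7s} inspection={inspection}")
```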
  2. Cut him some slack! on Brian Walker (aka Rocket Guy) Fires Back · · Score: 5, Insightful
    Brian Walker mentions in the article that he has dyslexia and ADHD. Writing is not usually the best way for such people to communicate. My g/f has severe dyslexia, and although she is a very insightful and extremely knowledgeable person, she doesn't come off at all well in any written venue.

    I think it's ironic that here on Slashdot there seems to be so little tolerance or understanding of people who might have different ways of thinking and expressing themselves.

  3. Re:I have mixed feelings... on AT&T Concerned About H2K2 · · Score: 2
    But AT&T is a company with a lot of proprietary information that could be easily broken if someone starts playing around with it, especially if they really don't understand what they're doing.

    If that's the case - and I would hope it isn't! - I'd rather a pimply teen from Queens did the breaking first, giving the target company a heads-up as to their poor security, rather than a terrorist bent on crippling the US phone network or Internet. Think of H2K2 and its attendees as a free security test for AT&T and other companies.

    Is it really okay to expose this?

    Yes, absolutely. Much more sensitive information gets published in mainstream media all the time. In fact, it's in posting things like this that Slashdot is at its best, since it provides insight into things that are normally hidden, and which perhaps could stand a bit of scrutiny (or if they can't, should be able to!)

    At worst it's letting the world know that, on this particular weekend, the back door to the Best Buy on Such-and-such St. has a broken lock.

    That's silly. If AT&T's procedures can be compromised so easily based on the information in that email, they better get new procedures, and they'd better hire security people who know what they're doing.

    And if this did result in a real-world break-in -- if someone did use this information to steal from the Best Buy -- the person who posted this information would be arrested and charged.

    That may well be true, and is an example of the kind of thinking that many officials indulge in. Crack down on the hackers who expose problems, and maybe no-one will notice some of the more serious holes in our infrastructure security. In fact, one of the talks at H2K2 covers this topic:

    Abuse of Authority

    Over the years, there have been many stories in the hacker world of law enforcement personnel who have abused their authority. Two of the more dramatic cases in recent memory both come out of Philadelphia. Many of us are already familiar with the horror story of Bernie S. who toured five dangerous prisons for over a year - not because of what he was charged with - but because the United States Secret Service was upset about his collection of information about them. Then there is the case of ShapeShifter, 2600 layout artist, who was arrested at the Republican National Convention in 2000 (shortly after leading a panel on the RNC at H2K) and held on half a million dollars bail as if he were a terrorist mastermind - all because he had been targeted for speaking out in public. Hear the games the authorities play and how public education really can make a difference in putting an end to such abuse.

    Hosted by Bernie S. and ShapeShifter

    The fact that the poster of the AT&T email might be arrested and charged is all the more reason to post it. If you allow valid and responsible actions to be circumscribed by petty intimidation, you've already lost your freedom. Of course, you might question the "valid" and "responsible" in my previous sentence, but the point is that it's possible to disagree on these things, and it's not the job of law enforcement to take a position unless an actual identifiable crime has occurred.
  4. Re:The hotel description on AT&T Concerned About H2K2 · · Score: 1
    Yes. I can also tell you that Dave Barry was not exaggerating, although I've only ever been in the lobby of that hotel.

    I know at least one reason why the Hotel Pennsylvania is so sucky - it's right over the road from Penn Station & Madison Square Gardens. When things like the annual Westminster Kennel Club dog show are held at the Gardens, many dog owners stay, with their dogs, at the Hotel Pennsylvania. Ditto for the cat show. So imagine a hotel with sub-par housekeeping that at least twice a year for the last few decades has every room occupied by one or more dogs and/or cats!

  5. Re:Corn: The Culprit? on Scientific Battlegrounds in Diets · · Score: 1
    We have all lost weight -- at least 15 pounds *each*; I still eat pizza, Häagen-Dazs ice cream (Chocolate Chocolate Chip), etc., and fried food that was fried in anything but corn oil. I eat Safeway brand sugar cream wafer cookies (sugar, not corn syrup). I eat *tons* of bread (I am a bread fanatic).

    Good for you, and whatever works. From a scientific perspective, though, this isn't a very satisfying situation. Without some kind of theory about why corn is worse than all these other foods, all you have is some anecdotal evidence.

    I'm not trying to defend corn, but I like to base the information I choose to believe on more than word of mouth and unscientific correlational assumptions.

    You could argue coincidence

    Yes, you could. If you're trying to lose weight, many other factors could also affect this. Perhaps you would have lost an equal amount of weight if you had cut out ice cream instead. Or perhaps corn was a particularly large proportion of your diet. It doesn't sound as though you've done any serious control tests at all, so you really don't have a basis for drawing a conclusion.

    BTW, this is nothing like the situation with aluminum and Alzheimer's: in that case, there's a marker that provides concrete evidence of something. If we could analyze your fat cells and find that they all had traces of corn in them, that would be useful; but that's presumably not the case.

    They have the same incentive to cure obesity that the pharmaceutical industry has to cure AIDS, diabetes, high blood pressure, yeast infections, and the common cold: none.

    It seems to me that people get what they ask for: people want to be able to pop a pill to cure themselves, they don't want to work at it. Frankly, many of them deserve to lose their money to a drug company. There's plenty of free information out there about losing weight and being healthy. My girlfriend has had good results just by walking a couple of miles a day. But people seem to *want* to spend money on the next fad that will fix their lives without their having to lift a finger other than to open their wallets.

    Ultimately, if you want things to be better, you need to make sure you have strong information that can be backed up. Your anecdotes about corn don't really qualify, unfortunately - it just puts you right there alongside the people who claim that it's only the fat, or only the sugar, or... I'd be willing to bet any amount of money that you're all wrong. It's a complex business, and humans don't seem to be good at intuitively analyzing situations that involve multiple interacting variables.

  6. Re:OT: Your sig on Easter Eggs in Web Sites? · · Score: 1
    According to Fun Latin, it means "Don't you dare erase my hard disk, I did not commit a fatal error!"

    I like this one:

    Si hoc adfixum in obice legere potes, et liberaliter educatus et nimis propinquus ades

    ...which translates to "If you can read this bumper sticker, you are both very well educated and much too close".

  7. Re:Always compare with a placebo on Network Intrusion Detection Systems Fail to Impress · · Score: 5, Funny

    Why use your program when we already have the Homeland Security Advisory System to raise meaningless alerts at random?

  8. Re:A False Alarm is still an Alarm on Network Intrusion Detection Systems Fail to Impress · · Score: 0, Offtopic
    ... As for stability, I think this report is correct, the only IDS I've used that didn't crash consistently was snort (with ACID)

    Whoa, you snort acid? Hardcore, dude!

  9. Re:Why sad? on Software Engineering at Microsoft · · Score: 1

    Does "O.J." stand for "Open Java", by any chance? No? Guess that explains it.

  10. Re:Yes, this is worrisome on Digital Dark Ages? · · Score: 1
    Historians of the future will wonder how we ever evolved from the barbarism...

    What makes you think we will? ;)

  11. Re:USB devices can require reboot on Win2K on Software Engineering at Microsoft · · Score: 1
    Thanks for the info. It's a plausible theory, but here's mine: required reboots, along with BSODs, are caused by Microsoft's black ops department, intended to keep the productivity of the rest of the world low in order to reduce competition.

    Microsofties add a special registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\PraiseBeToBill\Reboots = No
    ...to their own machines so that they can work reboot-free, while the rest of us have to suffer! ;)
  12. Why sad? on Software Engineering at Microsoft · · Score: 3, Insightful

    Not everyone can know everything. Why discriminate against good information based on its age?

  13. USB devices can require reboot on Win2K on Software Engineering at Microsoft · · Score: 2

    I've seen Windows 2000 request a reboot when moving an installed USB modem from one USB port to another. So it's not as though unnecessary reboots are something from Microsoft's dark, distant past.

  14. Re:God help them... on Software Engineering at Microsoft · · Score: 1
    You're not kidding. Apparently they originally used a source-code control system that was "internally developed, maintained by a non-NT tools team" with "no branch capability". He isn't specific about how this might have changed later, except that "Windows [2000] team takes ownership of source code control system which at this point is on life support". Sounds like they might have benefited from a port of RCS or CVS?!

    I realize that would have completely contradicted company dogma, but did every Windows user in the world have to suffer as a result? Think of the time and aggravation saved if a smooth-running SCC system were used from the start!

  15. Re:Corn: The Culprit? on Scientific Battlegrounds in Diets · · Score: 1
    I know what an allergist is, thanks. I just didn't think my chances of running into one to ask about the effects of corn on body weight were very high.

    they make an ideal test bed for what elimination of certain foods and combinations of foods from one's diet mean to attributes like body weight, etc..

    OK, thanks. So you're simply claiming that many allergists have noticed a strong correlation between corn and body mass?

    Corn and corn products tend to have high glycemic indexes, but in that respect they're not that different from highly refined wheat products and things like white potatoes, all of which are similarly good at quickly spiking your blood glucose levels (and thus should generally be avoided). Doesn't the weight-gaining effect of corn arise from this?

    If so, it's simplistic to just blame corn. For example, puffed rice can have a higher glycemic index than e.g. cornflakes, and white rice can have a higher index than cornmeal (I say "can have" because the specifics vary a lot in practice). So a lot depends on refinement and preparation techniques.

    I would think the french fry and therefore the potato has had at least as great an effect on the weight of Americans as corn. Not to mention refined breads and sugars. It isn't really fair blaming corn for corn syrup, since once sugar is refined to that level, the only discriminators are the relative quantities of glucose, sucrose, fructose, etc.

  16. Re:I always wondered about units of measurement... on Slashback: Zoning, Linking, Fooling · · Score: 2

    Actually, it'll appear to take forever from your point of view, but from my point of view with my bicycle speedometer reading 1 billion nano-c, the trip would appear instantaneous (zero time). But no matter which way you look at it, my fundamental problem is that I can't seem to pedal fast enough...

  17. Re:The Vatican is killing thousands of Africans on Italian Police Censor "Blasphemous" Websites · · Score: 1
    So the Vatican may not kill you for besmirching the name of a legendary, likely never-having-existed woman who sired the bastard Christian demigod Jesus (though they do apparently think nothing of violating your basic right of free expression for doing so), but they'll certainly encourage you to kill yourself via unsafe sex, especially if you're an African.

    A wonderful quote, it's going up on my bulletin board, thank you.

  18. Re:Amazing on Italian Police Censor "Blasphemous" Websites · · Score: 2
    Wonder what the world will look like in 20 years? 50? 100?
    one big shopping mall
    ...right next door to one big jail.
  19. Censorship alert! Censorship alert!! on Italian Police Censor "Blasphemous" Websites · · Score: 2

    Hey, are you trying to censor the guy because you think he blasphemed? If so, and you are a US resident/citizen, please turn yourself in at the nearest ACLU or EFF offices for corrective brain surgery. Don't worry, a frontal lobotomy will not seriously reduce your ability to believe in imaginary entities.

  20. Solution: be your own God! on Italian Police Censor "Blasphemous" Websites · · Score: 2
    Being your own God seems to work for many charismatic or just plain rich business, political and of course religious leaders in the US. I don't think I need to name names...

    What most people don't realize is all the advantages of being your own God: first, you know God exists, so the tricky theological questions are minimized. All doubt evaporates when you realize that your word is law, and thus you cannot possibly ever be wrong, even in theory. You can communicate with God easily, and in fact, you always know what God is thinking. In any case, even the Christians say things like "God is in your heart", so really this "meotheism" is actually consistent with Christianity in that respect. Self-godhood is also, of course, fully consistent with general everyday American self-centeredness.

    So when I take my citizenship oath, if I have to mention the word God, I'll be thinking of yours truly. USA: one nation under me ! Bwahahaha!

  21. Re:Corn: The Culprit? on Scientific Battlegrounds in Diets · · Score: 1

    I've never met an allergist in my life, afaik. Could you give us a clue?

  22. New vs. Old Coke urban legend on Scientific Battlegrounds in Diets · · Score: 2
    That's the same time we went from granulated sugar as a sweetener to High Fructose Corn Syrup, because it was easier for the food industry to deal with liquid rather than powdered supplies; welcome to "Old Coke"/"New Coke"/"Old Coke But Not Really".

    Coke apparently began switching to high fructose corn syrup in 1980, and completed the switch by six months prior to the intro of New Coke. However, the New Coke debacle did spawn the urban legend to which you refer, described on this urban legends page:

    An interesting little claim sprang up in the wake of the introduction of Classic Coke, one having to do with its sweetener. People swore they detected a change in the flavor between Classic Coke and the original. This gave rise to the rumor that the product had been reformulated, dropping cane sugar in favor of high fructose corn syrup. Depending upon whom you listened to, either the demand for the return of original Coca-Cola afforded the company the opportunity to switch from cane sugar to corn syrup or the whole fiasco of taking original Coca-Cola off the shelves and reintroducing it three months later as Classic Coke was all a brilliant scheme to mask the change in sweetener. According to whispered wisdom, the company had hoped to slip the modification past consumers by having it take place during the original beverage's absence from the shelves. People would be so darned glad to have Classic Coke back that they wouldn't notice it didn't taste the same as original Coca-Cola. (Another twist to this rumor had it that New Coke had deliberately been formulated to taste awful in order to facilitate the switch -- this supposedly gave Coca-Cola an excuse for pulling the original formula and then putting it back on the market after a brief absence, making it look all along as if they were simply responding to consumer demands.)

    The change in sweetener wasn't anything that diabolical. Corn syrup was cheaper than cane sugar; that's what it came down to. In 1980 -- five years before the introduction of New Coke -- half the cane sugar in Coca-Cola had been replaced with high fructose corn syrup. By six months prior to New Coke's knocking the original Coca-Cola off the shelves, there was no cane sugar in American Coca-Cola. Whether they knew it or not, what consumers were drinking then was 100% sweetened by high fructose corn syrup.

  23. Re:I always wondered about units of measurement... on Slashback: Zoning, Linking, Fooling · · Score: 1
    convincing the general populace would be just about impossible, especially considering how much trouble some countries are still having adjusting to the metric system ;)

    Yeah, but think of the potential for the geek & nerd subculture to further distance themselves from the real world by using units that no-one else has even heard of!

    I've previously played with fractions of the speed of light, as a way to liven up my bike riding (which I do mainly as a marginally non-boring form of exercise). This makes 12mph sound a lot more exciting: it works out to 17.9 nano-c, i.e. 17.9 billionths of the speed of light. Most electronic bike speedometers let you calibrate them to any units you like, so for a while I had my speedometer set to show my speed in these units. If you do this, it helps to already be familiar with kilometers, since 1 nano-c is fairly close to 1 kph (actually about 1.079 kph).

    I gave this up when I realized that it was going to take me forever to cover the four light years to Alpha Centauri...

  24. Re:don't you mean decimal time? on Slashback: Zoning, Linking, Fooling · · Score: 4, Informative
    doesn't the word metric come from meter? or is it the other way around?

    Neither, really, although it's true that the "metric system" is based on the meter as one of the fundamental units of measure. But both words ultimately derive from the Greek word "metron", meaning "measure". That's why the little dials that measure your electricity usage, for example, are also called "meters", and why software developers use the term "metrics" to refer to measurable aspects of their systems.

    surely the correct term is 'decimal' and not 'metric' time.

    "Metric time" is presumably meant to imply that the system of time in question would properly belong to the metric system of units. But you'd be correct in assuming there's nothing intrinsic about "metric time" that relates it to the "metric system", other than that both systems rely heavily on powers of 10.

  25. Nien? on Uptime Realities in the Internet World · · Score: 3, Informative

    Nein!