Perhaps ISPs should work with server operators to make their servers better equipped to prevent entry by a nefarious source...
I actually wrote all the Terms & Conditions of service for an Asian ISP last year, and I made a point of including a section which made the customer responsible for having a secure system, or the ISP could cut their access.
Unfortunately ISPs don't (generally) have the resources required to police all their customers, and thus the problem is ignored.
I strongly agree that the problem is with all those broken boxes hanging off the internet, and not the site administrators at the target.
We are slowly moving towards automated self-updating servers, but don't hold your breath!
There is not a lot you can do if 500Mb/s starts trying to ram itself down your 100Mb/s line. These vulnerabilities are an inherent part of the infrastructure.
While the state of the art in withstanding an attack has advanced measurably with the new kernel (SYN cookies, etc.), the Ramen Worm and other recent security problems have shown pretty conclusively that it takes a long time for security patches and package updates to make it into production servers.
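The SYN cookie mechanism mentioned above, as an added example that is not from the original thread or from any kernel: instead of queueing a half-open connection per SYN (the state a SYN flood exhausts), the server folds a time counter, an MSS class and a keyed hash of the connection 4-tuple into the SYN-ACK sequence number, and validates the client's final ACK from that number alone. The secret, the MSS table and the field widths are assumptions for the demo, not the layout any real stack uses.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real implementation keeps this in the kernel and rotates it.
SECRET = b"constructed-demo-secret-do-not-reuse"

# The cookie must carry the client's MSS, so it is quantised to one of a few classes
# and only the index is stored (3 bits). Table values are an assumption for the demo.
MSS_TABLE = (536, 1300, 1440, 1460)

COUNTER_BITS = 5      # slow time counter, 64-second ticks
MSS_BITS = 3
MAC_BITS = 24         # 5 + 3 + 24 = 32-bit sequence number
MASK32 = 0xFFFFFFFF


def _counter(now):
    return (int(now) >> 6) & ((1 << COUNTER_BITS) - 1)


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed hash of the connection 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac) & MASK32


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now=None):
    """Validate the final ACK of the handshake (ack = cookie + 1).

    Returns the MSS to use for the connection, or None if the cookie is stale,
    forged, or belongs to a different 4-tuple.
    """
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & MASK32
    counter = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)

    # Accept the current tick and the previous one: the handshake may straddle a
    # boundary, but a cookie captured minutes ago cannot be replayed.
    current = _counter(now)
    previous = (current - 1) & ((1 << COUNTER_BITS) - 1)
    if counter not in (current, previous):
        return None

    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Constructed exchange: SYN arrives, server answers with a cookie, ACK is validated."""
    client = ("198.51.100.7", 40000)
    server = ("203.0.113.5", 53)
    t0 = 1_000_000.0
    isn = make_cookie(*client, *server, client_mss=1460, now=t0)
    ok = check_cookie(*client, *server, ack_number=isn + 1, now=t0 + 1)
    replayed_late = check_cookie(*client, *server, ack_number=isn + 1, now=t0 + 300)
    return ok, replayed_late
```

The trade-off the thread is circling is visible here: the server keeps no state, so a flood of SYNs costs it one hash each and nothing else, but it also loses TCP options it cannot squeeze into 32 bits, and the 24-bit MAC is only as strong as the secret rotation schedule. None of this helps when the attack saturates the link itself, which is the next poster's point.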
Unfortunately my friend this has nothing to do with OS kernels, and everything to do with infrastructure elements like pipes, routers, switches, and firewalls.
The infrastructure cannot handle the level of load being placed on it when these attacks take place.
I agree you can actually DOS a server, but these attacks were against the infrastructure.
I guarantee you that Akamai will patch far faster than microsoft did their own DNS servers.
Except that Microsoft were running their own Microsoft-based DNS servers, and were thus not affected by these latest announcements.
Microsoft's mistake was to put all their servers on one subnet, and allow a change to be performed on a mission-critical router without proper approval, as far as I can work out.
The interesting thing is that their marketing machine managed to hush this up so well: if it had been Cisco, they would have been toast.
Well, they're on /. , I don't think they can be "in the wild" much more than they are now.
Because this announcement is on slashdot does NOT imply there are exploits available in the wild for these security holes.
An exploit "in the wild" implies it is generally available to any script k1d that wants to download it, and as yet there are no "known" attack exploits available on the popular crack download sites.
This does not mean there are no exploits available. A very skilled cracker (or hacker doing it on a theoretical basis) may already have worked out what code he can get by the BIND signature parser buffer overflow, and thus what he can get the CPU to run.
I hasten to add though that because of the way BIND parses its input to this buffer, the attacker cannot actually run arbitrary code, but only use code containing characters which can get through the parsing routine.
After a while, you realize all OSes basically look and act the same, but just have different flavors. Foreign languages are the same way. Let's end the OS jihad(sp) soon.
Right on man... pass that pipe over here, then pass it round to everyone else!;-)
As the previous poster indicated: it's a free service. If you don't like it you don't have to use it.
As to your bizarre rant about them probably thinking "BSD and Linux users were just like their brain-dead Windows users", well that's about as smart as jamming your head in the car door. It's comments like this which give the whole free software movement a bad name.
If Tucows is a windows site it is their right, just as slashdot chooses to be a non-windows site, and just as linux.org chooses to be a non-windows site, and just like sun.com chooses to be a Sun site!
Oh, puh-leeze. The graphics of the PS2 are so far ahead of the PS1 that there's no comparison. Take a peek at the opening video for Tekken Tag Team. Then look at it twice more, and look at the detail... hair, lips, water, lens flare, etc.
Yeah, looks great... pity the game only features 2D backgrounds and doesn't look a patch on Soul Calibur. Plays well, though that's not what we're talking about here.
Does the Dreamcast have component video out? I don't think so. My PS2 is hooked up to my 36" XBR Wega via the component inputs, and the DVDs and games look absolutely stunning. I have a Sony DVP-S7000 reference-grade ($1,500) DVD player, and it's nearly as good as that.
Yes it has component out. Mine is hooked up to the TV using S-video connectors, and at work to my monitor.
If your PS2 looks as good playing DVDs as your *ahem* Sony "reference-grade" model then either your Sony is a stinking pile of crap, or your DVDs have been burned from their VHS equivalents. If you can't see the difference in quality then you sir are a fool for buying high-end equipment when your eyesight/perception is too low to use it. Not that I would ever class Sony kit as high-end.
Speak not from whence you know not. Look at the unit on quality equipment, and there's no going back.
You sound like a spoiled 5 year old. *sigh*
/rudeness on Oh please...
Forget about world hunger, mid-eastern holy wars and homeless people, we need mass acceptance of the NET! /rudeness off
No one needed the car, the telephone, or the aeroplane either. That never stopped everyone gaining access to these facilities, and it never stopped world hunger everywhere.
If I had said that everyone needs net access then your comments might have had some weight, but I was commenting on the strategies of the companies on this "lovely" capitalist planet of ours, and their ability to generate money.
It really does look silly to flame someone for something they never even said, you know.
As to your comments on rebated PCs, we in the UK have happily embraced cheap mobile phones based on subscribing for a year at a time to get handsets for next to nothing, so who is to say the same model will not work with net access, considering the company marketing it is one of the biggest, most well known brands in Europe whose phones we all use!
I think the poster is referring to the fact that computer technology to most young people nowadays means PC-class computers (or at best a Sparc platform) in their house or on their office desk. They rarely have access to large TPM environments.
The days of wonderlust at a piece of "big iron" are long fading, though I get to play with an E10k sometimes (but it's live, so I can't 'tinker' :-)
... and Amdahl are still making them!!
Amdahl will continue manufacturing its existing 31-bit S/390-compatible systems until March 2002 and will continue to provide service and technical support until 2007
A bit of detective work on google found the following info from trying to implement Ada on the 2200 36-bit architecture:
We are working with Unisys on an Ada 95 implementation for the 2200 series machines. Those machines are 36-bit, 1's complement machines.
Originally, we did not think there was a problem here. After all, the C compiler supports a full 36-bit unsigned type. We would just copy that implementation.
However, on further inspection, that turns out not to be so easy. The C compiler had major problems with the unsigned type. Ultimately, two versions of the C compiler were built, one to pass the C validation tests, and one to actually use. To pass the C validation tests, Unisys built a compiler which emulated 2's complement math for this machine! That was done by doing all operations as 72 bit operations, and then reducing the result. Obviously, they did not want to use that implementation for production use.
In summary, if you read the Ada article it seems there are a whole lot of issues with a 36-bit machine, like having to do everything at 72-bit so you can divide by 8 again!
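The arithmetic the quoted Ada note is describing, as an added example that is not from the original thread, from Unisys or from the Ada team: a model of 36-bit ones' complement words as the 2200 hardware adds them (end-around carry, two representations of zero, a sign bit at bit 35), next to the "do it in 72 bits and reduce" emulation the validation compiler used to get C's modulo-2^36 unsigned semantics. Word width, helper names and the sample values are the example's own.

```python
WORD_BITS = 36
MASK = (1 << WORD_BITS) - 1              # 36 one-bits
NEG_ZERO = MASK                          # ones' complement has two zeros: 0 and ~0
SIGN_MAX = (1 << (WORD_BITS - 1)) - 1    # largest magnitude a native signed word holds


def from_int(n):
    """Encode a Python int as a 36-bit ones' complement word."""
    if abs(n) > SIGN_MAX:
        raise OverflowError(f"{n} does not fit in a 36-bit ones' complement word")
    return n if n >= 0 else (-n) ^ MASK


def to_int(word):
    """Decode a 36-bit ones' complement word (both zeros decode to 0)."""
    if word >> (WORD_BITS - 1):          # sign bit set: value is -(~word)
        return -(word ^ MASK)
    return word


def ones_add(a, b):
    """What a ones' complement adder does: 36-bit add with end-around carry."""
    s = a + b
    return (s & MASK) + (s >> WORD_BITS)


def emulated_unsigned_add(a, b):
    """The validation compiler's approach: compute in 72 bits, then reduce mod 2**36,
    which is what C requires of a 36-bit unsigned type."""
    wide = (a + b) & ((1 << 72) - 1)
    return wide & MASK


def emulated_unsigned_mul(a, b):
    """Same idea for multiply: the 72-bit product is reduced mod 2**36."""
    wide = (a * b) & ((1 << 72) - 1)
    return wide & MASK


def unsigned_fits_natively(value):
    """A 'full 36-bit unsigned' value above 2**35-1 has its sign bit set on this
    hardware, so native signed arithmetic would treat it as negative."""
    return 0 <= value <= SIGN_MAX
```

Two results show where the pain comes from: `ones_add(MASK, 1)` is 1 on the native adder, where C's unsigned wrap-around demands 0, and `1 + (-1)` comes back as negative zero, a bit pattern that is numerically 0 but not equal to 0 when compared as raw bits. Any bounds check or hash written with two's complement habits silently misbehaves on such a machine, which is why the emulation had to widen to 72 bits before reducing.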
At this rate it's no wonder Emacs turned out so bl**dy complicated!
68bit wouldn't really make sense, since there should be one parity bit for every byte. 64 / 8 = 8 bytes, so 72bit would make more sense than 68.
Aha! I had forgotten why 36bit was actually used in the first place: it makes sense again:-)
So why don't we use parity bits in the data path any more? Is this because of self-checking ECC-RAM (for instance), or because of more reliable processors/manufacturing processes?
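The per-byte parity arrangement behind the 64 + 8 = 72 arithmetic above, as an added example that is not from the original thread: each byte is stored with one even-parity bit, a single flipped bit anywhere in the 72 is caught, and two flips inside the same byte are not, which is the gap ECC (single-error-correct, double-error-detect codes) closes and parity alone never can. The bit layout, the sample word and the fault positions are constructed for the demo.

```python
def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of one-bits, so the 9 stored bits
    always carry an even count."""
    return bin(byte).count("1") & 1


def encode72(word64):
    """Store a 64-bit word as 72 bits: each of the 8 bytes is followed by its parity bit."""
    if not 0 <= word64 < (1 << 64):
        raise ValueError("expected a 64-bit word")
    stored = 0
    for b in word64.to_bytes(8, "big"):
        stored = (stored << 9) | (b << 1) | parity_bit(b)
    return stored


def decode72(stored):
    """Recover the 64-bit word and the list of byte positions whose parity check failed."""
    data = bytearray()
    failed = []
    for i in range(8):
        chunk = (stored >> (9 * (7 - i))) & 0x1FF   # 8 data bits + 1 parity bit
        byte, p = chunk >> 1, chunk & 1
        if parity_bit(byte) != p:
            failed.append(i)
        data.append(byte)
    return int.from_bytes(data, "big"), failed


def flip_bit(stored, position):
    """Simulate a memory or bus fault by inverting one stored bit (0 = parity bit of byte 7)."""
    return stored ^ (1 << position)


def fault_demo():
    """Constructed word pushed through one single-bit fault and one double-bit fault
    in the same byte; returns the failed-byte lists for each."""
    word = 0x0123456789ABCDEF
    stored = encode72(word)
    _, single = decode72(flip_bit(stored, 3))                  # one data bit of byte 7
    _, double = decode72(flip_bit(flip_bit(stored, 3), 4))     # two data bits of byte 7
    return single, double
```

`fault_demo()` returns `([7], [])`: the single fault is pinned to byte 7, the double fault passes as clean data. Parity can only ever report a problem, it cannot say which bit, so the machine's sole recourse is to halt or re-fetch; an ECC word spends its extra bits on a code that locates the error instead.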
Unisys still use a 36 bit architecture in their 2200 mainframe class machines.... caused no end of grief to the new graduates at the last place I worked, on a UK banking system *grin*
Interestingly enough, these machines still power most of the airline reservation and core banking systems in a significant part of the world.
If someone came up with a 68bit (for instance) architecture nowadays we'd all be on /. accusing them of smoking crack!
If we could combine this technology with this technology, then we could reach a stage of rapid advancement in screen technology which could revolutionise the way in which computers and information are displayed.
Pioneer also announced work in this area several years ago... I wonder what happened to it.
I remember reading that scientists had also created an LCD technology which absorbs and reflects more background light, but I cannot find the article anywhere :-(
There is a problem: how to give cheap net access to the masses so that it becomes as common and easy to use as the telephone.
Sun have been raving about this for years, and it is behind both their push on Java and distributed processing: they figure if they provide the infrastructure, then that is where they can make their money.
In Europe at least, Nokia is the premier mobile phone brand (though I use a Motorola v50), and the average consumer:
a) Has heard of Nokia,
b) Has trust in the company, and
c) expects a Nokia device to be easy to use
So bully for Nokia! If they can get these devices into the marketplace then they can probably persuade Joe consumer to buy one.
Aren't these aimed at professional workstation markets where cutting edge graphics and surround sound don't matter as much as the raw CPU speed and RAM/hard drive space?
If you actually do mean Professional Workstations, then these are the machines where an integrated system will not cut it. Most workstation class machines imply they are used by power users for graphic design / modelling / CAD, etc. and are usually based on the best-of-breed components when they are sold, like multi-thousand pound graphics cards with high-end SCSI drives.
If on the other hand you meant office-class machines for people like myself to use office/outlook/visio (which I think you did!) then you are spot on with your observations.
While integrated chipsets provide manufacturers with a low price-point for their value machines, they have little worth if you actually need any of the integrated parts to be either high-performance or high-bandwidth.
Can't argue from the point of view of cheap desktops for the office however.
I have two machines linked together by a crossover ethernet cable. Can you hack into that network? I'd be impressed if you could
A fairly simple manner of splitting the cable and installing my own junction, or attaching my laptop to one of your machines via a serial port /joke
Anyway, as soon as I saw your comment, I got into your master server (which I noticed connected to the Internet on 127.0.0.1 hah!!), and have told the police about your massive pr0n and war3z collection! You should now notice your hard disk is thrashing as my rm -r * takes effect suX0r!
Whoops! Hang on? Why is MY disk thrashing... aargh!!
Quantum: in the true spirit of the new millennium (seeing how I have just booked my Lunar Holiday and the space suit is down the dry-cleaners), I appreciate your viewpoint and would like to apologise if you thought I was attacking you!
Your point as to pointing out that no-one had actually looked at the source of the patch was an extremely valid and important one.
As to distinguishing between network and software security, well I started as a coder and moved into whole architectures, so I'm a generic security consultant... no need to differentiate us!
Now that I know what to simulate, I'll rig one of the honeypots and see if the script tries the exploit, or if the crackers wait until later after a positive hit to try their luck. But that will wait until tomorrow, beer is calling:-)
They actually let you run a honeypot? You lucky thing! The chances of me actually managing to produce a business justification for one are pretty slim. Management happily spend money on top-end NetRangers etc. which is nice, but this is one step too far for them!
And besides, if I ever choke out one of the routers, it's good justification to accounting to buy bigger routers :-)
Extremely good point: like accounting would ever understand that processor saturation is down to multiple ACLs....!
Perhaps I'm just insanely naive? :-)
You are naive, but not insanely so.
Excellent description at The Register.
You're never going to /. the BBC ... they are publicly funded, so they are very adept at wasting squillions of quid buying big server farms. :-)
What do you want then?
word size   char size   chars/word   architecture   Company
16 bits     8 bits      2            Mini/Micro     Intel, Moto, DEC, DG
24 bits     6 bits      8            PDP??          DEC
24 bits     xxxxxx      ?            DSPs           TI, Moto
36 bits     6 bits      6            1100           Univac/Sperry/Unisys
36 bits     6 bits      6            GCOS 8         GE/Honeywell/Bull
36 bits     9 bits      4            1100/2200      Sperry/Unisys
36 bits     9 bits      4            GCOS 8         Honeywell/Bull
48 bits     6 bits      8            A/B series     Burroughs/Unisys
48 bits     8 bits      6            A/B series     Burroughs/Unisys
60 bits     6 bits      10           6000           CDC
60 bits     7 bits      8            6000           CDC
God I must have some work to do!!
Where will it all end? ;-)
I wonder if it is one of those Celerons with like 2 bits of cache?
Nah: Intel stopped making those years ago. The first of the new breed with 128KB cache was the 300A.
All Celerons since then have been as fast as their P2/3 equivalents (excepting 100MHz FSB).
How is this off topic and a guy 15 comments down is 4 (Funny)?
Even better than that, it was modded to Troll first! Howzat then? Me, the 13th Duke of Glasgow, in an internet chatroom, with my Karma?