Slashdot Mirror


User: Medievalist

Medievalist's activity in the archive.

Stories: 0
Comments: 2,620

Comments · 2,620

  1. Do you always genuflect when you say UNIX? on DECnet Isn't Dead · · Score: 2, Insightful
    Lots of things just simply can't be done on VMS.
    Anything the hardware is capable of can be done on VMS. Unless you suck as a programmer, in which case the problem is not the opsystem.

    VAX/VMS had 64-bit computing, seamless virtual memory management, no root superuser, granular permissions, clustering, and all the other stuff *nix is just getting now (thanks to Hans Reiser, Ted Ts'o, Linus Torvalds and friends) decades ago. VMS was also the first POSIX-compliant system, didja realize that?

    The problems with VMS were that it was expensive and closed source, and it was unfriendly to people whose native language was not English (which is why Torvalds hated it, incidentally).

    I left unix for VMS because the unix geeks were condescending and unable to admit their OS had flaws, which made it impossible to fix them. I left VMS for linux because the linux geeks were actually addressing the fundamental flaws of unix.

  2. OK, so what you're saying is.... on Sun's COO Distorts Free In Free Software · · Score: 1

    ... that this Jonathan Schwartz guy would fit right in here on slashdot.

    I'm kidding, Rob! Kidding!

  3. Re:He's right, of course on We Don't Need the GPL Anymore · · Score: 1
    Adam Smith would disagree with you that giving back is better for the society. In a free market, it is the self-interest of capitalists that ultimately enhance society and sustain the free market.
    Last time I checked, Adam wasn't the sort of idiot who denied the evidence of his own senses. Dig: I am a capitalist. It is demonstrably in my self-interest to "give back" as you guys put it. Therefore, according to another dead guy named Aristotle, giving back does not conflict with the self-interest of a capitalist. Therefore, your argument is constructed of Green Moon Cheese [TM].

    I have doubled my salary by using GPL'd code (which, oddly enough, I actually pay for, because that's in my own self-interest) to increase my employer's profitability.

    Stop theorizing and acting like your theories are reality. You have no idea how evil Bill Gates is, he could be the reincarnation of Jesus or he could be secretly running puppies through a blender in his basement and you would have no way of knowing.
  4. MVS IP stack on We Don't Need the GPL Anymore · · Score: 1

    Yes, I know. In fact I've installed it on a 9672 and a 4381. It's a port of the VM code, complete with the same bugs.

    But before IBM came out with their officially blessed TCP/IP stack there were already mainframes on the Internet (at least for email and file transfer purposes, anyway). There were bitnet gateways at Penn State and I think Berkeley (through some ungodly UUCP-cabled nightmare, I seem to recall?) in the middle of the 1980s if not earlier. And I think somebody - Joiner Associates? - had a third-party MVS TCP/IP subsystem on the market before IBM finished building the VM one.

    On the other claw, MVS didn't really get a fully functional TCP/IP stack until MVS-TCPv3r1 reached about 1500 patches... so your post is pretty appropriate...

  5. Take a tip from the IETF on We Don't Need the GPL Anymore · · Score: 4, Insightful

    There is a difference between adopting an open standard and replicating a code base.

    Software monoculture leads to catastrophic failures in a connected world. Look how Ultrix, which had a (somewhat) independent code base, was immune to the Cornell worm when most of the Unices dropped off the Internet nearly simultaneously. Would it have been better to have every box on the Internet die? Or was it better for the VMS, MVS, and Ultrix machines to stay on-line?

    Re-inventing the wheel is not always a bad thing. Your wheel can have cleats and sipes the old one didn't have, and still be bolt-on compatible.

  6. An aloof cat is now staring at you blankly on U.S. Scientists Create Zombie Dogs · · Score: 1
    I'd rather deal with a crap-eating dog which will take orders, than an aloof cat which just stares at me blankly.
    If you want something that takes orders, might I suggest a robot or a human slave. Dogs are too stupid to do your housework, and haven't the dexterity to open your beers.
  7. Re:A central database is open to abuse. on IETF Approves SPF and Sender-ID · · Score: 1

    Good point. Unfortunately, well-meaning attempts to free the DNS have met with overwhelming apathy.

    My systems use the alternate roots as well as the standard/fascist/american/corporate (pick any you like) one. The end-users don't even notice or care, though.

  8. Parent is OVERRATED on IETF Approves SPF and Sender-ID · · Score: 3, Informative
    It's all well and good that something is being attempted to alleviate spam in this manner
    SPF and Sender-ID are anti-forgery technologies that do nothing to block spam.

    There is ample documentation available. Try this if you've got a PDF viewer.

  9. Re:Metalcasting on What Ancient Tech Do You Do? · · Score: 1

    What do you rinse with?

    I'm wondering what I should clean my silicon carbide crucible with (it holds about 15 lb of bronze).

  10. Re:Answer the question! on What Ancient Tech Do You Do? · · Score: 1
    I would suggest picking up a cheap blender to use for your kewl pest-control experiments, in the event you're unknowingly blending up something that makes anthrax look like chicken pox!
    Good advice, if you are blending dead things you've found in the woods you are almost certainly working with live anthrax.
    Could backfire too, someday you might find mutant super-caterpillars impervious to any bacteria eating your trees and your dog.
    That's not impossible, but it's somewhat unlikely; the benefit of using micro-organisms instead of raw chemicals is that the microbes will co-evolve with their host environment. If the prey have a slower life-cycle than the predator (like, for example, bacteria vs. caterpillars) the predator evolves faster and the system should settle into a dynamic equilibrium... a good predator does not kill *all* its prey, and the trees can support *some* caterpillars.

    Diversity in your local ecosystem is good, it makes your kids grow up strong.
  11. There are other similar societies, too. on What Ancient Tech Do You Do? · · Score: 2, Interesting

    Markland, the Tuchux, the Norse Film and Pageantry Society, Acre, The Sealed Knot, Dagorhir, Milites Normanorum, all do some kind of sword'n'axe type live combat recreation.

    Several of those listed above do "live steel" combat, with varying levels of realism and danger. SCA does stickfighting and fencing. Dagorhir & its offshoots do padded sticks, Markland does live steel, padded sticks, and fencing.

    All require equipment which is easier (and more fun) to make than to purchase... lots of geeks are into it more for the craftsmanship than for the adrenaline rush.

  12. There's a difference between Ancient and Medieval on What Ancient Tech Do You Do? · · Score: 3, Interesting

    You need to study more history. In most ancient cultures smiths were mystical figures, who gave up much for their mastery.

    For example, an ancient goidelic bronze-smith's life was generally short and often ended in madness due to the lack of forced ventilation technology. The arsenic and heavy metals naturally occurring in ores accumulated in the body and induced illness and psychosis. Consequently the smiths were often unable to have normal children; so of course fathers did not want their daughters to marry smiths. A smith who wished to marry might have to steal or buy a bride.

    The inherited, rigidly defined social and occupational classes you're talking about are a feature of medieval and post-medieval (e.g. Renaissance and Modern) culture, and are very rare in truly ancient times. In ancient times fostering and apprenticeships were more the norm, and typically a smith chose his apprentices or fosterlings based on aptitude and ability.

  13. Why the POW camp was next to the war plants on Censored Nagasaki Bomb Story Found · · Score: 1

    If you read the article, it repeatedly mentions that the armor plate factories and shipyard were staffed with Allied POW slave labor. The reporter is able to debunk a few of the claims made by the Japanese and American governments based on the testimony of these workers.

    The munitions plants, unsurprisingly, used Japanese workers.

  14. MOD PARENT UP on Linux For Losers According To De Raadt · · Score: 1

    If I had some mod points today, you'd get 'em, my man.

    Theo's technical chops are excellent, but Forbes chose to concentrate on infantile name-calling (which Theo is perfectly willing to indulge in) instead of real issues.

  15. Re:So what on Paul Graham Describes Dangers of Spam Blacklists · · Score: 1
    I still get essentially zero spam
    You just admitted your viewpoint is too limited to comprehend the issue.

    I use blacklists (most of which I built and maintain myself, although I also use the ORDB) to turn away over 5000 spams and viruses daily. You seem to think I have an obligation to accept them. I don't have any such obligation; and I'm perfectly willing to throw away messages from Yama Dharma himself if his lordship is using a spam-friendly ISP. Only commercial pressure will force the ISPs to act, only disgruntled users can provide commercial pressure on the ISPs. That's *my* choice, to be part of the free market, and help the good ISPs prosper while the spam-friendly ISPs die from dissatisfied customers. I prefer this method to heavy-handed government intervention, which doesn't cross international borders and always contains exemptions for the rich and powerful.

    Incidentally, I don't block gmail.com nor do I block email to the postmaster and abuse addresses, so if anyone complains politely I give them a gmail invite.
  16. Re:No, you don't understand how the zombies work on Zombie Report By ISP · · Score: 1

    You don't do tech support for family, Mr. Benjamin, because you are smarter than the average bear! ;)

    The zombie codebase morphs daily. There are guys who modify it on demand for the script kiddies; you can find them on IRC. If you block one port, they will use another. There are already several variations easily available; including ones that use ports 80 and 443. You can't block gramma from those, unfortunately.

    The ISPs have to step in and clean this up. It is trivially easy (from their position, since they have total m-i-t-m control of your packet flow) for them to detect and stop this crap. You will note that the worst per-capita offenders are the broadband ISPs who are insulated from competition by legislation - the comcasts, roadrunners, etc. of the net, who have regional monopolies and thus are not pressured to provide competent network administration.

  17. Re:What I don't like about BSD on Linux For Losers According To De Raadt · · Score: 1
    1. /usr/local has already been debunked by others. Use $PATH
    It hasn't been debunked, actually. Packages don't automagically compile into where your $PATH points, so figuring out modifications to makefiles is required if you don't like putting stuff in /usr/local. Think about it; the guy doesn't want to put packages in /usr/local by default, changing the $PATH is a copout on the lines of "you say you don't like grape juice, but grapes are healthy so you are wrong!". He's telling you what he dislikes and you can't debunk that.

    That being said, I personally do like /usr/local; I run HP-UX11 as well as other OSes and it's appalling how HP shoves things willy-nilly into /usr/local, /opt, /usr/contrib, /etc/opt, all in complete disregard of their own published standards. Do fiber channel drivers belong in /opt? I don't think so. OpenBSD does it better than most, and at least as well as most linuxes (better than Red Hat, certainly).
    2. Ever had two NICs in a box running Linux located in such a way that it is very inconvenient to open the box? I have to locate which is eth0 and which is eth1 just to make sure I don't misconfigure things, and the only way to separate them (even though they're a different make/model) is to find the bloody MAC address on it.
    I have at least four NICs in the majority of my production servers (a couple of them have six). Linux is the easiest of the OSes to find this information for. There are plenty of ways; you can get at least as much information as you say BSD provides simply by checking the startup messages (do the command dmesg|more and see) or you can get far more extensive information from various places in the /proc tree, right down to the PCI slot numbers and chip numbers if you know what you are doing.
    At least the BSD model narrows it down to the make/model of the NIC, so that ambiguous names are harder to come by.
    I'm not sure what you are talking about, unless it's the heinous *nix tradition of stupidly inconsistent device naming... which linux and several other *nix type systems are moving away from.

    In any case, OS flavor wars are retarded and ignore the basic truth that different tools suit different uses and different users, and more importantly the meta-truth that software monoculture is bad. As beautiful as OpenSSH is, we need more independently developed codebases for secure transports. Even if you think BSD is Allah's Own OS, you still should do nothing to discourage the use and development of alternatives.

    Theo's not an idiot. I bet he knows that saying those things will piss off the linux developers enough to fix any specific problems he mentions.
  18. Ooh, blackholing is TERRORISM now! on Paul Graham Describes Dangers of Spam Blacklists · · Score: 0

    Graham writes: For example, in order to get revenge on people they believed were spamming, MAPS would blacklist the mail server of the company hosting their site.

    Wrong. "Revenge" is completely off the menu. Paul's being a crybaby and refusing to look at anyone else's point of view.

    The truth is, MAPS blacklists the mail server of the company hosting the spammer because MAPS subscribers are willing to give up their ability to receive mail from some innocent bystanders if that will break spamhosters' profit model. That is the choice of those who use the blacklist.

    Graham also writes: This is, strictly speaking, terrorism: harming innocent people as a way to pressure some central authority into doing what you want.

    Now Paul's really gone over the top. Allowing MAPS subscribers to block email is "harming innocent people"? Get a sense of proportion, man! Terrorism has a definition, although some dispute the details and this isn't it. Where's the terror? Are you living in fear that your email might be blocked, because you use a spamhoster? I don't think it's MAPS' fault if you are terrorised; I hope you are not, but if you think you are, you need to see a psychiatrist quick.

    Once you get past the hyperbole in the first few paragraphs, Graham makes at least one valid point (his site has been wrongly blacklisted) and asks at least one pertinent question (who watches the watchers? answer: subscribers). But this article is mostly just a hysterical anti-blacklisting rant.

  19. No, you don't understand how the zombies work on Zombie Report By ISP · · Score: 1

    Incorrect. The zombies make the outgoing connection without gramma's knowledge; the firewall does not block it because it's outgoing.

    See, it comes in on an email, gramma clicks it, nothing obvious (to granny) happens. At some point (probably immediately after the next reboot) the zombie code connects to an IRC channel and waits for the secret word. It can wait forever, it doesn't care. When Groucho says the secret word, "Allez-allez-oxenfrei!" or whatever, all the zombies on the channel respond by switching to another channel where they say "YES MASTER I AWAIT YOUR BIDDING". Groucho tells them who to hit, how fast, and when.

    There are many variations. But, firewalls do not prevent infected machines from receiving their control channel, because the zombie initiates the connection.

  20. projected lifespan of the undead on Zombie Report By ISP · · Score: 1
    ...how long is the "lifetime" of such a zombie until the user finally cleans up his box?
    Can't give you an actual number, but I can make a few related observations.

    The performance penalty on the zombie does not hit until it is actually used in an attack. Even then, users severely infected with adware and spyware and tracking malware (that would be the majority of Comcast users on Windows, for example) see very little performance hit when they are part of a properly paced DDOS. Another approach, instead of pacing, is to only have the zombie participate in DDOSes during idle hours - broadband providers used to urge their customers to leave their computers on at all times, and many clueless techies still do make this recommendation (which Mom & Pop will blindly follow).

    People building botnets may allow their zombies to lie quiescent for years before actually using them or selling them to someone who will.

    So, a zombie lives until the user
    • a) buys a new computer (most commonly because "this one is so slow")
    • b) is traced by DDOS targets who make the ISP shut him down
    or
    • c) the owner notices the infection and takes steps to remedy it (very rare)
    There is theoretically a fourth way for a zombie to be terminated... the target of the attack responds by mulching the attackers. But that never happens. No responsible person would ever strike back, even though they'd never get caught or punished. All computer jocks are really Quakers at heart, you know. They just turn the other cheek.
  21. You got that right on Zombie Report By ISP · · Score: 1
    You'd get far more effect getting Comcast to reform
    Testify, Brother. Word.
  22. Firewalling is not the answer. on Zombie Report By ISP · · Score: 2, Insightful

    Sure, it's part of the answer, but if you don't keep your software patched up to date no firewall will help you.

    See, the point of being connected to the internet is to get email and access external resources. If you visit a web site that exploits your buggy browser, your firewall won't help you. If you click on an email that exploits your buggy mail client, your firewall won't help you.

    The primary means of infection for the most prevalent malwares is email. Firewalls don't prevent you from receiving email.

    That being said, you still should have a firewall. But keeping your OS and apps patched is even more important.

    Even patching+firewalling won't save you if you are stupid enough to run binaries from untrusted sources. A virus checker can help out with that, but it won't save you from brand-new virii.

  23. Portscanning is not an attack. on How Do You Handle Portscanning Attacks? · · Score: 2, Insightful
    Allow me to make a couple of points before I answer your specific questions...

    Don't confuse a portscan with a DOS attack. There is a difference, both in method and intent. Portscans are diagnostics or exploratory probes and are necessary for many benign purposes.

    I have been a comcast customer for many years at several locations. Their service is unreliable; the internet is sometimes unreachable and like all the big-name ISPs they let worms that could easily be stopped run rampant in their network. Their DNS infrastructure is also well below par. Since they have a regional monopoly, it is not necessary for them to provide a clean feed, there simply is no competition in their market sector.

    My comcast-connected systems are, like yours, portscanned constantly. So are my systems at work (where I have far less bandwidth in both directions) but I don't ever have connectivity problems on the non-comcast links.

    First, can anything be done with a simple at-home modem/Linksys router/two computer setup to stop a portscanning attack?
    Again, if it's really a portscan, it's not an attack. But let's say it's a DOS over multiple ports so it looks like a portscan... you can reverse-resolve the addresses, figure out Comcast's IP-to-physical location mapping (easier than it sounds) and go burn down those people's houses. Other than that, probably not.
    Second, is it possible for the Linksys router to become a 'bot' and actually be the originator of much of the traffic?
    In theory, yes, absolutely. That's why you keep it up to date on patches and always change the default password. Here in the Real World [tm] you haven't supplied the type of router or patchlevel you are using so I can't go look it up on Google or astalavista. Some cable interface boxes are pretty secure due to hardware limitations, others make very good bots.

    Finally... most people on comcast that have major problems are infected with viruses or worms, usually propagated by email. Those that are not are sometimes suffering from bad grounds - check that your cable system and the electrical outlets that feed your computer and television systems are all properly grounded.

    HTH, I'm off to dinner.
  24. Re:Sounds more like a DoS to me on How Do You Handle Portscanning Attacks? · · Score: 3, Informative
    Mere portscanning doesn't intentionally clog all bandwidth.
    True. Portscanning per se is harmless (some things that look like portscanning on cursory inspection are not).
    IANA network security expert, but I'd say put a more capable firewall behind the router (read: a Linux or BSD box) and make it the DMZ.
    No, bad advice; if a person would consider a port scan harmful (s)he is not qualified to run a secured general-purpose system (not even OpenBSD) as a firewall. Better to use a cable modem with an integrated firewall (making sure to keep it patched and not use default passwords) or a "dumb" cable modem with a dedicated firewall between it and the hub or switch (same caveats apply).
    At least you don't have some punk trying to find a weak username/password combo through SSH. (Silly script kiddie, you can't login to root through SSH on my box.)
    If he has port 22 live, and he's on broadband, then he certainly is experiencing the attack you are referring to. Everybody is.

  25. Re:Mac mini cost effectiveness is overhyped. on PC Prices Reach $300 Milestone · · Score: 1
    The rocket science allusion was funny, I think I had a lot fewer problems understanding rocket science than I've had with OpenLDAP. :)

    LDAP has to live on top of a database (with whatever issues the DB brings to the table) and at the junction point of SASL (which is raw) and Kerberos (which is complex) and NSS (which is unfinished) and PAM (which still doesn't have a solution for creation or modification of any account attributes other than passwords). And of course LDAP is clear-text, so it has to ride an encryption layer, and that in turn requires host authentication, which usually means you need TLS and X.509 certificate management. The core protocol really is lightweight - especially compared to X500 DAP - but there are all these other problems that come riding in on the coat-tails of any real-world LDAP deployment.

    Still, it's the only way I've found to co-ordinate the authentication infrastructure for all the major OSes simultaneously. If you don't need SASL, RADIUS, TACACS or Kerberos the complexity is manageable, but if you do need one or more of those you'll need skilled colleagues (or else plan on having no vacations).

    I guess I wasn't clear earlier, the $0.00 X-server I use is XFree on linux. Those programmers here that use MSwindows pay for their Xservers (they use hummingbird)... I'd like to get rid of the cost of X11 and other programs in the applications programming group, and I tested the OSX Mac with that in mind. It doesn't really work for the purpose, though; the re-education required for the MS users is no less than if I just gave them a Fedora or OpenBSD desktop, which is far cheaper.
    All operating systems suck, in different ways. The thing about Mac OS X is that it mostly sucks in ways that don't keep it from being really good for people who just want an appliance that works. And those are the people for whom "it just works" is hardest to do, and for whom "it just works" is most important.
    That's well put. I agree! To put it another way, the Mac has always tried for Larry Wall's mantra of "make the easy things easy, and the hard things possible" and with OSX they've really done a nice job. As I keep telling people, if you like OSX you should go ahead and buy a mac, but don't expect it to be the most cost-effective option. Very few people actually require the mac interface, but plenty of people like it, and why shouldn't they use what they like?