You'd have to explain why the building where this classified network resided had offices with glass windows, and terminals ('92 remember?) facing the windows.
So you were using dumb terminals that had floppy drives?
I'd rather have security people paid to be intelligent, than paid to be insane.
I think the point is that he is willing to believe that at the time the "paranoid" security folks put more thought into it (since it was their job) than you did. If they let you carry floppies out, maybe it was because they knew something that you didn't. Or were you actually successful at your espionage attempts?
The SYN packet is the first packet of a TCP session. It is the packet that the computer initiating the session sends to the server to initiate the conversation.
When the server receives a packet with the SYN flag set it replies with a SYN/ACK, at which point the client sends an ACK and the session is established.
The SYN traceroute will only work with hosts that are directly accessible from the outside and is useful for tracing to a publicly available server. The Hotmail trick is useful for tracing to non-publicly available clients.
The datagram in question is a fragment. There is no ICMP type 65535, valid values are 0-255, and the common ones are 0-18, however this data is only valid in the first fragment. This looks like part of a large ICMP packet.
Check your logs, there should be more of these fragments before this one. The first will have more useful information.
Re:Paranoid? Or are they really out to get us? (on Museum Of Broken Packets, Score: 5, Informative)
tcptraceroute works by sending SYN packets with incremented TTLs to publicly available servers on port 80 (or another public port). This passes firewalls because they are configured to allow traffic to these servers (hence "publicly available").
Again, this will not work if your firewall drops the outbound ICMP packets. In the case of tcptraceroute you will eventually get an ACK back from the server, so you will know how many hops it is behind the firewall, but no other information.
The hotmail trick is somewhat more insidious because it is used in the midst of a session, so the firewall will usually pass the traffic to a normally protected (even NAT'd) host.
Both are easily blocked with outbound filters.
Re:Paranoid? Or are they really out to get us? (on Museum Of Broken Packets, Score: 2, Informative)
This isn't hard to foil at all. The "attacker" (hotmail in this case) can already trace up to your firewall, but not beyond it. This allows them to get the _incoming_ packets past the firewall because they are part of an established connection, but the _outgoing_ packets will not be, they will be ICMP packets. Just block the outgoing TTL Exceeded packets (and while you are at it all ICMP except maybe ECHO) at your firewall.
It is as important to control what is leaving your network as what is coming in.
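Two of the comments above make points that are easy to get wrong in a filter: the "ICMP type 65535" log entry is a non-first fragment, so the bytes where the type/code would be are just payload, and the fix for the traceroute trick is an outbound rule that drops TTL Exceeded (and other non-echo ICMP). The following is an added example written for this page, not code from any of the posters; the function names, the 10.0.0.0/8 "inside" prefix and the sample datagrams (addresses from the TEST-NET range) are all constructed for illustration, and the direction check by source prefix stands in for the interface-direction test a real firewall would use.

```python
"""Fragment-aware ICMP inspection plus an egress policy (added example)."""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
               frag_offset: int = 0, more_fragments: bool = False,
               ident: int = 0x1234) -> bytes:
    """Construct a minimal IPv4 datagram (no options, checksum left zero) so
    the example runs offline without a capture. frag_offset is in bytes."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0,
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields a filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident, "ttl": ttl, "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload": pkt[ihl:],
    }


def icmp_type_code(hdr: dict):
    """Return (type, code) only when the ICMP header is really present: the
    protocol is ICMP and the fragment offset is zero. A non-first fragment
    carries a slice of the ICMP payload, so its first bytes are data, not a
    type field; reading them as one (e.g. 0xFFFF) gives nonsense like 65535."""
    if hdr["proto"] != IPPROTO_ICMP or hdr["frag_offset"] != 0:
        return None
    if len(hdr["payload"]) < 4:
        return None
    return hdr["payload"][0], hdr["payload"][1]


def egress_verdict(pkt: bytes, inside_prefix: str) -> str:
    """Policy from the thread: let echo out, drop every other outbound ICMP.
    A stateless filter cannot classify a non-first ICMP fragment, so it is
    dropped too (the conservative choice)."""
    hdr = parse_ipv4(pkt)
    if not hdr["src"].startswith(inside_prefix):
        return "ACCEPT"            # not leaving our network: not this rule's job
    if hdr["proto"] != IPPROTO_ICMP:
        return "ACCEPT"            # outbound TCP/UDP is handled elsewhere
    tc = icmp_type_code(hdr)
    if tc is None:
        return "DROP"
    return "ACCEPT" if tc[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) else "DROP"


# Constructed sample datagrams (addresses are documentation/test ranges).
INSIDE = "10."
TIME_EXCEEDED = bytes([ICMP_TIME_EXCEEDED, 0, 0, 0, 0, 0, 0, 0]) + b"\x45" * 28
SAMPLES = {
    "echo_out": build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_ICMP,
                           bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1]) + b"ping"),
    "ttl_exceeded_out": build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_ICMP, TIME_EXCEEDED),
    # second fragment of a large ICMP datagram: starts with 0xFFFF payload bytes
    "icmp_frag_out": build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_ICMP,
                                b"\xff\xff" + b"\x00" * 30, frag_offset=1480),
    "ttl_exceeded_in": build_ipv4("192.0.2.1", "10.0.0.5", IPPROTO_ICMP, TIME_EXCEEDED),
    "tcp_out": build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_TCP, b"\x00" * 20),
}


def run_samples() -> dict:
    """Verdict for each constructed sample."""
    return {name: egress_verdict(pkt, INSIDE) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

The point of `icmp_type_code` returning `None` is the same one the comment makes about checking the earlier fragments in the log: only the datagram with offset zero tells you what the ICMP message actually is.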
If it weren't for the need to have an updated photo, we could get our driver's licenses renewed online....
In Texas you can at the DPS website.
http://dps.texasonline.state.tx.us/
Now that all the photos are digitized they just print off another one. The website is recent, but for at least the last 5 years you could renew by mail if you had a clean record.
The Airline companies are worse. They have been responsible for airport security since the 1960's and they made the _business_decision_ a long time ago that it wasn't profitable to provide adequate security. When that decision bit them in the ass they begged the Feds to limit their liability. If they wanted to limit their liability they should have provided security in the first place. Now instead of figuring out that they _need_ to provide security or they'll be out of business they are begging the gov't to do it for them. So much for deregulation.
The reason NASA shouldn't outsource this is because NASA would then be the only customer. If you read the article the unnamed private corp. would get the shuttles, launch facilities, personnel, etc. and resell the services back to NASA. Presumably the corp. would do the job much better and more efficiently than NASA thereby saving the gov't money and still making a profit. This is what NASA did with orbiter maintenance.
The problem is thus: If there are efficiencies and cost savings to be realized NASA should be able to do so. By privatizing the Shuttle program any realized savings will be mitigated by the fact that the private corp. adds profit to all costs. Since NASA is still the only customer there is no economy of scale, there is only artificially increased scarcity. This will actually lead to higher costs than necessary.
What should happen is NASA should simply start doing a better job. Whatever cost saving measures they imagine a private company doing they should simply do themselves. The taxpayers paid for 100% of the development up to this point, if there are now savings or profit to be taken, it belongs to us, not Lockheed Martin or Boeing.
I still wouldn't say the DOJ is capitulating because of money. Recent polls have shown that the American people don't really care about Microsoft anymore, and that is why the Government is giving up and settling. Although they supposedly brought this case because MS broke the law, and the Gov't should pursue this kind of thing regardless of politics, if it isn't popular it isn't going to happen no matter who is President.
Transmeta's problem is not technology, it's public relations. As the article's author pointed out, after 5 years of secrecy they are not comfortable talking to the public. Add to that the fact that Intel is telling anyone who'll listen that Crusoe is junk. Do you really think Intel doesn't have anything to do with the lack of notebooks in the US with Crusoe processors?
Linux zealots blame MS for not being able to buy Linux laptops, but turn a blind eye to the Intel monopoly? What gives?
This article is a good example of the kind of press Transmeta doesn't need or deserve. The authors claim Transmeta is down the tubes, but don't provide any evidence of that (bad debts, layoffs, etc.) In fact Transmeta has enough cash to go 3 more years at the current run rate before becoming profitable. They may indeed go tits up or be bought, but it is _far_ too early to start nailing up the coffin.
I used Ricochet inside a tank-like commercial building with aluminum ceilings and got the highest connection rate. This was in North Hollywood.
You were lucky. As I said the cells are small so you are either in or out. Contrary to what some other poster said the frequencies Ricochet uses (2.4GHz and 900MHz) are line of sight, but do have _some_ building penetration.
When I signed up, the guy said the biggest myth about Ricochet was that it was only good outdoors, or while you were moving.
That is exactly what it was designed for. If a sales dood told you differently he was either misinformed or he lied.
It can do that, too, but if your house or apartment or office was in a coverage area, then it will likely work fine.
The important word there being _if_ since the cells require 5 radios for a 1 square mile coverage area they are mostly located along main streets and commercial areas. It wouldn't be cost effective to put radios all over residential neighborhoods since that isn't the target market.
I even used it in my house right on the edge of San Francisco, and used it coming over the Bay Bridge from Oakland, and it got a signal right as we came off the San Francisco side of the bridge, so San Francisco seems pretty well covered.
That's what they want you to think. Again, the coverage areas are very small so they put them where people will notice. If you live in one of these places it will make a good fixed wireless solution.
There are like 17 big hills here, so you can put stuff like this on top of the hills and get everybody.
Ricochet doesn't work that way, it uses little radios attached to utility poles. Hills and such aren't a big issue since the cells are so small.
http://www.metricom.com/ricochet_advantage/tech_overview/index.html
Ricochet is not a good replacement for Cable, DSL, etc. Ricochet IS NOT fixed wireless and it does not work well if you remain stationary.
The nodes have about a 1/8 mile coverage area and are line of sight. This isn't a problem if you are driving down the road and you pass under one of their antennas every 10 light poles, you'll go in and out of coverage and the modem will deal with it.
If you are sitting at a desk with your ricochet modem you are either in or out of coverage all of the time and considering how small the cells are unless your desk is on the sidewalk under a light pole you are probably out.
In a traditional network environment you are correct. Trunks and core links rarely are capable of carrying the full aggregate bandwidth of the downstream links. However, this is supposed to be a system that lets you simulate the Internet and any to any connections and we're talking about a 3000% oversubscription (with no redundancy). You would think that they would make the hardware configuration as flexible as possible. Apparently the boxes in there even emulate routers and switches. I don't know how they plan to do it, but it can't be realtime since the real Internet has many >100Mb links and the routers and switches have much higher packet forwarding rates than even the fastest server is capable of.
People whose only experience is with academia frequently baffle at the marvels of the real world.
Try taking a recent CCNA boot-camp graduate through even a small data center, "why would you need more than one router?"
5 miles of cable could easily be used up just in a fiber loop around a small campus, and plenty of data centers have more servers. This project may be "cool" for its function, but the data center itself really isn't that special.
Not only that, but they have 7 slots worth of 48 port 100Mb cards (33.6Gb) and 1 Gb uplink. That might be a little of a bottleneck if more than a few of the nodes are trying to pass upstream traffic.
Most systems like this allow you to lock the account for a certain period of time. This is usually sufficient for most applications since it takes away the "fun" of locking someone else's account and at the same time defeats most hacking attempts. Many brute force hacking programs can try hundreds of passwords a minute, but if the account is locked for even 10 minutes after every 3 attempts it will take the wind out of the hacker's sails.
And no admin should ever find himself locked out of his own system. If he did, it's because of something he did wrong.
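The temporary-lockout scheme from the comment above, worked through as an added example (not code from the poster or from any particular system): three failures lock the account for ten minutes, the lock clears on its own, and a small simulation shows what that does to a guesser running at a few hundred attempts a minute. The class name, the `guess_budget` helper and the rates are constructed for illustration.

```python
"""Temporary lockout: N failures lock an account for a fixed period (added example)."""
from collections import defaultdict


class LockoutPolicy:
    """Per-account failure counter with a temporary lock, in the spirit of the
    '3 attempts, lock for 10 minutes' scheme discussed above. Times are plain
    numbers (seconds) supplied by the caller so the behaviour is testable."""

    def __init__(self, max_attempts=3, lock_seconds=600, window_seconds=600):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.window_seconds = window_seconds      # failures older than this are forgotten
        self._failures = defaultdict(list)        # account -> failure timestamps
        self._locked_until = {}                   # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it together with the old failure history,
            # so the account unlocks itself and nobody has to call the admin.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Returns 'locked', 'ok' or 'fail'. While locked, even a correct
        password is refused: otherwise the lock would leak which guess was right."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures[account] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lock_seconds
            self._failures.pop(account, None)
        return "fail"


def guess_budget(policy, guesses_per_minute, duration_seconds=3600):
    """Simulate an online guessing run against one account at a constant rate.
    Returns (guesses the server actually verified, guesses an unthrottled
    server would have verified). Constructed simulation: every guess is wrong,
    and guesses_per_minute is assumed to be a multiple of 60."""
    per_second = guesses_per_minute // 60
    verified = 0
    for second in range(duration_seconds):
        for _ in range(per_second):
            if policy.attempt("victim", False, second) == "fail":
                verified += 1
    return verified, per_second * duration_seconds


if __name__ == "__main__":
    print(guess_budget(LockoutPolicy(), guesses_per_minute=300))  # (18, 18000)
```

With the 3-in-10-minutes setting, an hour of guessing at 300 attempts a minute gets 18 guesses checked instead of 18,000, and the account is usable again ten minutes after the last failure without anyone unlocking it by hand.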
30 fps for 24/7 is what our customer wants. End of discussion.
Your customer could have saved themselves your fee by posting this to Slashdot themselves.
Two questions:
1. How did you get this customer if you have no idea how to meet their needs, and
2. What kind of consultant doesn't work with the customer to refine project goals and requirements?
Your customer has a need, 30fps is not a need, and they believe the only way to satisfy it is with full framerate video 24x7. If they are wrong it is your job to show them why and how you can satisfy the need without 30fps.
Gigabit ethernet is becoming common in network cores. Unfortunately GigE is still very expensive, and to go a reasonable distance you need costly single mode fiber. Even 100MB goes much farther over fiber than copper, and I can't imagine your 1000 cameras will be very close together. Just running the fiber to 1000 cameras could easily cost you several million.
If this project is going to happen it will probably cost more than 10 million so your customer is either a government agency or someone with really deep pockets. Either way if you want to get good information here you will need to give more information. If you are worried about disclosing too much you should go talk to some people at vendors like IBM and EMC. They do this kind of thing everyday. They can handle the data storage part and you evidently can handle the video part. Talk to the folks at Cisco about putting it all together. Of course when you go to these vendors they will need more information as well. "That's what the customer wants," doesn't cut the mustard when developing specs for cutting edge projects. Sorry.
You aren't comparing the Skylarov case to the Betamax case are you, because if you are that's stupid.
digital copying != analog copying
copying != timeshifting
Betamax did not break any encryption and there was no DMCA at the time.
In the Betamax case the decision reflected the fact that "timeshifting" is not a violation, and VCR's have substantial non-infringing uses. The decision did not give VCR owners permission to start copying copyrighted works.
Dimitry wrote and sold software that was designed to violate copyrights. Even without the DMCA the ebooks license specifies you may not make copies and contrary to Slashlore there is no indiscriminate "Fair Use Right" that allows this behavior. Had Sony marketed the Betamax as a method of illegal copying protected material they likely would have lost their case as well.
While I don't understand why they'd care (the customer is still, in theory, paying for the service), the fact that they've kept it secret for so long makes me wonder if they'll let this slide.
If you've ever used AOL you'll realize while they probably won't "let it slide" AOL is much more than an ISP and the client is about 80% of that. Whether they take legal action depends on their lawyers, but it would be trivial for them to get around this technically. Since the AOL client automatically every time it connects they could simply change some small bit of the protocol every week (or day) that would break the non-AOL clients until someone patched them. AOL could probably automate this fairly easily to the point that they could just do it forever or until the non-AOL folks just give up.
I imagine you'll see cease-and-desist letters followed by engineering changes, followed by lawsuits.
OK, here's a test for you. Without looking, can you tell me if your laptop power supply has a UL seal? How about your phone? The power strip under your desk? The fluorescent light above your head?
The point is, yes they could make the UL seal harder to get, but at some point manufacturers would stop bothering because it really doesn't mean jack to most people.
If you use Sony components this function is built in, since Sony components use discrete off and on signals there is no danger of turning your TV off when you just want to select it. You can however assign macros to the component buttons when you hold them down, so you can program the DVD button for example to turn the DVD on, set the video and audio source, select the proper viewing mode and adjust the volume.
My wife gave me a Sony lVL-900 6 months ago, and none of my other remotes have been out of the drawer since.
This remote is all buttons, but it is a totally programmable LEARNING remote. You don't have to worry about whether the button you want is preprogrammed because you can "teach it". It also can do 11 macros, and even though it will control 8 devices, since you can put any function on any button you can put all the stuff you need on one device and not have to switch back and forth. This thrills my wife because she only has to push one button to turn everything on to watch cable, or a DVD.
Compared to $400 for a full GUI, I'll take the $50 buttons.
Go here to analyze ipchains log output.
50 points if you remember how Jimmy got rid of him.
According to opensecrets.org Microsoft gives almost evenly to both political parties. In 2000 they gave 46% of $4,543,276 to the Dems. I'd say they were hedging their bets either way.
Fujitsu is selling a Crusoe based notebook that they claim will last 14 hours on a charge.
Lifebook P
IE caches into one single file that I don't know how to get into.
Just open Tools--Internet Options
Under "Temporary Internet Files" click "settings", "view Files"
Scroll down to the file you want, copy and paste into another directory.