Slashdot Mirror


User: JimmytheGeek

JimmytheGeek's activity in the archive.

Stories: 0
Comments: 609

Comments · 609

  1. He was scum on Chief Justice Rehnquist Dies at 80 · · Score: 4, Insightful

    The biggest canard in law is that "strict construction" has a coherent meaning. Other than "I am the true interpreter of the Text!" The bigger joke in politics is that there was anything principled about the guy.

    You can look over his record and predict his votes by this formula: economic strong trumps weak (corp vs. individual), powerful trumps weak (govt vs whistleblower or random individual.) Remember: he voted that INNOCENCE WAS NOT A REASON TO OVERTURN A DEATH PENALTY CONVICTION. After all, rich white people are hardly ever in that situation, so it can't be very important.

    Even CNN is falling for it. "States rights...except where state law threatens Republican election chances."

    Gil made his bones in thuggish suppression of minority votes - naturally the shenanigans in Florida in 2000 so overwhelmed him with nostalgia that he could punt 20 years of his own precedent to achieve an outcome.

    It's just a shame it didn't happen 40 years earlier.

  2. Re:THIS SAYS IT ALL on FCC Seeks Tech Donations for Katrina Aid · · Score: 1

    Amen.

    Dammit.

    It pisses me off, fuckwits voting a brand rather than what's best for the country or even what's in their own interests.

    We saw this guy freeze like a deer in the headlights when he got the word about the second plane. He's all mouth, all posing. Dressing up in a flight suit a mile off the San Diego beaches does not make you a warrior.

    And we fucking voted him back. Because his advertising made some of us more comfortable with his brand. Chevy is for flip-floppers! A guy whose aggressive tactics in countering ambushes was adopted by the rest of the navy patrol craft is a wimp next to the (needless and incompetently prosecuted) War President. R-i-i-i-i-ght.

    And we bought it.

    Yeah, he'd leave you and yours to die. He'd kick them off the bus to make enough room to stretch out. He'd put his friends on. He'd put his furniture on. And leave you without a thought.

  3. Re:Looks like I'm going on FCC Seeks Tech Donations for Katrina Aid · · Score: 1

    I lack wifi skills, but if they need non-Tower certified but damn safe climbing, I'll be there.

    Good luck, and keep your head down.

  4. Re:Why kill? on Balmer Vows to Kill Google · · Score: 1

    Genghis Khan: "It is not enough that I be successful. Everyone else must lose."

  5. distance learning doesn't - for me anyway on How Can Tech Help Fight Education Costs? · · Score: 1

    Look, it takes incredible production values to give highly trained presenters half a chance at being half as compelling as someone in the room. This just doesn't lend itself to mass production.

    And do you want your teachers acting like local news clones? Ick.

    Put the powerpoint away, hand out books instead. Actual learning may be involved.

  6. And Sister Cyndi! on Spammers Lose Court Battle Against Univ. of Texas · · Score: 1

    Or was that Sin-dee?

    She was a woman who teamed up with Jeb when I was at Oberlin in the mid 1980's. Not exactly fertile ground.
    S.C.: "Does your mother know you eat SPERM?"
    member of the crowd: "uh, presumably she figured it out when I came out in high school."

  7. Historically, worms follow patches on Researcher Resigns Over New Cisco Router Flaw · · Score: 2, Insightful

    I am in favor of full responsible disclosure (give the vendor a deadline and stick to it unless you KNOW they are moving on it).

    Still, most exploits seem to be reverse-engineered from patches. Compare the patch to what came before and you have a serious clue to the problem.

    That's in the public world; I don't claim to have any insight into privately held 0-day exploits. I suppose that there are some blackhats as clever as the white, with equivalent labs.

  8. MCSE - back in the day on Microsoft's 10-year-old Certified Professional · · Score: 1

    I supervised an intern who had passed the 4 core NT 4.0 exams with some help from the ExamCram series. I asked him to modify the network settings.

    Deer in the headlights look.
    "Go into Control Panel."
    Deer in the headlights.
    "Hit the Start Button, select 'settings' "
    Deer in the headlights.
    "Start button. Lower left corner of the screen."

    I am serious. He turned out to be a bright guy and all, but his certifications were not meaningful. I don't pay any attention to them any more, except possibly as a "clueful enough to understand the labor market".

  9. Re:most attacks not spoofed on O'Reilly Revisits Online Countermeasures · · Score: 1

    I don't actually have any data beyond that one massive, apparently unmotivated, and possibly ongoing attack. I think the SYN floods were sort of passe, but if you are doing just a raw bandwidth attack, they'd do the trick.

    I think an actual connection hoses the recipient in a more precise way, with less bandwidth usage to trouble already indifferent ISPs.

    My sense is that the bots are so common that they aren't worth obfuscating. It may be that egress filtering has caught on, as well. Let's hope so...

    I personally will wait for the "punch in the face over IP" rfc to circulate before acting on revenge fantasies.

  10. Re:drops still give information on How Do You Handle Portscanning Attacks? · · Score: 2, Informative

    Your router may block the unreachables - that's a common lockdown step. But it is also correct behavior for the router on the destination net to send an ARP, determine that nobody is listening at that IP address, and reply to sender with the icmp dest unreachable (ICMP Type 3, Code 1). There's also a net unreachable that I haven't run into, Type 3, code 0.

    http://www.faqs.org/rfcs/rfc792.html
    "Gateways in these networks may send destination unreachable messages to the source host when the destination host is unreachable."

    If an ACL blocks the traffic with a reject (vs. drop) then typically it's an ICMP destination host administratively prohibited (Type 3, Code 10).

  11. most attacks not spoofed on O'Reilly Revisits Online Countermeasures · · Score: 1

    These days it's pretty hard to spoof a tcp connection. UDP/ICMP/weird, rare, connectionless protocol, sure.

    But if they are loading a page over and over via http like in a recent massive DDoS (http://www.dshield.org/pipermail/intrusions/2005-January/008739.html)
    you can be sure that the zombies' source ip is what it says it is. These days zombies are not worth the trouble of hiding, anyway.

    I wouldn't retaliate, but I would especially not retaliate unless the completed tcp handshake gave me assurance the source wasn't spoofed.

  12. Tarpit the %$#$ out of them. on O'Reilly Revisits Online Countermeasures · · Score: 2, Interesting

    Since blocking a particular host at a router/firewall is sufficient "self-defense" that's probably the ethical limit. Notifying the owner of the trespassing host is a time-consuming, but reasonable step. One more thing, possibly more satisfying: tarpits.

    The late LaBrea project implemented techniques that did not block attackers/scanners, but rather through protocol manipulation, HELD ON to them as long as possible, through things like tcp window size, etc. they kept the source host on the line sending zero bytes.

    This kept them from bothering other people, and was computationally inexpensive to implement on the destination host. I think the honeyd project has some of this built in.

    I heard of one connection maintained for over 9 months - but I have no link, sorry.

  13. drops still give information on How Do You Handle Portscanning Attacks? · · Score: 2, Interesting

    If you have a fw inside a router, the router will send a "destination host unreachable" ICMP message in response to traffic to nonexistent hosts.

    A drop will generally indicate:
    1) firewalling
    2) an inverse map - "I didn't get the ICMP 'dest. host unreachable', ergo something is there"

    Blocking that outbound ICMP message is possibly a mistake if you have public net resources.

    As others pointed out, a drop vs. the icmp error slows the scan down nicely, though.

  14. Ever visit hostile websites? on CA Warns Of Massive Botnet Attack · · Score: 1

    Ever visit a benign website with an ad banner from a server farm that was own3d?

    http://news.netcraft.com/archives/2004/11/22/the_register_among_sites_serving_banner_malware.html

    It's a really bad idea to surf with IE. It's a pretty bad idea to surf on a machine that has IE installed (some malware will be able to invoke IE to do its dirty work even if you hit the page via another browser).

    I grant that within the limits you specified, you are correct. Non-forwarded NAT will protect you from external worms. It will not protect you from multi-vector threats. Some spread via tcp connections on tcp 135 | 445, email, AND web compromise. So once you hit that bad patch of teh intarwebs you are now spewing email viri and scanning the local and distant net.

  15. Re:wild horses on North American continent on Megafauna Extinction Due to Climate · · Score: 1

    Lots of replies making note of the human endurance advantage, but I can't see chasing individuals and that resulting in extinction. It just doesn't seem to scale in my imagination.

    There was a radio bit to do with some bozos who couldn't figure out the bipedal advantage - it takes much more energy per unit distance than quadruped. (It's actually only efficient relative to knuckle-walking as our nearest cousins do) Turns out the advantage is in cooling: most fur-bearing critters don't sweat. So these guys tried chasing down a North American antelope - and failed miserably. They couldn't keep track of which one they were chasing. The group trotted easily, mingled with other groups, and led them in a big circle. Granted, as a matter of survival and with skeelz handed down, our ancestors may have been better at this than two in-shape but citified newbs.

    It also didn't help that they were picking on the 2nd fastest land animal (and way ahead of #1 in stamina)

    My point, if I have one, is that extinction should require wholesale slaughter techniques. You can herd mustangs into a box canyon, but that requires speed pedestrians lack.

    ? Maybe we could and did impose a predation rate higher than replacement rate. Humans with guns just drove elk into the mountains, though, they didn't exterminate them. Native Americans didn't even do that much, with high stone-age tech. Are horses that much easier to prey on than elk? Or bison?

  16. wild horses on North American continent on Megafauna Extinction Due to Climate · · Score: 1

    I'd been skeptical for a while that humans ate all the horses. They can survive on the nastiest scrub, are basically too tough for wolves and coyotes (moose may be bigger, but moose are solitary), and they are fast. It's true that humans can cover more ground in a day (if those humans are Apaches) but not more ground in an hour. They have excellent senses, so they are hard to sneak up on. Really, the way to catch them is to have caught one already.

  17. Re:You can usually see it coming on Before You Fire the Company Geek · · Score: 1

    Yep. I got the 30 day "shape up" warning, but I really didn't get any sense that there was anything I could do about it.

    It was my fault, really. Not very motivated. I spent all day on Slashdot.

    Oops.

  18. Re:How good is SUS? on Updating Free Software in the Enterprise? · · Score: 2, Funny

    I'm planning to push some hardware upgrades via Group Policies. All cd-r's are now cd-rw! Cool! I'll dictate that all workstations now have more memory, too.

  19. How good is SUS? on Updating Free Software in the Enterprise? · · Score: 1

    I've tried some other patch management stuff (I even was a contract tester for MS for SMS 2.0) and didn't see anything I'd be comfortable relying on.

    Of course, an inactive sneaker-net is no improvement.

    I'm just deeply skeptical that a registry bit saying an update is required is the same thing as getting the update installed and verified. Even Windows Update, presumably written to update Windows, absolutely SUCKS at this, with silent failure or even untruthful failure ("Update succeeded!" when update did NOT succeed)

  20. they're right on Kansas Challenges Definition of Science · · Score: 1

    they are being called idiots.

    The thing is, the people calling them that are right.

  21. not skeeled in BGP, but on Taking on an Online Extortionist · · Score: 1

    if you have a backup link, you can set up both links to filter routes from the other link. Traffic to ISP2 really ought to exit to ISP2.

    And unless you are set up to be a transit net, you really ought to block outbound src != your addresses on both nets.

    There are a lot of leaf node nets with more than one stem.

    I agree the filter ought to be pushed as close to the host as possible. You need the host mac to track the spoofer down, for one thing. You lose that after hop > 0.

  22. Amen, brother! on Taking on an Online Extortionist · · Score: 1

    Egress filtering is easy, and should be mandatory. Dunno if ISPs are in the driver seat these days, but unless someone made arrangements to be a transit net with a 2nd ISP, I'd be pretty ticked to see inbound packets from a surprising CIDR range.

    My own net (medium size community college) is filtered on the internal and border router. Belt and suspenders, you know?

  23. Re:I use OpenBSD's pf on Taking on an Online Extortionist · · Score: 1

    Come to think of it, with the liberal BSD license, I'm surprised there aren't a lot of pf-based appliances out there.

    Hmmm /googles

    http://www.monkey.org/openbsd/archive/misc/0407/msg01116.html

  24. I use OpenBSD's pf on Taking on an Online Extortionist · · Score: 2, Interesting

    It's AMAZING, but you have to supply the electricity which will add up to a fair amount for a real pc vs. a little appliance thingy. Got a spare laptop with a borked screen or something? You could probably pick one up for a song at RePC or a similar outfit.

  25. Re:Here's a tip on Taking on an Online Extortionist · · Score: 3, Informative

    Depends. You can't forge tcp connections, which make really good DoS packets because they tie the target server up much more.

    Granted: a raw bandwidth attack can use UDP, ICMP, or a TCP SYN, ACK, SYN-ACK or RST packet, and could be usefully forged.

    There's a fairly riveting thread on the Intrusions list about a DDoS attack in Jan-Feb (may still be going on) that eventually involved some 80,000+ bots. It was defeated with Squid (on OBSD), as well as active upstream providers. The bots repeatedly went to load a file via http, which tied up the web server. Since the tcp connection was actually made, the src ip was known. The bots were apparently installed via drive-by download, rather than worm or email.