No way. If you are going to buy insurance, you DO have a responsibility to know the terms.
You keep saying that "because everyone knows that nobody reads the fine print, it shouldn't count"
Well, everyone also knows that FINE PRINT IS LEGALLY BINDING, EVEN IF YOU DON'T READ IT, and yet they sign... a conscious choice NOT to read a contract before signing it is easily taken as agreeing to the terms blindly.
Insurance by itself means nothing, the terms MUST be dictated.
It amazes me that so many managers, clerks, and customers alike get so confused about returned items.
All Returns Are Not Created Equal.
- By default, a merchant is not required to take any kind of return if the item worked as it was presented, and there was nothing fraudulent about the sale. Just because you decided you didn't like it, or because you bought the wrong shaped plug by no fault of the store does not mean they have to take it back.
- A merchant generally does have to take a return if the item was sold under false pretenses, or simply didn't work. No fee can be charged for this.
- Most stores have in-store policies that go above and beyond what the law requires. Sometimes this involves a re-stocking fee. THIS *IS* fair... this is for situations where you want to return an item just because you feel like it.
- Make sure you ask before you purchase specifically what happens if the item fails in 1 day, 15 days, etc. Often the clerk or manager will be clueless and try to tell you that you are returning the item under the returns policy, when it's actually a return because it's a bad item, which is a separate issue altogether.
- Is there some substance in the universe we should be using OTHER than hydrogen? I mean, it is the most abundant element in the universe.
- Solar power is a good point, but not workable any time in the foreseeable future to meet humanity's energy needs. You could cover entire deserts with modern solar stuff, at astronomical cost, and not come near to meeting our current energy demand.
- We, as humans, want to be able to go places that are inhospitable to us.. places where the sun doesn't shine. The bottom of the ocean, deep space, the polar regions. Solar power won't help there.
Fission plant: Waste can be nearly completely contained, and has no detrimental effect. Accident could have major global effects.
Fossil fuel plant: Waste can not be contained at all. Operation has a continuous but slow negative effect on the planet, both locally and globally. Accident is local only.
We have to trust in engineering and think globally. Chernobyl happened because of a terrible reactor design (known to be bad when it was built) and the operators completely overriding every safety feature in place, doing an incredibly dangerous and stupid experiment.
Nuclear is scary because people think of Hiroshima, Chernobyl, and because bin Bush can't pronounce it correctly.
You can run all the analogies you want, about how it's an attempted crime, and so on...
After all, it is. Attempting to gain unauthorized access to a system IS a crime.
But it's unrealistic to waste resources on something like this.. you should EXPECT people to try to log in through these remote services.. this is the internet. If you don't want people to even TRY to guess, don't put up the service in the first place. If you are confident that your system is secure, some attempts at access shouldn't bother you.
Think of this more like a fortress in a hostile war zone than a house or car in an urban law-abiding suburb.
The fact is if you start chasing down every little attempt, you waste a ton of your time to no real benefit. Spend that time making sure things are tight and secure.
Seriously. It's not causing you a problem. Don't waste time on them. If you like, keep logs, so you can backtrack later if something does happen.
Your main concern is keeping things secure, not hunting down everyone who tries to gain unauthorized access.
Further.. I think it still holds true that if you put up services that listen and answer publicly on the internet, you should expect people to try to use them, even for things like SSHD. It is completely within your technical means to prevent outsiders from being able to even connect to sshd to guess passwords... so rather than complain about it, do something about it.
Heroin is very much chemically addictive.. where did you hear that it wasn't?
Physically, heroin addiction IS morphine addiction. Heroin is turned into morphine in the brain. As far as your neuroreceptors are concerned, it IS morphine.
Heroin is just a more effective way to get the morphine to the brain.
As with most drugs of abuse, the psychological addiction is the one that really gets you... but don't kid yourself. Heroin is VERY physically addictive.. just like morphine.
Re:What is that in MegaBytes per Hour? (on "Ethernet at 10 Gbps"; Score: 2, Informative)
Answer: because laypeople insist on talking in imprecise terms like kilobytes and whatnot. Even the byte, historically, could be of varied size depending on the architecture.
When talking about bandwidth, always use bits, and always use k=1000.
Further, how much useful data transfer you get out of the system is not an accurate number.. it fluctuates based on a number of factors, including the network itself, quality of equipment, protocol stack and version, stack settings, local hardware speeds, etc.
However, what we DO know is that the medium transfers *exactly* 10 billion bits per second, no more, no less.
Transmission speeds are measured at the base rate they transmit data at, without taking into account the protocol in use generally. It has to be this way, because everything else varies upon use. 11Mbps wifi in no way lets you transmit 11Mbps of useful data, or anywhere near that, between two hosts.. but the data rate on air is precisely 11Mbps.
A fully utilized 100Mbps ethernet hub will have exactly 100 million bits per second going through it.. yet it is impossible for a single host to transmit at 100Mbps continuously.. there are mandatory pauses in between frames, and stuff like that.
Further to that.. to add any kind of meaning whatsoever to download limits, if it's a service you pay for, you need to inquire to precisely how such things are calculated.
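The gap between line rate and useful data that the comment above describes can be put in numbers. The following is an added example, not code from the original thread: it takes the fixed per-frame overhead that IEEE 802.3 Ethernet framing imposes (preamble and start delimiter, MAC header, frame check sequence, minimum frame padding, and the mandatory inter-frame gap) and computes the best-case payload rate a single sender can ever reach on a given line rate, then converts bit rates to megabytes per hour using the comment's rule of bits and k=1000 (with k=1024 available for comparison). It generalises the 100Mbps hub remark to any Ethernet line rate; the 802.11 figures are not modelled here, since wireless framing overhead is different.

```python
"""Line rate versus useful payload rate on Ethernet.

Added example (not from the original comment thread). The medium carries
exactly N bits per second; this shows how much of that can ever be
application payload once the fixed per-frame framing overhead is paid.
Units follow the comment's rule for bandwidth: bits, and k = 1000.
"""

# Per-frame overhead on the wire, in bytes (IEEE 802.3 values).
PREAMBLE_SFD = 8      # 7 bytes preamble + 1 byte start-of-frame delimiter
MAC_HEADER = 14       # destination MAC, source MAC, EtherType/length
FCS = 4               # frame check sequence
MIN_FRAME = 64        # minimum frame size (header + payload + FCS)
INTERFRAME_GAP = 12   # the mandatory 96-bit-time pause between frames


def bytes_on_wire(payload_bytes: int) -> int:
    """Bytes of medium time one frame consumes, including the inter-frame gap."""
    frame = MAC_HEADER + payload_bytes + FCS
    frame = max(frame, MIN_FRAME)          # short payloads are padded up to 64 bytes
    return PREAMBLE_SFD + frame + INTERFRAME_GAP


def efficiency(payload_bytes: int) -> float:
    """Fraction of the line rate that is payload at this frame size."""
    return payload_bytes / bytes_on_wire(payload_bytes)


def max_payload_bps(line_rate_bps: float, payload_bytes: int) -> float:
    """Upper bound on payload bits/s one sender can push back-to-back at a given frame size."""
    return line_rate_bps * efficiency(payload_bytes)


def bits_per_second_to_megabytes_per_hour(bps: float, k: int = 1000) -> float:
    """Convert a bit rate to megabytes per hour; k=1000 (SI) or k=1024 (binary)."""
    return bps * 3600 / 8 / (k * k)


def main() -> None:
    # Worked figures for the common Ethernet line rates.
    rates = [("10 Mbps", 10e6), ("100 Mbps", 100e6), ("1 Gbps", 1e9), ("10 Gbps", 10e9)]
    for name, bps in rates:
        print("%-8s raw: %12.0f MB/h (k=1000), %12.0f MB/h (k=1024)" % (
            name,
            bits_per_second_to_megabytes_per_hour(bps),
            bits_per_second_to_megabytes_per_hour(bps, 1024)))
        for payload in (46, 512, 1500):
            print("         %4d-byte payload: %5.1f%% efficient, %12.0f payload bit/s max"
                  % (payload, 100 * efficiency(payload), max_payload_bps(bps, payload)))


if __name__ == "__main__":
    main()
```

Even with maximum-size frames the best case is about 97.5% of the line rate (1500 of 1538 bytes of wire time), and with minimum-size frames it drops to roughly 55%; everything above the link layer (IP, TCP, retransmissions, the application) only reduces it further, which is why the marketing number and the observed download rate never agree.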
People think of the future after they are gone? That's a survival trait.
Humans who had no real will to see future generations succeed, and just felt that they were gonna die so what's the point.. those people didn't really survive, for obvious reasons.
Re:Open Group (on "IT, Be Free!"; Score: 2, Insightful)
Linux isn't technically unix, but it's unix enough for anything that matters.
It's posix compliant enough. Can you name some posix feature that is missing that anyone cares about? Which parts of posix are you referring to?
Sales figures would disagree with your comments about Sun hardware. Sun was not on top in some sectors because of posix compliance, nor the fact that they can use the unix trademark.
Sun is in the process of losing its high end oracle market right now, and oracle is moving customers to intel/linux clusters instead of 64 processor sun servers.
I can assure you that those other "Real" unixes are not chosen because they are "Real" but because they have large corporate backing.
Remember, SCO Unixware is real unix.. and it's crap.
Because they do money laundering? There may be the odd bookie out there who took some dirty money, but by and large this is total nonsense.
You might be surprised the lengths many internet gambling places go to to prevent being used to launder money. The LAST thing any gaming shop wants is the international authorities busting down their door and shutting them down. It's already a good profitable business if done right.. there is no need to accept the increased risk of laundering money for a small extra profit.
Also, in the scenario you painted... unless a lot of people do it, or the numbers are huge (in which case it would be noticed right away), there is nothing in it for the bookie above and beyond his normal customers anyway.
That said, there are several reasons this industry was more vulnerable, and was a good choice for them to attack.
- gambling sites operate outside the US & Canada, where it is MUCH harder to get solid hosting and tons of bandwidth.
- The US authorities are still on the fence as to whether someone legally operating an online gambling business in another country taking action from Americans is breaking US law or not.
- Because of not operating in the US, and not wanting extra US exposure, online gambling shops generally don't talk to the US authorities.
- Online gambling shops, specifically bookies, make their money in bursts. Being down for a weekend during NFL is really expensive. 3 hours of downtime could cost you the entire week's profits on a Saturday.
- Many shops are small, independent, and not large organisations who have to justify their decisions to a board. Given the amount of money to be lost, paying $20,000 in order to not lose $100,000 is a fairly easy decision to make. Pay up, then investigate how you can avoid having this happen again later.
It's like if someone robbed you on the street.. and instead of just taking your money said "Okay, I can either take all your money, every day, or you can give me $100 right now, and keep the other $900 in your wallet AND I won't bug you again until next year". In the long run, you had better learn how to fight.. but in the immediate short term, it's a good deal.
There is a reason protection rackets work, both on and offline.
Yes, of COURSE there is such an infrastructure that can do the required analysis and block the traffic. Most ISPs do not have it at this point in time.
Also, your ISP is not necessarily obligated to deal with this; it may be far cheaper for them, given the resources they would need to throw at this to keep their customer up, to simply drop the problem customer, which is what many did. Your ISP isn't necessarily going to add tens or hundreds of thousands of dollars in equipment and manpower and sacrifice half of their bandwidth just to keep your little site up unless you are paying them a small fortune.
Okay, I don't mean just prosecution, but any sort of investigative help at all. Many of the attacking zombies were in the US, and tons of the traffic moved through the US.
The US Govt. was actually quite helpful during related attacks earlier this year, even though they would most likely not end up prosecuting anyone.
If it were 200 IPs, or even 2000, this would not have been a problem.
So tell me, smarteyman, as my ISP, how do you plan to block 4Gbps of legitimate-looking web requests coming from 30,000 hosts in nearly an equal number of unrelated subnets, distributed globally?
The scale and scope of these attacks, and the amounts of money paid to these people, how far that money went, how many countries it was wired through, and the amount of law enforcement and private sector work involved in getting even this far would shock many of you.
Contrary to what some say, the US authorities *DO* care what's going on... they just can't prosecute directly unless it's affecting US business.
These people and similar operators have extorted millions of dollars in the last 12 months alone.
I'm sure many will come out and say "Oh well if you had just built your network properly...".. oh, if only it were that simple. These attacks have come in at over 4Gbps... and no matter how you slice it, that's a shitload of bandwidth.
The slashdot effect is jack shit compared to what these guys have unleashed for WEEKS at a time on one site alone.
But when I, as the owner and administrator of the mail server, decide that ALL addresses are going to be a valid user, delivered in any number of methods of my choice, then there is by definition no such thing as an invalid user, therefore I'm not required to send anything.
If you are going to argue against that.. you really need to re-think how to interpret RFC's...
Because nobody can trust the period of copyright not to change.
You, the author, created a work in the 60's or whatever. Society granted you, clearly and under no uncertain terms, copyright over that work for say 50 years. You understood that 50 years later, your work would lose all copyright protections, and fall into the public domain.
Society at large understood this too... and *expects* that work to fall into the public domain on the required date.
If we are going to keep retroactively changing copyright periods, why bother putting a limit on it at all?
Just because it has economic value to the owner does not mean it should continue to be protected.. the owner should work on NEW stuff, not continue to sit on the old.
To further back that up.. not implementing everything mentioned in an RFC isn't generally a violation. There are plenty of parts of TCP/IP that are not used on the internet, or disabled. Same with other protocols.
If I decide that in my domain, there are no invalid addresses, then the concept of an invalid address becomes irrelevant, and there is no need to implement it.
They do not change their direction.. spacetime is curved. They are travelling straight. It just looks curved to us.
Money is power. DO something good with it.
The Gates do contribute a lot of cash to charity every year, their foundation does some serious work.
Also.. ever tried to work with an interactive website when only one out of ten requests gets through?
Oh, you are going to cache those 10% of addresses and let all their traffic through? The attackers will quickly fill that up.
Although I will admit allowing 10% of my customers through instead of none is a start, it's nowhere near a satisfactory solution, and my customers are still going to leave in droves.
That's not solving the problem, nor does it require much infrastructure.
The actual solution involves tons of caching and load balancing, as well as very aggressive filtering (to date, you can generally detect some aspect of the zombie behavior that differs from a legitimate user's request.. and thereby block it out).
Also, there is usually some lag between zombie updates.. so changes to DNS and whatnot can stay one step ahead of them.
All of these are solutions a well designed attack could overcome, however.
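The "aggressive filtering" the comment describes rests on finding some behavioural trait of the zombies that real visitors don't share. The following is an added example from a defender's side, not code from the original thread: it parses web-server access log lines in the combined format and profiles each source address on three traits that flood bots commonly fail to disguise (hammering one path, sending no Referer on any request, and metronomic request timing), flagging a source only when several traits coincide and it has sent enough requests to judge. The log lines, the addresses, the thresholds and the trait set are all constructed or assumed for the demonstration; the comment itself notes that a well-designed attack could mimic a real user, so a list like this is input to a block list, not a verdict.

```python
"""Behavioural flagging of flood sources from constructed web-server logs.

Added example, not from the original thread. It illustrates the point that
some aspect of zombie behaviour usually differs from a legitimate user's
request and can be used to block it. All log lines below are constructed;
the thresholds are assumptions for the demo, not measured values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import pstdev

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def profile_sources(lines):
    """Group parsed requests by source address; unparsable lines are skipped."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    return per_ip


def suspicious_sources(lines, min_requests=5, max_jitter_s=0.5, min_reasons=2):
    """Return {ip: [reasons]} for sources whose request pattern looks automated.

    A source is only judged once it has sent min_requests, and only flagged
    when at least min_reasons independent traits coincide, so a single
    trait such as a missing Referer (normal for a direct visit) never
    blocks a real visitor on its own.
    """
    flagged = {}
    for ip, recs in profile_sources(lines).items():
        if len(recs) < min_requests:
            continue
        reasons = []
        if len({r["path"] for r in recs}) == 1:
            reasons.append("single path hammered")
        if all(r["referer"] == "-" for r in recs):
            reasons.append("no referer on any request")
        times = sorted(r["ts"].timestamp() for r in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and pstdev(gaps) <= max_jitter_s:
            reasons.append("metronomic timing (stdev %.2fs)" % pstdev(gaps))
        if len(reasons) >= min_reasons:
            flagged[ip] = reasons
    return flagged


# ---- constructed sample data -------------------------------------------------
T0 = datetime(2004, 10, 10, 13, 55, 36, tzinfo=timezone.utc)   # arbitrary start time


def make_line(ip, offset_s, path, referer="-", ua="Mozilla/5.0"):
    """Build one constructed combined-format log line offset_s seconds after T0."""
    ts = (T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "%s" "%s"' % (ip, ts, path, referer, ua)


def sample_log():
    """One human-paced visitor plus three constructed zombies hammering the front page."""
    lines = []
    site = "http://www.example.com"
    visitor = [(0, "/", "-"), (1, "/css/site.css", site + "/"),
               (6, "/odds/nfl", site + "/"), (26, "/login", site + "/odds/nfl"),
               (29, "/account", site + "/login"), (45, "/odds/nhl", site + "/account")]
    for off, path, ref in visitor:
        lines.append(make_line("10.0.0.5", off, path, ref))
    for n, ip in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.99"]):  # documentation ranges
        for i in range(6):   # exactly one request per second, same page, no referer
            lines.append(make_line(ip, n * 7 + i, "/", ua="Mozilla/4.0 (compatible; MSIE 6.0)"))
    return lines


if __name__ == "__main__":
    for ip, why in sorted(suspicious_sources(sample_log()).items()):
        print(ip, "->", "; ".join(why))
```

The three constructed zombies trip all three traits and the human-paced visitor trips none, so only the zombies come out; in practice the trait list is what the defender keeps changing as the attackers adapt, which is exactly the cat-and-mouse the comment alludes to.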
Damn.. I guess that's one more piece of Alberta folklore that I learned while growing up in BC that was wrong.
I think it was an evil plot to keep us from moving there....
I may be totally wrong here.. but I was under the impression that the 30" widescreen required the use of BOTH dvi ports on the $600 card in order to function correctly.
Some provinces have some laws against using radar detectors while driving... I believe Alberta and Ontario.
In BC, and others, you are free to use radar detectors to your heart's content.
Correct.
Violate RFC? Gimme a break.
I own foo.com. I want ALL mail to foo.com, with a few exceptions, to go to a different mailbox. This is not a violation; it is the same as if I set up a quadzillion email aliases pointing to one box.