Slashdot Mirror


User: jroysdon

jroysdon's activity in the archive.

Stories: 0
Comments: 839

Comments · 839

  1. Re:taxes ? so be it ! on Virtual Economies Attract Real-World Tax Attention · · Score: 1

    It seems to me that they just want it labeled as taxable. They don't care to watch the gaming servers, just that when there are people with large amounts of transactions flowing in, they want their cut. They don't want the person receiving the funds to say, "Ah, but this is untaxable money someone gave me for a game item."

    You'll get caught. The US government knows every single transaction that hits any US Bank, and I'd guess any US-based credit card (since they're almost always backed by US banks).

    The only way around this would be to have someone mail you the cash, and then you spend the cash without ever depositing it - but I'm sure there are some big bad federal laws about using the mail "illegally." Plus at some point you'd run into the same issues drug dealers have - you'd need to get the money laundered into some "legal" form that couldn't be traced. Why is it that drug dealers are caught all the time with loads of cash (at least in the local stories I read)? Because they can't put it into the bank without raising major eyebrows and risk getting it seized and/or arrested.

    Just my two cents - I'm not a lawyer or a tax preparer.

    Find out the tax laws. If you earn over X, you've got to report it. As someone else suggested, you probably deduct your ISP and gaming account as expenses, as well as your PC - since without those, you cannot earn that income. Again, I'm not a tax preparer - do your own research or hire one.

  2. Re:The way to handle this... on Virtual Economies Attract Real-World Tax Attention · · Score: 1

    Yeah, but you can't sell your miles for cash to anyone. The miles are just good for you (and yours).

  3. Re:Questioning the Math/Assumptions on Email Servers Will Choke, Says Spamhaus · · Score: 1

    See my other post with real-world numbers for the past 24 hours. While I'm not a math major and don't plan to work through the formulas, my numbers seem to back up what the parent here is saying. Basically 20-25% of my spam would make it through if Spamhaus wasn't there, as SpamCop would catch the other 75-80%. I can say this is true as I can filter the mail through SpamCop first and then Spamhaus and see the numbers reverse themselves. Most likely after that, SpamAssassin using SURBL, DCC, and Pyzor would catch the rest (I'm not willing to let the mail into my MTA to test) anyway, but just at a much higher CPU cost.

  4. SpamCop on Email Servers Will Choke, Says Spamhaus · · Score: 1

    On my mailserver, if Spamhaus SBL-XBL fails to return an answer, SpamCop's BL will still be up and working. I've got my MTA configured to check for both. In the past day, Spamhaus SBL-XBL has rejected 25,791 emails and after checking through that list SpamCop has found an additional 4,256 emails to block. If I switch which service is checked first, the numbers are roughly the same (SpamCop will catch ~80% and Spamhaus will catch the other 20%). I'm sure any ISP mail admin knows at least this much.

    However, that other 20% that Spamhaus SBL-XBL would have blocked will then get through, and SpamAssassin will start checking against SURBL.org for spam-vertized domains in the email content and catch the rest. This is at a much larger CPU cost to use SpamAssassin than using Spamhaus SBL-XBL on the MTA before it even accepts the email.

    BTW, SpamAssassin with SURBL and a number of other filters (pyzor, dcc) still tagged another 5,135 emails as spam (I don't auto-delete, just add headers).

    That's pretty scary to me that my system, which houses a few domains for friends and family, has blocked/tagged 35182 spam messages in the last 24 hours.

  5. Cisco certs on What Certifications are Valuable in Today's IT? · · Score: 1

    He took some classes. He doesn't say he ever took or passed the tests.

    Secondly, the CCNA is only good for 3 years, so if he had taken and passed the CCNA test, then he's 2 years expired unless he either renewed it or went on to a Professional level certification (CCNP, CCDP, CCVP, CCSP etc.).

    A CCNA would be just the first step, with the Cisco Certified Security Professional as the next logical step if he wants to stick with Cisco gear.

    Cisco spells it all out on their site:
    http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html

    If you're in the US, young and the military interests you at all, consider going in with a guaranteed crypto MOS (in writing from your recruiter). If you're worth your salt at all, you'll come out with a ton of experience, Top Secret clearance, and a long list of good references.

    I know my employer doesn't want to hire anyone without a CCNP/CCVP, but even with that we find folks that are book smart and have little real experience. We still require one of those certs within the probation period, but we provide a full-blown CCIE Voice lab for new hires to study and practice in.

    I have worked at employers that had partner obligations that required us to have certs. From my A+ that I had to have within 6 months for our site to continue to be an "All A+ certified" shop in 1998, my CNA (Novell) that got me into the "Network Engineering" department (vs. the desktop tech service department), my MCSE (NT) that actually got me to full-blown Network Engineer status, followed a few months later with my CCNA, and 8 months later with my CCNP, CCDA, CCDP (each a week apart), and a month later the CCNP:Security (no longer offered), and then all the Cisco voice tests that my employer's relationship with Cisco required (right after they bought the Selsius CallManager and ActiveVoice's Unity), I've pretty much always had to take tests. What does that give me personally? The tests mean little, as you can memorize a bunch of Q&As, but they do filter out some folks. But between myself and my co-workers, it just kept my employer on the top of Cisco's list and the customer referrals keep coming in.

    I just passed the Gateway/Gatekeeper (GWGK) test for my CCVP two days ago after basically two days of study. I studied the first time the morning of the test two weeks ago and failed by 7 points. Having seen the test and knowing exactly what I needed to fill in, I spent last Thursday morning researching the stuff I needed, wrote out a 3x5 card of the exact lab-sim commands I needed, memorized them, and passed the test with 80 more points than the first time and with 30 minutes to spare. There aren't too many folks who could pass the GWGK test with basically 8 hours of study time, but anyone with enough time and drive can do it.

    Our CEO is a CCIE (#14888), and I'd say that cert has the most pull of any I know about. But you don't just go and pass the CCIE. It took him 5 or 6 times.

    I know a number of people who have been wanting to get their CCNA for years... the fact that they can't buckle down and study for a month and pass the test tells me they're not worth hiring. I've even given a few guys I knew that were interested in moving past the desktop tech to network engineer access to full-blown CCNP/CCVP online lab courses via Thomson NETg (each course worth $1,000+), and none of them even completed the courses.

    A cert doesn't get your foot in the door, but a lack of it can keep you locked out. That's my two cents from my point of view and 8 years of Networking experience.

  6. Re:What happened to MP3 phones? on What Happened to Media PCs? · · Score: 1

    You mean like the Kyocera Slider Remix? Add on stereo headphones that let you talk to callers as well (and automatically mute your music when you answer a call), plus 512mb of storage for all that music and pictures (1.3megapixel is kinda fun on a phone).

  7. Article is really a big Sales ad on SQL Injection Attacks Increasing · · Score: 1

    From the article:

    "SecureWorks announced ..." Including a link to SecureWorks.

    "A Network Intrusion Prevention System and Host Intrusion Prevention System can offer many of these protections, especially if they are being monitored by a 24x7x365 security team that can stay on top of the newest types of SQL Injection attacks, as there are new variances being released all the time."

    Interesting that this is SecureWorks' business - doing 24/7 monitoring. So, you can skip fixing your apps so long as you hire SecureWorks, is basically what the last paragraph is saying.

  8. Re:Blocking on Skype Protocol Has Been Cracked · · Score: 2, Interesting

    However, this makes the assumption that all someone is doing is voice. If you looked at my ssh tunnels over tcp/443, it has everything I'm doing going through it (essentially like a VPN), and it is all to the same remote box that proxies what I do.

    I don't think NARUS can tell when voice calls start and stop if I'm running remote Terminal Services (RDP and/or Citrix), other VPNs to other customers (within the SSH), web traffic, email, streaming music (last.fm). While I'm very unique, and what I do is unique, I don't think TS and/or streaming music is unique. My workflow involves constant open VPNs with SSH and/or telnet and/or RDP. With it all run over a single SSH over TCP/443, there is no way to break down what is going on by traffic signatures, unless I do nothing but the voice call. However, I always have debugs and remote desktop running in the background coming in.

    I think a NARUS box only works if it can see where the traffic is really going to. Since I proxy/tunnel all my traffic to a host I have on a DS3, it would be totally blind without being able to see what traffic is coming out of that host (which has tunnels of many of my users coming out).

  9. Re:Blocking on Skype Protocol Has Been Cracked · · Score: 2, Insightful

    Using "SSL" over 443 has long worked for bypassing firewalls and even proxies. I wrote about this back in 2003 and have been using ever since. It works even through a proxy server, as the proxy server just has to blindly forward all "SSL" traffic over port 443. By the very nature of SSL traffic, there is nothing you can do about it. All I do is wrap my SSH (or whatever) traffic inside an "SSL" stream and you can't touch it without breaking every other https site.

    The only way to block this would be to create a whitelist of SSL/https sites and allow only those access. Since every business relationship is driven online these days and everyone wants it encrypted, unless you sell tires to folks that walk in and just have a cash register, you're still going to have to allow SSL.

  10. Re:Uhhhhh, ok... on Slate Speculates on Internet Operating Systems · · Score: 1

    Telco will probably never upgrade a copper house to fiber. However, all new homes should definitely be getting fiber.

    In Patterson, California, that is the case and you can get 25mbit down/5mbit up for $80/month. They actually could offer up to 100mbit on the fiber they have.

    http://www.gvni.net/products.php?id=3

  11. Re:What would happen... on Colorado Sheriffs To WarDrive For Safety · · Score: 1

    But the point the person warning made is valid. I would add: do you want to go through the hassle of having your gear seized for a week+ (if you're lucky it'll be that short) while the local PD check it for whatever? No thanks.

    I used to run an open AP (freenet.artoo.net) and friends would often park in front of my house and use it (since that's mostly who knew about it)... it was kinda funny to see someone pop in front to check their email real fast (actually, they were independent consultants and linux geeks that I knew). At least I made people register a username and password so I could keep track of them and their MAC address. I had things pretty locked down and forced them through a proxy (with logs of websites). I had a proxy that filtered stuff as well (squidguard) so no one was surfing "questionable stuff" through my ADSL.

    It was pretty cool, but still not worth the risk of getting all my computer gear seized.

  12. Comcast deals on How Much Should Broadband Cost? · · Score: 1

    $60/month for just a cablemodem (no cabletv) will get you 3mbit/s download.
    $15/month mini-basic cable (normal broadcast channels plus 1-2 more) + $45/month cablemodem will get you 6mbit/s download.

    If you didn't do the math, it costs the same (actually about $.50 less for the combo deal), and you get perfectly clear broadcast channels and twice the speed.

    I'm sorry, DSL just can't touch that. While I don't have a guarantee of a static address, I've had the same one for 2 years now, even after moving 6 months ago across town.

    Anywhere I can get Comcast cabletv, I know I can get internet. With SBC/AT&T it's a crap shoot, and often they lie or don't have accurate info. I'm one of those households where all the adults have cell phones and we can't see the point in paying $33/month just to have call waiting, callerid, and pay all those taxes - just to have a land line.

    Gah, and the hassle of moving with DSL! Comcast cablemodem, you just move, plug in the cablemodem and call them up and they pop in your new address.

  13. Re:AT&T CEO G.R.E.E.D.Y. on Senators, ISPs, and Network Neutrality · · Score: 1

    That's actually relative. If you call my cell when I'm roaming (or if it were another provider and I was out of my plans' minutes), I pay to receive the call. If I have ISDN BRI circuits, I have to pay per minute charges for phone calls in or out (including voice). Then there are things like 800 numbers that allow the caller to not pay and the receiving party agrees to pay any toll/LD charges.

    But the point here is that these are all based on established contractual agreements. AT&T is trying to change the rules. Fine, let them change the rules and everyone will switch.

    Gcom pays their upstream to get to the "cloud," as does Ucom. It's up to their providers to keep their peering agreements in place and route the traffic. If they won't their customers will leave. If a peer advertises a route to another peer, they are bound to route that traffic as efficiently as possible, not slow it down. If a peer doesn't want to route traffic, then don't advertise the prefixes to their downstream peers.

    Guess what happens when you advertise less prefixes? You get less traffic. At some point, whoever has less traffic through their cloud pays their peers who have more traffic.

    If AT&T starts to mess with content people want to access, people will leave AT&T. Or, customers may sue AT&T for messing with their content which AT&T has agreed to provide them access to. Either way, AT&T will lose in the end - with or without net neutrality.

    I ditched SBC when they said they could get me ADSL at a property I was moving to, and then after I moved in and couldn't get it to train up, said my order had been cancelled due to being beyond the length limits - but they never bothered to call me and their policy is to inform the customer when they call in saying it won't work. Guess who I stopped doing business with? I'll go with Vonage, etc. before I'll ever do personal business with SBC/AT&T again. I've 3 other different high-speed internet providers (Fire2Wire, a local 802.11b provider, ClearW1re some other new wireless provider, and Comcast cablemodem). The only people this will hurt are the folks without another choice - but guess what, another choice will pop up if there are enough peeved customers.

    I ditched Cingular for the same reason. To get a new "free" phone or make any changes to my plan, I have to agree to a two year contract with less minutes, more money, and moving free evening to 7, 8, or 9pm instead of my existing 6pm. Thanks, but no thanks. I switched to a local cell provider for unlimited minutes, all the time (Cricket), one flat rate, period - oh, and unlimited text and picture messages too - and no monthly contract.

    Choice rocks, and it keeps businesses in check. The government just needs to make sure no monopoly can lock out choice, and the market will decide.

  14. Re:IPv6 service in the US on 6Bone IPv6 Network Shutting Down Tomorrow · · Score: 1

    BTW, I tried a tunnel to freenet6 (very simple interface) just now, and tested stuff like ipv6.chat.freenode.net, a few random ipv6 sites, and even an FM broadcasting site in mplayer. It all worked, but it was still way laggy as before... non-native (tunneled) ipv6 is just too slow. Other than the geek factor of being on freenode with an ipv6 address, I don't see the point just yet since 99.999% of the internet doesn't even support ipv6, and you have to hunt for sites that even support it (feels like the days of '94 when I used to comb geek magazines for cool sites to visit since there really wasn't much to see on the internet then).

  15. IPv6 service in the US on 6Bone IPv6 Network Shutting Down Tomorrow · · Score: 1

    I've thought for a long time that IPv6 is going to be one area that the US will lag behind in networking. Cisco/Linksys will have support (Cisco routers all do now) as they compete in Asia, etc. where IPv6 is already in widespread use.

    Can you name 2 ISPs in the US that you can get native IPv6 assignments from?

    For some time, I had a 6-bone /48 from Sprintlink.

    I know that Verio announced IPv6 service some time ago (2+ years) and that Hurricane Electric has had IPv6 service for a very long time (you can even use HE as a Tunnel Broker).

    But how about small/medium businesses or home users that aren't going to pay for a dedicated T1 to one of these ISPs when a cablemodem/dsl is just as fast for downloading and works just fine? While I can tunnel to HE, I'd really like to have native IPv6 service.

    Having said that, I haven't dinked with IPv6 in 2 years, and it's been 3 years since I was doing anything serious with it (hosting an IRC node and a MUD, both with native IPv6 access). I want to use it, but it's like the internet in '93 vs. '06...

  16. Re:What if you legitimately forget your passphrase on UK Government Wants Private Encryption Keys · · Score: 1

    Regarding the last one with an email: What if the password exists, but you don't have and were never in possession of them? How do you prove you never knew a password?

    I guess it is right along side if someone sends you some pedophile pictures and you delete them - how do you prove you never requested them and have nothing to do with them?

  17. What if you legitimately forget your passphrase? on UK Government Wants Private Encryption Keys · · Score: 2, Insightful

    Here is one for them to stop and ponder:

    What if someone is totally innocent, has a bunch of different encryption programs and passphrases, and is raided by law enforcement.

    What if they cannot recall every single passphrase? If they forget just one, are they going to jail until they can remember?

    Think about that, I've got PCs sitting around from years back. I've used different password systems over time, and often I cannot remember very old passwords. If I were living in the UK and were to get raided (I have no reason to, I don't even download TV shows or have MP3, just OGGs of stuff I own, so move along), I'd be sitting in jail, I suppose.

    What if, because you cannot recall a password, you reformat a hard drive? Then they find the drive and want the password because they can recover the data?

    What if someone sends you an email with encrypted content (whatever the method), and you don't legitimately have the means to decrypt it? Sounds like a great way to set up a suspected criminal. "Yes, we see you have several emails in your trash with encrypted contents. Tell us how to decrypt it or you're going to rot in jail."

    How about amnesia? It goes on and on...

    It's not hard to blow massive holes in this playing devil's advocate. Then all a real criminal has to do is play ignorant.

  18. Observation causes change on Baby Meets Big Brother For Science · · Score: 1

    I'm no scientist, but I recall that just by observing something, you are inherently changing it. While it may be subtle and unnoticeable ("hidden" cameras on a beach or home that no one notices), but things are not unchanged.

    Just the fact that the parents know there is recording going on is going to modify things. The extra time they take to deal with it and delete things is going to modify how the child learns.

    I'm not saying it's not cool, but it's not without some effects (even if small) on the child. Since the parents know about the taping and have control of it, it's going to be a bigger change than if not.

  19. Re:Band-aid on a gunshot wound. on Congress To Restrict Social Security Number Use · · Score: 1

    Just try and sign up for a class at a local junior college or community college or state 4-year school. SSN is required and often some, if not all, is used routinely for identification.

    I remember a friend that was going to take some programming classes, and even after meeting with the dean they were giving him a hassle about not supplying his SSN. I believe their justification was that they needed it to get funding from the state for each student that enrolled.

    I believe it was Blockbuster Video or Hollywood Video that wanted my SSN to create an account - uhm, no, I don't think so. Once I refused, they just skipped it.

  20. Re:Well, ok maybe on UK Hacker loses Extradition Case · · Score: 1

    Good point. I think the main point in all my ramblings was that it is such a gray area and not easy to define.

  21. Re:Well, ok maybe on UK Hacker loses Extradition Case · · Score: 1

    I should give some background (I'm not a lawyer or law enforcement, just citing personal experience):

    A friend had her husband leave early in the morning and left the front door unlocked. She awoke to find a homeless person sleeping on the couch. She called the police, but all the police said they could do is make him leave once she asked him to and he refused as the homeless person had broken no laws. She told him to leave, he did. According to the local Modesto Police Department, there was no crime.

    If this is true (which the story is, even if the MPD were incorrect in their enforcement of the law), then the unlocked (doesn't even need to be an open door) house analogy works just fine: if it is unlocked, one can enter the home until asked to leave.

    So I guess at least here where I live, if there is no breaking and entering, there is no crime.

    If you want to keep someone out, lock the door. If a laptop happens on your unencrypted open access point and surfs the internet, what crime is there? Especially as Windows' default is to connect to any open APs.

    If someone connects to a PUBLICLY CONNECTED service (web, telnet, whatever) and is prompted with no authentication and no "AUTHORIZED ACCESS ONLY," etc., how is one to know it is private?

    But if this guy was purposely looking for military computers, so I'd say that is where he screwed up. While there may have been no banners or passwords telling him it was military, he KNEW it was military. No doubt the UFO story was cover after the fact.

    However, going back to playing devil's advocate: The military has a ton of public websites for the public to access non-classified info. If the info wasn't marked as classified, couldn't he claim he thought it was a site meant for the public to access?

    If it was only this via unsecured webservers, and no passwords, then I can't see there being a real case:
    "Though McKinnon was able to view sensitive details about naval munitions and shipbuilding on the secure U.S. systems, he did not access classified information, an investigation found."

    However, clearly there was more to it than that, as this was clearly over the line:
    "In New Jersey, he is accused of hacking into a network of 300 computers at the Earle Naval Weapons Station in Colts Neck, N.J., and stealing 950 passwords."

    That's like copying down someone's credit card info, even if you weren't illegally trespassing to get to the credit card - you're still not supposed to have that info. There is no reason for someone to need someone else's password unless there is unauthorized uses planned.

    But what if the passwords were stored unencrypted on an unsecured webserver? What if I put my passwords in /index.html and then tried to have people who accessed my website prosecuted? I know this is an oversimplification of the situation, but what if? What if it was in a "secret" place on my webserver that should have a password, but somehow I broke it and someone finds it from some links (say from Google crawling a webalizer log that I shouldn't have publicly available), are they at fault just for pulling up a page that says, "passwords.html" ? In that case, I'd say yes, just due to the nature of the filename. But what if it was just some random filename and they accessed it and saw it was passwords? No crime there that I can see, unless they kept the passwords (saved or printed the file or whatever).

    It's all such a slippery slope with grey lines. The best way with security is to avoid going near the line. If you never go snooping around a bank, they're not going to try and get you arrested for casing the place. I know this doesn't fit with the hacker (not cracker) ethic of "explore and learn everything." Nowadays hardware is cheap... hack your own gear.

  22. No such thing as "spoofable addresses" on Can You Spoof IP Packets? · · Score: 1

    Addresses that can be spoofed are completely dependent on each ISP's filter rules. No ISP should allow you to use an address they don't own unless you have a BGP peer relationship with them and can show that your ASN has been assigned those addresses.

  23. Re:Sadly "The Painter" did not win.... on FirefoxFlicks Winners Announced · · Score: 1

    I've got to say, IMHO, The Painter was the most professional and most "ready for TV" ad in the entire lot (I watched all of them rated with 3 or better stars).

    It's a simple message (grandma doesn't understand "viruses," "security," "pop-ups," etc.), it's got great music. It "just works" for the non-technical masses.

    Of course, if you're marketing to the TechTV crowd, you need something a bit different and can use all the buzzwords.

    I thought the Xraalthraal and John was kinda funny too (could use a bit better acting).

  24. SmellsTerrific on FirefoxFlicks Winners Announced · · Score: 1

    SmellsTerrific is rather funny as well.

  25. Re:Problem with hosts... on Livejournal Bans Ad-Blocking Software · · Score: 2, Informative

    squidGuard was doing that years ago (2001). Great reason to use a local proxy.