You can validate all responses with no DNSSEC support in your DNS resolvers. All you need is the root zone key and verify from there down. Example: run your own BIND server with DNSSEC enabled and never use your ISP's.
I grew up buying vinyl instead of tapes as my dad had a great bazillion dollar setup (don't know how much, but thousands in '70s era money - hey, we even had a VCR that didn't support SLP and couldn't play friends' movie recordings from the pay channels), which included this perfect-sounding phonograph (all super-balanced floating on these cool legs so the base wouldn't cause it to skip) which we had hooked up to a very high-end tape recorder (even had an 8-track too, oh, and the receiver was a quadraphonic deal, but I never had any vinyl that took advantage of that as only one of our vehicles had 8-track, and we replaced it with tape before I was buying my own music). When I bought a vinyl album, I bought a high-end metal tape to copy it to and listen from. I'd wear out the tapes, then create new ones from the vinyl - which was the only time I ever used the vinyl. Still have all my vinyl, but no high-end phonograph to listen to them on.
Other than the metal tape copies, the next thing I remember doing was buying a 5-disc changer with my first summer job monies and a half-dozen CDs. Disc changer lasted about 10 years, receiver was in my daughter's room until recently while cleaning up - but half the time she'd rather listen to mp3s on her phone as it follows her around in her pocket.
I own physical copies of all the music I have, or I have detailed records of when and where I downloaded music from (proving it was a free release from an artist, etc.). Not sure what my kiddos will do when they grow up and move out - hopefully the music industry will have solved this. Otherwise, I'll be deleting all the digital copies I have of physical CDs that I've given them when they move out (provided they even care to take them). I'm hoping my kids will continue in integrity, and I'm hoping the media dinosaurs can grow up and not go extinct.
Actually, my preference would be for artists to rise up and overthrow the labels and just deal with fans direct. I'd really rather just have my cash going to them and the folks behind the creation of the art.
I think one major difference was that tapes and especially recordings from the radio sounded pretty poor (especially second and third generation copies) - and tapes wear out.
High-quality (mp3, ogg) digital copies never wear out, and FLAC is identical to the original. Storage is so cheap, only a Luddite would still put a CD in a PC more than twice. Actually, these days the kids barely know what a CD is and are fine getting low-quality mp3s from online services.
The mp3s that I downloaded from an artist (as part of a pre-release deal when ordering the physical CD) were of better quality (320kb) than those on Amazon (128kb), and better than the 160kb default that I ripped my CD to when creating my own ogg files.
As I read the story, the undercover cop ran as soon as the motion-sensitive floodlights detected him. The suspect chased him down and shot him dead.
Unnecessary force and vigilante actions of taking the law into one's own hands (meting out death for what should have been perceived as auto theft) - uhm, yeah, do not collect $200, go straight to jail.
The proper response would have been to hold the undercover cops until law enforcement arrived.
KeePass for your PC (runs fine with Mono under Fedora/RedHat-ish distros) + KeePassDroid for your Android device(s) + Rsync 4 Android to sync it (or just manually pop the memory card in to transfer it).
I have a different KeePass Database file for Personal (high-security items) and Work. I wouldn't trust Dropbox to move the file around as some propose. If you absolutely insist on using an insecure transport like Dropbox, at least add the Key File method when you generate your databases and transport the Key File OOB (not via Dropbox).
I hear from a co-worker that KeeFox is a nice Firefox + KeePass integration. I may move all my low-security sites' passwords to another KeePass database if this works well so that I could also have all of them available on my phone.
For now, I use SyncPlaces (stored to a local file) + Dropbox to keep my low-security sites' passwords and bookmarks synced (as they change and are added to very often).
Banks can be service providers as well. I know for a fact that Wells Fargo is. Perhaps a different unit of Wells Fargo from their core banking unit, but still Wells Fargo, a bank.
That is incorrect. With External Registrar (PIN) method nothing has to be done on the router and it is all done remote. Per the paper, External Registrar (PIN) is a required feature for all WPS-certified devices. (Note, it doesn't have to be enabled by default, but that wouldn't be user friendly, would it?).
Two flaws:
1. The WPS access point should not NACK the PIN before the entire PIN is transmitted. This cuts the number of guesses down from 100,000,000 (10^8) to 11,000 (10^4 + 10^3).
2. Most access points don't block further authentication after failures. Because of this you can test all 11,000 PINs in less than 4 hours on most models.
User fix:
Disable WPS External Registrar PIN. If that is not an option, demand your vendor release new firmware (see vendor fix below). If that is not an option, replace your wireless device.
Vendor fix:
Block further authentication for Z minutes after X attempts. The paper has a nice table showing the maximum attack time given different variables for Z and X.
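The two numbers above (11,000 candidate PINs, and Z minutes of lockout after X failures) can be put into a small model. The following is an added example, not code from the original comments or from the paper they cite. It computes the worst-case time to try every PIN under a given lockout policy, in the same shape as the paper's table, and then scans a failure log to check whether an access point is actually holding to such a policy. The per-attempt time (derived from the "under 4 hours" figure) and the log line layout are assumptions.

```python
"""WPS External Registrar PIN exposure: lockout model and a log-side check.

Added example, not code from the original comments or from the paper they
cite. It (1) computes the worst-case time to try every PIN when an access
point blocks for Z minutes after X failed attempts, and (2) scans a failure
log to see whether an access point is actually enforcing such a policy.
The per-attempt time and the log line format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import ceil

FIRST_HALF = 10 ** 4          # guesses for the first four digits
SECOND_HALF = 10 ** 3         # guesses for the last four (final digit is a checksum)
TOTAL_PINS = FIRST_HALF + SECOND_HALF   # 11,000, as stated in the comment

# Assumption: "all 11,000 PINs in less than 4 hours" implies roughly 1.3 s per attempt.
SECONDS_PER_ATTEMPT = 4 * 3600 / TOTAL_PINS


def max_attack_hours(attempts_before_lockout, lockout_minutes,
                     seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Worst-case hours to exhaust TOTAL_PINS when the AP refuses further
    registration for lockout_minutes after every attempts_before_lockout
    failures (X and Z in the vendor fix above)."""
    if attempts_before_lockout <= 0:
        raise ValueError("attempts_before_lockout must be positive")
    # One lockout after each full batch of X failures, none after the last batch.
    lockouts = ceil(TOTAL_PINS / attempts_before_lockout) - 1
    total_seconds = TOTAL_PINS * seconds_per_attempt + lockouts * lockout_minutes * 60
    return total_seconds / 3600


def attack_time_table(attempt_limits=(3, 5, 10), lockout_minutes=(1, 5, 60)):
    """Rows of (X, Z, hours), the same shape as the paper's table."""
    return [(x, z, round(max_attack_hours(x, z), 1))
            for x in attempt_limits for z in lockout_minutes]


# Constructed sample log; the line layout is an assumption, not real vendor output.
SAMPLE_LOG = """\
2011-12-28 02:00:01 wps: registrar PIN mismatch from 00:11:22:33:44:55
2011-12-28 02:00:03 wps: registrar PIN mismatch from 00:11:22:33:44:55
2011-12-28 02:00:04 wps: registrar PIN mismatch from 00:11:22:33:44:55
2011-12-28 02:00:06 wps: registrar PIN mismatch from 00:11:22:33:44:55
2011-12-28 02:30:00 wps: registrar PIN mismatch from aa:bb:cc:dd:ee:ff
"""


def parse_failures(log_text):
    """Map peer MAC -> sorted list of PIN-failure timestamps."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if "PIN mismatch" not in line:
            continue
        parts = line.split()
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        failures[parts[-1]].append(stamp)
    return {peer: sorted(stamps) for peer, stamps in failures.items()}


def failures_over_policy(log_text, attempts_before_lockout, lockout_minutes):
    """Peers whose failures inside any lockout_minutes window exceed
    attempts_before_lockout; an AP enforcing the fix should never log that.
    Returns {peer: highest count seen in one window}."""
    window = timedelta(minutes=lockout_minutes)
    flagged = {}
    for peer, stamps in parse_failures(log_text).items():
        worst = 0
        for i, start in enumerate(stamps):
            count = sum(1 for s in stamps[i:] if s - start <= window)
            worst = max(worst, count)
        if worst > attempts_before_lockout:
            flagged[peer] = worst
    return flagged


if __name__ == "__main__":
    for x, z, hours in attack_time_table():
        print(f"X={x:>2} attempts, Z={z:>2} min lockout -> {hours:>8.1f} h worst case")
    print("no lockout at all ->", round(max_attack_hours(TOTAL_PINS, 0), 1), "h")
    print("peers exceeding a 3-in-1-minute policy:", failures_over_policy(SAMPLE_LOG, 3, 1))
```

With no lockout the model reproduces the 4-hour figure; with a 60-minute block after every three failures the worst case stretches to months, which is the point of the vendor fix. The log check is the complementary view: if an access point that claims to enforce X-in-Z lockout still logs more than X failures from one peer inside Z minutes, the firmware is not doing what the vendor says.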
This is incorrect. Look at the paper. It states WPS has three methods:
Push-button-connect
PIN - Internal Registrar (web interface)
PIN - External Registrar (PIN)
Default on the Buffalo WHR-HP-G300N I just reviewed is to have External Registrar (PIN) enabled.
The paper further states that if a device is WPS certified then it must have the External Registrar (PIN). To make it "user friendly" it will be enabled by default. Hopefully your devices have the ability to disable it.
Side note: trust no wireless. Best method is to put the wireless in a DMZ and VPN/encrypt all traffic, so even if the wireless is compromised you're still safe. If you restrict all traffic to just DNS and VPN to your device, then would-be freeloaders will just move on even if they found your PIN as they cannot get anywhere.
Hmm, Radical Breeze's Illumination Software Creator seems to fit the bill pretty well. They even have a couple Hello World examples posted.
Hmm, how do you know and prove it is one nation vs. another or just some independent citizens? Take Stuxnet - was it Israel, the CIA, someone else? Is sabotage an act of war? Seems to me that cyberwarfare is in some ways like guerrilla warfare with an unseen enemy. If I set up a remote system in Canada to route my control traffic through before hitting another system in the US and attack China from there, what then? Same with China - there are plenty of places one can get a legitimate and illegitimate account on a server and from there attack Japan, the US, etc.
If it's that critical anyway, why is it connected to the Internet in the first place? Why no air gap?
Only thing good I can see there is the midnight - 6am being free. My home server actually downloads all my video/podcasts and rsyncs all my Linux mirrors starting at 2am each night (typically done by 6am). Other than video streaming (NetFlix, Amazon Prime), our daytime usage is pretty minimal.
If all the major ISPs did this, perhaps we could have pre-buffered real HD (not this "better than SD" so we can call it HD) online streaming from NetFlix, Hulu Plus, Amazon Prime, etc.
Except when your uber-important report or presentation or project or whatever is lost and when your laptop goes belly-up and you want to waste IT's time to try and recover it.
Yeah, the problem is these folks want all the freedom and none of the responsibility for maintaining their own gear.
How about when there is a lawsuit and all emails, IMs, etc., must be collected? Do you really want your personal laptop being inventoried for all of this? I think not. There is a good reason for a line between business and personal.
Some of the best ideas and designs start on napkins. Might have been research/think time.
If I'm solving a problem for a customer in the shower, should I not bill for that time if I'm getting results (especially when I'm holding down two jobs, and my personal time is where I fit my second job)? Granted, I shouldn't be able to bill for all my shower time, but time specifically devoted to a customer, sure, it's legit.
I do some of my best thinking while sleeping (and prepping before going to bed) and usually piece it together in the shower. I just can't get much think time once I'm taking the kids to school or getting interrupted at my day job or in the evening until the kids get to bed.
If I want to write it down while at lunch on a napkin, that's totally billable. Granted, I only do so in quarter hour chunks and I keep accurate time.
Further, there is nothing wrong with double or even triple billing (beyond that, and I think you're going to be kidding yourself at your multitasking skills). Take for instance patching VoIP servers back when Cisco CallManagers ran on Windows 2000 and required tons of reboots for the OS, SQL, CCM app, Security Agent, etc. Say I know it is going to take 1 hour to do the patching, and another 15 minutes prior going through my check lists, and 15 minutes post to verify everything is good. So if I have 3 customers that I'm going to patch in one night, do I do it serially or in parallel? I'm going to do it in parallel and triple bill some of that time. I start the first pre-patching checklist, then patching. Then I do the second pre-patching checklist, and patching. Finally I start the third pre-patching checklist, and patching. Time for a quick bathroom break and then time to start the post-patching check of customer 1, then 2, then 3. Sure, if I run into a snag with one customer I have to pause all the billing for the other customers, but that's on me, and it's also why we have redundant systems.
Yeah, that's how to do it. Customers each get billed 1.5 hours. Takes me 2 hours to do it total, I bill 4.5. Everyone gets what they asked for, I'm efficient with my time, win win.
Now, billing >24 hours in a day, that would take some gravitational time dilation, and even then I think it's only on the order of seconds, not hours more per day.
"[T]he company noted that Adobe Reader X Protected Mode and Acrobat X Protected View offer some mitigation against the exploit."
I'm guessing that while the bug exists in X, it is not exploitable, or at least there is no code in the wild that is able to exploit it.
Ditto to what another commented regarding a work connection not being for your own personal amusement. As one of those IT Department folks, I tell folks to surf from their phone and/or tether and bring their own personal laptop to surf from. I don't care how you use your time, that's not my job, and you could just as easily be reading a book or on the phone all day taking bets. From a security standpoint, staff surfing with work PCs exposes my network, which is why I'm strict. Yes, we've got many layers of security (blacklists, botnet lists, malware lists, dns filters, url filters, ids, anti-virus/malware), but I still see stuff hitting the 3rd and 4th layers, and it is rather disconcerting.
Further, some of it has to do with a finite amount of bandwidth. While we have a large amount of bandwidth, it's not for unlimited personal surfing. Folks were peeved and complaining to the Help Desk today (cyber Monday) when they were getting blocked constantly from personal sites - see, we limit bandwidth when we're near 75% utilization, because there are people actually trying to get work done (who are happy that we do this). An increase in personal surfing with video or large-content-heavy stuff shouldn't cause my Internet pipes to need to be upgraded.
They can challenge it in court, but I doubt there will be any such challenge as they know it's a slam dunk with the domain caught red-handed selling counterfeit goods but passing them off as real.
Newsflash, most (all?) of the gTLDs are run by US companies. Therefore they are under US jurisdiction.
Speaking of NAS - dedupe is a great benefit. Previously one would use NFS to mount common binaries and libraries between systems from a common server. Now, with a NAS, instead of having to maintain an identical binary/library to use on all these systems, the NAS can dedupe wherever the blocks are identical (especially when a file only changes say 1%), and great storage savings can be found.
Don't buy support, just buy timely updates.
Self-support Subscription (1 year) $349
Although, I would suggest buying support for at least one set of systems in your test environment. That way you can get RH support and resolve any issues there.
Not disagreeing, but I would point out that the CentOS CR repo has been pushing security updates found in EL6.1. So while CentOS 6.1 as a full release is behind 250 days, the updates are still flowing, just delayed. For instance, Firefox 3.6.23, shipped for RHN 28 Sep 2011 vs. CentOS CR repo on 06 Oct 2011. 8 day delay - much better than CentOS had been at for a while.
On the other hand the Apache webserver, httpd, was delayed a far longer amount:
06 Oct 2011 vs 21 Oct 2011 - ouch.
To me, a 1-3 week delay for an internal-only server/service is acceptable. For something Internet-facing, totally unacceptable.
Not to mention you can patch based on CVE, RHSA, security severity, etc. with RHN. CentOS has no such support for patching based on a specific security release (yes, there is a yum plugin, but there is no repository/package information for any security content).
CentOS doesn't keep around older updates once they are superseded, but many times you may need to patch up to just a certain point (see the update-minimal yum option). Not a problem with RHN.
Here are the yum options that are rather useful and supported with RHN:
Plugin Options:
--security Include security relevant packages
--bugfixes Include bugfix relevant packages
--cve=CVE Include packages needed to fix the given CVE
--bz=BZ Include packages needed to fix the given BZ
--sec-severity=SEVERITY Include security relevant packages, of this severity
--advisory=ADVISORY Include packages needed to fix the given advisory
pop3s, imaps, smtps, etc. anything that uses ssl should be tested and is probably vuln (quick dovecot & sendmail tests were). I'd really like to see the "private" code that works w/o renegotiation in order to test against https.
As F14 is about to sunset, I will comment and say that I'm rather happy with C6. Wish the updates were coming faster, but I know they'll get there and the joy of EL is 7 years minimum of updates.
I'm guessing getting a $2M insurance bond wouldn't be terribly expensive either. Not that they are one and the same, but a $2M Professional Liability policy only ran me $312/year for a number of years. He only needs it to be good for a day, so I'm betting it wouldn't be more than a few hundred, if that.
Save up the money and do it right and follow all the rules, or go home and film it. Just because it is a public park doesn't mean it is a free ride for your own promotional videos. Further, what if every high school and junior college wants to start filming in the park? No real problem, except they need to be policed and ensure they are cleaning up, etc., and that costs money, which is why the rules are there in the first place.
Riiiiiiiight, and no government would ever set up thousands of Tor exit nodes just to watch traffic. Couldn't be done.