Slashdot Mirror


User: Rolan

Rolan's activity in the archive.

Stories: 0
Comments: 244

Comments · 244

  1. No irony....this is how it works on EU Record Companies Push to Extend Copyright · · Score: 4, Insightful

    It's not all that ironic that the justifications overlap. These are the excuses they use. They start in the US with: "We need to Sync up with Europe." then they change something just slightly so that it's longer than Europe. Then they go to Europe and say: "We need to Sync up with America." Rinse, repeat.

  2. Re:Yeah? on Keyboards are Good; Mouses are Dumb · · Score: 2, Funny

    Try using photoshop without a mouse. Not a problem, I'll use my tablet. It's easier anyway.

  3. Re:But we already know the cheat on Reverse Engineering MineSweeper · · Score: 1

    I've hit a mine on the first try several times, it's definitely possible.

  4. Re:It could be worse.. on Homeless Wires? · · Score: 1
  5. Re:A reason why *not* to use .NET? on Cracking the Google Code... Under the GoogleScope · · Score: 1

    Generally, a web farm with a lot of bandwidth that only does dynamic content for necessary sections (i.e. comments) but otherwise has static articles. An excellent database server (hardware, not software wise) on the back end helps, too. Building a system that can support 10,000 hits in a matter of minutes takes a good bit of work. Both code, software, and hardware wise. That makes it expensive, and frequently not worth it. Unless, of course, you plan on having that kind of traffic frequently.

  6. Re:A reason why *not* to use .NET? on Cracking the Google Code... Under the GoogleScope · · Score: 1

    And what would you suggest then? PHP/MySQL? Go visit Groklaw right now. If you can even get the server to respond, you get a nice PHP/MySQL error. When it comes to the Slashdot effect, it's much less what you run, but what you run it on. Pretty much anything dynamic is going to die. There are few sites on the web that can actually stand up to Slashdot.

  7. Re:The biggest downside to Firefox on Pros and Cons of Firefox Critically Evaluated? · · Score: 1

    Well, the problem is that each time you try to upgrade you can either upgrade "Critical Updates" OR "Themes" OR "extensions" OR etc. It'd be nice to have the option to pick them all at once. This is the problem from my experience, anyway.

    You either weren't using Firefox to post this or you just couldn't be bothered to look before you posted. There are "Critical Updates" or "Themes AND Extensions", and that's it.

  8. Re:Bullshit. on Network Penetration Scans and Executive Reaction? · · Score: 1

    Did you even read that post, or the original post by me? I flat out said "Security by obscurity" wasn't acceptable. In no way did I imply that changing the banner was security, I just find it amusing when the just above script kiddies can't figure out why they can't get in when they just know the server is vulnerable to that attack.

    Yes, most blackhat tools are going to try them all anyway, some won't, and anyone looking at it manually is going to be confused, at least briefly. Their fingerprinting will be useless at worst, or completely misleading at best.

  9. Re:Risk Assessment Done By Professionals on Network Penetration Scans and Executive Reaction? · · Score: 2, Informative

    As I said in my first paragraph:

    If the boss wants you to "fix" them all, give him a report of your own. "This is set up this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet.

    Risk mitigation doesn't necessarily mean you have to close the "hole". Simply that you are aware of it and you've done what makes sense to address it. If there is a hole whose risk is very low to the point where it would cost more to fix it than to recover, the mitigation is that you are aware of it and can recover from it if it happens.

  10. Re:Bullshit. on Network Penetration Scans and Executive Reaction? · · Score: 1

    Sorry. I don't consider it a hole that the webserver reports which Apache version it's running. Neither do I consider it a hole that BIND returns which version it is. Neither do I consider it a hole that the FTP server puts up a banner identifying it. .. and so forth

    I agree, hence my comment:

    If it's not a risk, explain why it is not.

    It's easy to break down a risk such as that. i.e.:

    The Bad: The banner tells the person looking of potential holes to search for, quickly reducing the number of things they need to try and also reducing the profile of the attack.

    Why it may not matter: If your webserver is secure, regularly patched, configured correctly, and well monitored, it doesn't really matter. The risk related to letting it identify itself has been mitigated.

    My preference: Set it to identify itself as something it's not. Then watch the logs for known attacks targeted at what it identifies itself as. *

    * Yes, I know this could cause some specific issues. As with all things, if you don't know what you're doing, don't do it.

  11. Address The Report on Network Penetration Scans and Executive Reaction? · · Score: 5, Insightful

    If the boss wants you to "fix" them all, give him a report of your own. "This is set up this way because of X, and the risk is mitigated by Y." If it's not a risk, explain why it is not. If you can't explain why it's a risk or how you're mitigating the risk, then you should be called out on the carpet. NEVER rely on security by obscurity. There is no such thing as a hole "so obscure as to be meaningless." If you mean that the report is vague in defining what the hole is, then you or your boss should get more information from the person you paid to do it.

    In the end, if you can't specify why it SHOULD be that way, then you should make it secure. If you can say it HAS to be that way for a specific reason, then you should say how you are mitigating the risk. If you're not mitigating the risk, well, you better come up with a really good reason your boss is going to like.

  12. Re:It worked!!! on Tracking Your Taxes · · Score: 1

    Well, because it's simple for you to use some other company's servers, but Comcast's are completely down. I had to inform one of their operators how to change the DNS server IPs and gave him some to use. He had no idea that you could do such a thing.

  13. Re:What is Internet2? on RIAA Cracks Down on Internet2 File Sharing · · Score: 1
  14. Re:Better Business Bureau on Recovering Domains from Negligent Registrars? · · Score: 2, Insightful

    Better try the "Office Address" (which is listed as not open to the public) than the masked PO box.

    Jump Domain, LLC
    1700 W 40 HWY
    Blue Springs, MO 64015

    Amusingly enough, from their site:
    "The ownership of Jump Domain still vests in it's founder. He is active in the day-to-day operations handling most communications with customers. He holds a Bachelors Degree and a Jurist Doctor (Law) Degree." (Bolding mine.)

    You'd think he'd realize this kind of stuff can get him sued.

  15. Find a Lawyer on Recovering Domains from Negligent Registrars? · · Score: 1

    IANAL, but it sounds like you have a fraud case at the least (paid for the service, but not received). If they're business domains you may be able to collect damages due to their negligence. If you can't afford a lawyer, just threaten one. Frequently a lawsuit will get a company's attention real quick. If they've done it to a number of people (likely), they should realize it could easily turn into a class action. It's a good way to be put into bankruptcy/liquidation by the court, given they probably don't have much, if anything, that's worth anything.

    At the same time, you can dig through ICANN's website and see if they have any procedures for this sort of thing. Don't hold your breath.

  16. Re:Mon Calamar on Water Spectacular in Episode III? · · Score: 2, Informative

    Lucas told SWG that Mon Cal females didn't have breasts (not being mammals after all). There was an ongoing fight about if they should or shouldn't on the SWG boards, wouldn't want to be there now.

  17. Re:Does this even matter? on CherryOS Goes Open Source · · Score: 1

    From the AC.... An improved emulator is still useful for developing other operational platforms.

    I agree. PearPC has many uses, and I fully support its development. My response was strictly to the question of "does it matter to those who want to run OS X."

  18. Re:Does this even matter? on CherryOS Goes Open Source · · Score: 1

    Does it really matter to the common user that wants to run OSX on their windows box?

    You're right, it doesn't matter. Since the OS X license agreement specifically says you can only run it on Apple hardware, so it's illegal to do so. And we've seen just how eager Apple can be to sue at times. No, I don't hate Apple, I use all OSes (okay, most).

  19. Re:Space Station is a No Go on Crack Found in Shuttle Tank · · Score: 1

    Well, let's see.... Perhaps when you finally RTFA you'll see the part about the launch window is determined by the space station's orbit. Or, perhaps you'll read a bit of the past stories and find out that all future shuttle missions must be in range of the space station. OR, maybe you'll read one of the dozen Hubble articles that says it will be scrapped because no shuttle mission can repair it AND be able to get to the space station.

    You know, with so little coverage I can see why you missed that fact...

  20. Re:Second Shuttle for what? on Crack Found in Shuttle Tank · · Score: 1

    And what will that second shuttle be used for? Wasn't the result of the first shuttle being damaged by foam that it blew up? The second shuttle obviously won't be needed for any rescue operation. Are they going to keep a second crew as well, on standby to take over the mission?

    Must have missed the part where they CHECK for damage.... They KNEW it was damaged before last time, they just didn't CHECK how bad... So, they CHECK and determine it's too damaged to return and abandon it using the second to return....duh?

  21. Re:SANS vs. the rest of the security community. on DNS Cache Poisoning Spreads Malware · · Score: 1

    The other organizations can stick their heads in the sand if they wish, but I've seen this first hand and am just glad that the people doing it are stupid. They very easily could have redirected banking sites to spoofed sites, etc and caused a lot more trouble than just redirecting to a single, obviously incorrect website.

  22. Re:How does it happen? on DNS Cache Poisoning Spreads Malware · · Score: 3, Informative

    Start by clicking the "HERE" in the article and, oh, wow, there's a whole report on how it happens!

  23. iTunes on Proposed Canadian Laws to Nix P2P Music Sharing · · Score: 1

    Just going off what summary.... Think they realize that this would make the iTunes free download of the week illegal? Politicians just prove what we think of them more and more each day....

  24. Simple... on PDF Tracking On the Way · · Score: 5, Insightful

    It's simple... Refuse to read PDFs that require the technology. Publishers won't get any data from it, and given a loud enough voice, will find that the tool reduces their distribution. It does them no good if the users won't read their documents because of it.

  25. Finally.... on Gamer Slain Over Virtual Property Dispute · · Score: 5, Funny

    A case where a video game actually had something to do with a murder...