Slashdot Mirror


User: cowbutt

cowbutt's activity in the archive.

Stories: 0
Comments: 993

Comments · 993

  1. Re:Hmf on Modding The Barton XP To A Barton MP · · Score: 4, Insightful
    Er, no, because then you end up wondering whether it's your bug or a hardware problem.

    A friend spent a long time debugging some maths in a game engine he's working on. First of all, he assumed it was his code, then after eliminating that possibility, assumed it was a gcc bug, then eventually found that the problem was caused by the motherboard's voltage settings being incorrectly documented and therefore he'd mistakenly configured it to supply the CPU with the wrong voltage.

    --

  2. Re:Matrix and Marx on First Matrix Reloaded Review · · Score: 1
    ...except in Britain, not even the trains run on time. :-]

    --

  3. UpMyStreet Conversations on Meeting Locals over the Internet? · · Score: 2, Informative
    Here. Enter a UK postcode and you can join in conversations with people in your locality.

    Sadly, NTK report that they're in receivership. :-(

    --

  4. Re:But WHY? on Linux on Nokia IP Series Hardware · · Score: 1
    Cisco's 4210 SecureIDS appliances are Dell PowerEdge 1U PCs. They even put a small black sticker over the Dell logo on the flimsy plastic under the metal facia (the asset tags are still obviously Dell though).

    --

  5. Re: Finally some good news!? on Linux on Nokia IP Series Hardware · · Score: 1
    If my company was paying several (tens of) thousands for "professional" support, which was never able to help me with the problems I was experiencing, and the techs at the other end of the phone couldn't even spend the time to try and replicate my problem, even though I've demonstrated I'm at least vaguely competent, I think I'd take on that sort of attitude too. :-(

    --

  6. Re:Wrong again on Linux on Nokia IP Series Hardware · · Score: 1
    Only if the source IP address (-s 101.102.103.104) matches that of Slashdot's servers. :-P

    But yes, that is a problem with doing it at this layer, rather than with a filtering proxy. To do it properly you need to build all sorts of recursive file decomposition stuff (.doc, .tar, .gz, .zip, etc.) into a kernel module or INSPECT code (ewww!) or your policy ends up being too weak, or too strong. That's probably a hint that this is the wrong place to be performing this kind of filtering.

    If all you wanted to do was block inline images, I'm pretty sure you could use netfilter's 'string' target to look for the appropriate MIME type first, mark the packet, then look for GIF89a in marked packets (a logical AND, in effect). But I can't be arsed to try and get that working for a silly slashdot argument. On the other hand, if someone wants to pay Assursys to develop such a policy, I'll be happy to take it on. ;-)

    --

  7. Re:Wrong again on Linux on Nokia IP Series Hardware · · Score: 1
    ie, write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.

    iptables -I INPUT -j DROP -p tcp -s 101.102.103.104/32 --sport 80 -m string --string "GIF89a"

    OK, that's a bit brutal, and it could do with a "only match between byte ranges xx and yy of the stream", but that'll come, I'm sure (besides, you said "all GIF images", and it's as hard to do that completely [i.e. including GIFs embedded in other file types such as .doc and .tar] and solely with iptables as it is with INSPECT - using a filtering proxy would be a better approach).

    My point was that although you can do that sort of thing with INSPECT, I know of precisely one person at one organisation from my former employer's entire European customer base who's done that. And they went through a fair bit of pain when they wanted to upgrade from 3.0b to 4 because of that and the changes in the layout of the standard INSPECT code between 3.0b and 4. (They ended up abandoning their custom INSPECT cleverness when they upgraded, due to lack of migration support from CheckPoint, if I remember correctly).

    Oh, and no CVP helper for FW-1 that I've ever used, used INSPECT to help out with stream disassembly and recognition. They only used the equivalent of netfilter's ROUTE or DNAT targets to provide the equivalent of a transparent proxy implementation.

    I've been using and supporting FW-1 since 1998 and I don't deny that it's a pretty solid product, but it's overkill and overpriced for most users. Similarly, there's very little to defend the hack described in the original story; if you've already got Nokia IPxxx hardware and a FW-1 license, either use it to run FW-1, or sell it and buy a Dell with the proceeds to run Linux+iptables or BSD+[i]pf instead.

    Finally, if you want enterprise management of Linux+iptables, you're probably best off going with something like ASL plus Solsoft NP.

    --
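The limitation discussed in the two comments above (matching "GIF89a" in individual packets rather than in a reassembled, decoded stream, as a filtering proxy would), shown as an added example that is not part of the original comments. The helper names and HTTP responses are constructed for illustration, and `packet_filter` only models a per-packet string match; it does not call netfilter.

```python
import gzip

SIG = b"GIF89a"
# Constructed sample body: GIF magic plus filler, not a valid image.
GIF = SIG + b"\x00" * 64 + b";"

def response(body, ctype, encoding=None):
    """Build a constructed HTTP response as one byte stream."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\n"
    if encoding:
        head += b"Content-Encoding: " + encoding + b"\r\n"
    return head + b"\r\n" + body

def segment(stream, cuts):
    """Split a stream into TCP-like segments at the given byte offsets."""
    edges = [0, *cuts, len(stream)]
    return [stream[a:b] for a, b in zip(edges, edges[1:])]

def packet_filter(segments):
    """Model of a per-packet string match: each segment is inspected alone."""
    return any(SIG in s for s in segments)

def proxy_filter(segments):
    """Model of a filtering proxy: reassemble, parse headers, decode, then
    test the magic bytes only at the start of the decoded body."""
    head, _, body = b"".join(segments).partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body.startswith(SIG)

def verdicts():
    """Return {case: (packet_filter blocks?, proxy_filter blocks?)}."""
    plain = response(GIF, b"image/gif")
    cut = plain.index(SIG) + 3                     # boundary inside the magic
    cases = {
        "whole": [plain],
        "split": segment(plain, [cut]),
        "gzip": [response(gzip.compress(GIF, mtime=0), b"image/gif", b"gzip")],
        "html": [response(b"<p>GIF files begin with GIF89a</p>", b"text/html")],
    }
    return {k: (packet_filter(v), proxy_filter(v)) for k, v in cases.items()}

if __name__ == "__main__":
    for case, result in verdicts().items():
        print(case, result)
```

The "split" and "gzip" cases are images the per-packet match lets through, and the "html" case is a harmless page it would drop, which is the "too weak, or too strong" policy problem described above.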

  8. Re:WTF IS HE THINKING! on Linux on Nokia IP Series Hardware · · Score: 1
    Wrong. Netfilter (iptables is just the normal tool to configure it from the command line) does use stateful inspection (as does *BSD's [i]pf). Its predecessor (ipchains) was a stateless filter.

    What is true is that CheckPoint's SMLI architecture has a lot of flexibility inherent in its design that Netfilter doesn't. OTOH, I haven't seen anything that uses it. I would have thought that CKPT would have added better support for sophisticated protocols by now (e.g. NetBIOS, NetMeeting, DCE-RPC).

    --

  9. Re:Data on A Breakdown of Your Monthly Budget? · · Score: 1
    You left out the following points of your analogy:

    You need to pay for any repairs and maintenance of the safe

    You have the added cost of buildings insurance. You really don't want to be paying off the mortgage on top of everything else if the place burns down.

    In a few months time, there's a reasonable chance you'll be able to get the same deal for 50-90% of the current $100,000

    The government will ask you for some money to start this whole deal off (at least here in the UK). Remember to amortize it over your stay and add it to that "small monthly amount"

    With the increasing mobility expected by the employment market, you may need to move before you've recouped the savings between renting, due to the costs above, and the fact that you might have paid $100,000, but now the going rate is $80-90,000.

    If you're planning on staying put for a while (the textbooks seem to say 5-6 years is breakeven) then there are very good reasons to buy. But if that's not the case, it may be worth paying the "extra" to have the flexibility of renting.

    --

  10. Re:The problem with books.... on Essential System Administration, 3rd Edition · · Score: 1
    My experience with RH8 and some of the components included in RH9 is that RH8 can probably be thought of as 8.1, whilst RH9 should be thought of as 9.0.

    --

  11. Re:Dumpster Diving. on Shopping for a New Monitor? · · Score: 1
    Agreed, I've got a second-hand 21" Sun Hurricane monitor I picked up for 100GBP+VAT. Not quite as good a deal as those 23" SGI jobs, but...

    The only downside is that it weighs 31Kg, which makes it a little awkward to move. It'll probably outlive me though. ;-)

    Other monitors I've used were a slightly damaged 17" rebadged MAG or CTX I got for free (after it was slightly damaged during a move at my former employer) and a 15" Iiyama that I paid ~300GBP for back in 1995. Iiyamas are worth every penny.

    --

  12. Re:Shame on Concorde to be Grounded · · Score: 1
    Not quite true. Growing up in Bristol during the 70s, I remember plenty of sonic booms from Concorde going supersonic overhead. Used to shake the windows something rotten. ;-)

    Though it's horribly inefficient and costly, I'll still be sad to see it go. It's a fine piece of engineering.

    --

  13. Re:Maybe it's an inside job. on Hacker Leaks Unreleased CERT Reports · · Score: 1
    s/days/months or years/

    --

  14. Re:Have you tried Gentoo's Emerge on Manage Packages Using Stow · · Score: 1

    Oh, indeed - I'm not denying the usefulness of Gentoo in a sociological way (along with Debian in particular, but Red Hat and SuSE too in some areas). What I'm protesting is the rash of "midbies" banging on about how l33t they are for building their distro from scratch, but then wasting everyone's time trying to get dialup PPP working using some GUI that's unique to their system and that they haven't integrated properly (for example).

    --

  15. Re:Have you tried Gentoo's Emerge on Manage Packages Using Stow · · Score: 1

    [flame mode="high"]
    I've seen an increasing tendency for folks to use Gentoo, and I've also seen a rise in a set of problems; firstly, that even if we're both nominally running the same set of packages, it's not always possible to support each other as the packages in question (and the libraries they depend upon) may have been compiled with different options. Secondly, some Gentoo users are switching on all sorts of optimization flags ("because anything compiled with -O6 will run faster!!!") without being aware of the problems that can be caused by mis-compilation (buggy gcc or buggy application, I don't care).

    Just as I learnt my chops using an early version of Slackware, it probably is worthwhile to play around with Gentoo at some point. But unless you're prepared to manage the complexity (and most Gentoo users I've run across aren't) then I can't see how it can be recommended for general purpose use.
    [/flame]
    --

  16. Re:Tempest Radiation on Why Does a Screen Re-Draw Make Noises? · · Score: 1
    I know you're having a laugh (or are you? ;-), but contrary to expectations, some modern TFT LCDs are actually worse than CRTs (see page 8).

    --

  17. Re:Crappy hardware on Why Does a Screen Re-Draw Make Noises? · · Score: 1
    I always make ASUS, GigaByte and Intel my first recommendations, and they're what I've been using myself for the last six years or so. I've never been burnt by instability issues, and I've generally had pretty good upgrade experiences.

    Then again, I'm not an overclocker or a gamer, so price/performance isn't the most important factor for me.

    I tried using a Super Socket 7 ECS board once, and it didn't work out at all well. This was to upgrade my first PC which came with an ECS board, and which sucked at least as hard.

    I'd like to be able to recommend Tyan as they do some unusual high-end boards that don't seem to have any competitors, but I haven't seen any in the UK.

    Some folks I know have used ABIT and A-Open boards and got on alright with them, but they're mostly Windows gamers, so they probably wouldn't notice the kinds of instability issues that I get upset about.

    Recently, lots of small-scale white-box assemblers have been trying to convince me that they've had no end of problems with ASUS and GigaByte boards, but I'm reassured to see someone from a Tier 2 disti back up my gut feeling. I suspect that these smaller places probably don't take much notice of anti-static guidance and confuse stability for robustness to abuse.

    --

  18. Re:Pah, I'll believe it when I see it... on UK to "get serious" About Renewable Energy · · Score: 1
    I happen to believe that nuclear power can be used safely, but isn't right now because it isn't seen as a priority. Additionally, as I see it, the main reason for the nuclear power plants we do have is to generate fissionable material for our weapons programme, rather than to generate energy - that comes as a side effect.

    Oh, incidentally, nuclear waste from two local nuclear installations passes within 500m of my front door (and has done for ~40 years). I've also lived in between the UK's two atomic weapons establishments for ~6 years. Safety can certainly be improved, but it doesn't worry me enough to move either. Maybe I'd think differently if I lived downwind of Sellafield.

    But that's getting away from my point; that not enough is being done to ensure that in the long term, a combination of energy conservation and alternative energy sources can be relied upon for a secure energy supply. The way things are going, it looks as though the UK is heading for California-style blackouts soon, in a mirror image of the way the rail service has fallen apart.

    --

  19. Re:Pah, I'll believe it when I see it... on UK to "get serious" About Renewable Energy · · Score: 1
    Literally billions of dollars per year are spent on this research. This might not be enough, but I would like to know how much you want to be spent on this.

    I have no idea, not being a fulltime energy policy geek. But there's a saying regarding pensions that "if it doesn't hurt, you're probably not saving enough". My gut feeling is that funding for renewable/alternative energy sources probably works the same way. For comparison, how much is spent annually on R&D into and securing conventional energy sources?

    My fear is that if we leave it too late, we'll find that we don't have enough in the way of conventional energy reserves to build the systems required to extract energy from alternative sources. Then we'll be really screwed.

    --

  20. Pah, I'll believe it when I see it... on UK to "get serious" About Renewable Energy · · Score: 2, Insightful
    ...especially seeing as this is only a week after this story about how "the government has abandoned its target to produce a fifth of the UK's electricity from renewable sources by 2020".

    Fossil fuels are causing many problems (environmental, foreign policy in the middle east), nuclear is politically incorrect and subject to NIMBYs and not enough investment is being made into renewable/alternative sources of energy. Duh. Does anyone see the problem with this picture?

    --

  21. GNU.FREE - Heavy-duty Internet Voting on Computer Scientists Rally for Reliable Voting System · · Score: 2, Interesting
    It seems as though a lot of work has been put into GNU.FREE, a package to enable Internet voting. I find it particularly interesting that the lead developer has essentially abandoned it after coming to the conclusion that Internet voting cannot be done in a way that's sufficiently safe enough to be entrusted with our democracies (or whatever they are these days...)

    --

  22. Re:How to get it? on Red Hat Advanced Server Gets DoD COE Certification · · Score: 2, Informative
    Not for gratis, but a US$60 download as the Advanced Server Developer Edition

    --

  23. Re:Let's not overreact here... on Unreal Security Hole · · Score: 1
    In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software.

    That may be the case, but how many employees run the clients on their employers' networks? Quite a few, I'd wager. Each of those clients is a potential entry point for an intruder to exploit and do who-knows-what.

    Expect to see security officers/network admins clamping down harshly on folks running "unapproved" applications, such as games. Yes, even on the techies. I've been suspicious of multi-player network games for some time, and this event confirms my concerns.

    My only hope is that the blackhat community haven't been aware of this for the year or more that some security researchers have been. I'm not optimistic though. This also demonstrates why full disclosure is important - if those security researchers had disclosed when they found out, people could have abandoned Unreal-based games until a fix was released, as opposed to continuing to run dangerous client software and leaving themselves exposed without even knowing it.

    --

  24. frist posd! on Review of PCV-W10 Desktop by Sony · · Score: -1, Offtopic

    Blah.

  25. Hogwash on Packet Level Virus Scanning Network Appliances? · · Score: 2, Informative
    Sounds like you want Hogwash - it's based on the Snort Network IDS, but instead of just reporting suspicious traffic, it drops it. Note that this differs from just coupling a NIDS with a firewall, as most of those solutions are susceptible to DoS attacks by spoofing attacks from the upstream router, or key DNS servers (they usually block *all* traffic from "attacking" hosts, not just the offending packets).

    --