Since the American government is in no way involved with this issue, your 1st Amendment is not relevant.
You might also want to consider that legislative solutions are rarely effective across borders (although you fucking imperialist asshole Americans are working on that).
Obviously you're not a sys-admin and have never worked in the field. Spam was about 25% to 27% of the email traffic on my systems. Spam cost me for the bandwidth to receive it (was about $45 / month), and for the extra disk to store it until users get around to deleting it (about $3000), and for the extra processing power to filter it for viruses (because users are too dumb not to click on the attachment) and handle big ass mailboxes.
It damages the responsiveness of the systems (leading to users bitching about slow email), and hence my credibility. I do not have the budget to throw money at the problem. I do not have the resources to build and maintain my own blackhole list. So I implemented MAPS and the spam has dropped off significantly. Users who don't like the policy can complain to their manager who can either pony up some of his own damn budget or bite my shiny white ass.
People who end up with an ISP that's blacklisted should quit bitching about the blacklist and instead tell their ISP to either clean up their act or they'll take their business elsewhere.
Briefly: spam is a problem, and we can either act together as a community to solve it (black hole lists) or wait until some moronic politician imposes a bunch of ignorant and ineffective laws that don't solve it but make it harder for people to complain.
apt came from the Debian distro, not Red Hat. Debian stable is exactly what the name implies. Running this from cron to apply patches when you're only sourcing Debian stable (and security) is not going to break anything.
If one of my users came to me with a problem report as helpful as that, I'd probably die of shock. Most of mine say stuff like "is the server down?" Which is really helpful when you run well over a hundred servers. Or my personal favourite, "is the internet down?"
Bruce Schneier of Counterpane Systems wrote an article for the IEEE Computer Society that described exactly why PPTP was a steaming pile. I think it was back around 1999.
You don't need to hack the switch. All you need to do is mess with its head. Switches operate by figuring out which computer(s) are on each port and then forwarding traffic appropriately. They mostly do this automatically by watching the traffic in and out of each port (although there are manually configurable switches which are immune to this kind of attack). If you set up some computers to lie about who they are, it'll eventually overload the switch's ability to remember which computer is where. And then it reverts to broadcasting everything everywhere, like a hub. So, no, just because most networks are switched these days doesn't mean that it's impossible to snoop.
And of course there's the issue of connecting over the net. I don't know about you, but personally I don't really trust everyone between my home box and the various boxes I admin over the net.
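A defender-side illustration of the table-exhaustion behaviour described in the comment above, added here as an example and not part of the original post. The detector below reads constructed per-port MAC-learning records (a log format invented for this example; real switches expose the same information through their MAC address table or syslog) and flags any port that shows more distinct source MACs within a short window than one host population plausibly would. The per-port address limit is the same idea a port-security setting enforces on the switch itself, which is why the manually configured switches the comment mentions are not affected.

```python
"""Flag switch ports whose learned source-MAC count is implausibly high.

A learning switch records which source MAC addresses appear behind each
port.  A host that keeps sending frames with fabricated source MACs fills
that table, after which the switch floods unicast traffic like a hub.  From
the defender's side the tell-tale sign is a single port that suddenly
"hosts" far more MAC addresses than any real host population would.

Record format (constructed for this example, not a real switch log):
    <epoch seconds> <port> <source mac>
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: two ordinary hosts (one MAC each on Gi0/1 and Gi0/2)
# plus a port, Gi0/7, that announces 20 different source MACs in two seconds.
_NORMAL = [f"{1000 + i} Gi0/1 00:11:22:33:44:01" for i in range(10)] + \
          [f"{1000 + i} Gi0/2 00:11:22:33:44:02" for i in range(10)]
_NOISY = [f"{1003 + (i // 10)} Gi0/7 02:aa:00:00:00:{i:02x}" for i in range(20)]
SAMPLE_LOG = "\n".join(_NORMAL + _NOISY) + "\n"


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Turn the constructed log text into (timestamp, port, mac) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, port, mac = line.split()
        records.append((int(ts), port, mac.lower()))
    return records


def distinct_macs_per_port(records: List[Tuple[int, str, str]],
                           window_start: int,
                           window_end: int) -> Dict[str, Set[str]]:
    """Collect the set of source MACs seen on each port inside one time window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ts, port, mac in records:
        if window_start <= ts <= window_end:
            seen[port].add(mac)
    return seen


def flag_flooding_ports(records: List[Tuple[int, str, str]],
                        max_macs_per_port: int = 8,
                        window_seconds: int = 10) -> Dict[str, int]:
    """Return {port: peak distinct-MAC count} for ports exceeding the limit.

    The threshold plays the role of a port-security address limit: a port
    with an uplink or a hypervisor legitimately carries several MACs, so the
    limit is set per deployment rather than at 1.  The window is slid over
    every distinct timestamp so a short burst is not diluted by quiet time.
    """
    flagged: Dict[str, int] = {}
    if not records:
        return flagged
    for start in sorted({ts for ts, _, _ in records}):
        counts = distinct_macs_per_port(records, start, start + window_seconds)
        for port, macs in counts.items():
            if len(macs) > max_macs_per_port:
                flagged[port] = max(flagged.get(port, 0), len(macs))
    return flagged


if __name__ == "__main__":
    for port, peak in flag_flooding_ports(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {port} learned {peak} distinct source MACs in one window")
```

On the constructed data only Gi0/7 is reported, with a peak of 20 addresses; the two ordinary hosts never come near the limit. Raising the limit above the burst size silences the alert, which is the trade-off an operator makes when a port legitimately fronts many devices.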
You're making a common assumption here: that writing software is comparable to building bridges. Last month's issue of the Communications of the ACM had a good article (registration required, but I think it's available free) by Wei-Lung Wang on the subject. He (she?) argues that writing software is more similar to the work of a mathematician than an engineer.
...engineering operates within the framework of the immutable laws of nature. These laws dictate the realm of engineering possibility, and engineers work by designing and constructing within the bounds of these laws. Their permanence and universality allow engineering principles, which signal the boundary of what is safely possible, to be established...
...Software engineering, on the other hand, has no fixed framework in which to operate... ...unlike the world of engineering, there are not immutable laws to violate... ...These implications reflect the mathematical nature of software, and are symptomatic of the limits of the engineering approach. As a mechanism for information computation, a piece of bug-free software is essentially a mathematical function in some system of axioms... ...In this light, the work of building software is a mathematical exercise within two distinct phases: the determination of the set of information requirements (the parameters of the function); and the creation of a mathematically rigorous function that meets these requirements...
Java is a nice enough programming language, and its bytecode is ok, but for a really elegant solution to the problem, check out Slim Binaries (native PDF format or Google's HTML format, Communications of the ACM, Dec 1997, Vol. 40, No. 12).
Slim Binaries not only solve the problem of compatibility between different architectures, they also allow fine-tuning of the object code towards the specific processor and operating system version that it will run on.
The basic idea is that the compiler stops after generating the parse tree and encodes that. Code generation is then done at runtime. It's similar to the idea of using bytecode for a virtual machine, except that unlike bytecode, parse trees are much easier to inspect as they are of a semantically higher level. This means that it's a heck of a lot easier to recognize (for example) IPsec crypto processing and offload it to the integrated IPsec hardware on your ethernet card without the programmer having to do the footwork involved in detecting the device.
Slim Binaries also make code verification a reasonable prospect, which is very exciting when you consider the security implications of applets and agents.
Reality check! The recent bitching about bugs in IE (Mac version) and IIS had to do with the fact that they had huge security holes in them. As you may or may not recall, Code Red and more recently Nimda have been grinding the net for the last couple of months.
Calling this bug a “showstopper flaw” is wrong and uninformed. It caused a problem with one application in one distribution that was doing something that it probably shouldn't have been doing (creating files through a dangling symlink? ugly!).
A 24 hour patch release from MS is insanely unlikely, especially for a small bug like this one. It took them months to fix the ping-o-death bug, and they didn't even fix it correctly the first time.
If Windows flaws receive greater attention than Linux flaws, it's probably because there are so many more of them and they're so much more severe.
I don't think IDG has published a book about PostgreSQL. However, hiring a dummy to build your database is probably a Bad Idea. See also below.
or nice comprehensive manuals?
The docs provided with it are pretty good (debian package postgresql-doc for local)
or 3rd party books?
"PostgreSQL: Introduction and Concepts" by Bruce Momjian (one of the primary developers), pub Addison Wesley, ISBN 0-201-70331-9.
I have this book and it's excellently written. It's targeted at the beginner to intermediate level, and serves double purpose as a reasonably handy reference. It didn't cover some of the more advanced features in the depth I would have liked.
A quick search of amazon for keyword postgresql turns up 9 other titles.
1) If your passwords are dictionary crackable you have problems even without keytiming sniffing.
You can crack a dictionary password using the WHOLE dictionary in less than 10 seconds, why should eliminating 95% of the keyspace be that valuable in this case?
Bruteforcing your way through a dictionary in 10 seconds? Perhaps if you've got a passwd file local you can bang away at this rate.
However, I suspect that if the attacker is going for a non-root password, then they don't have local access to the encrypted password. That means that the only way to test it is by attempting a connection. Which is horribly inefficient, and would set off any reasonable intrusion detection system.
I suspect that eliminating 95% of the dictionary would make a big difference in the feasibility of this form of attack.
a black list for litigious companies? (on ORBS Forks, Score: 1)
I would be very interested in a black list of companies or persons who have resorted to litigation to get off of the various dynamic blacklists. Ideally, the criteria for getting on the list should simply be
- They were at one time listed by ORB*, RBL, or a similar service.
- They used lawyers and courts to be removed from that list.
The criteria to get off the list should be
- Repayment in full of all costs which their litigation incurred on the blacklist service.
- A sincere and convincing written public apology for interfering with a publicly valuable service.
Vigilantes aren't all bad. (on Eco-Terrorism, Score: 1)
I agree that this particular "protest" is among the dumbest environmental actions I've ever heard of. However I think you're wrong in your characterization of vigilante justice. The classic image of vigilantes involves ravening hordes of ignorant southerners intent on lynching some poor innocent for the crime of offending local sensibilities. However, history tells us that this is not the case. Furthermore, we have interesting statistics which tell us that in situations where guns are fired, armed citizens are significantly less likely to shoot the wrong person than police officers.
In brief, please don't denigrate vigilantes simply because they don't belong to the formal law enforcement community.
Another way of looking at the situation is that this group is at least doing something, however misguided. Personally I take a much more constructive approach to environmentalism: riding my bike instead of driving, minimizing waste by choosing products with minimal packaging, etc.
Their solution apparently relies on encoding data (UNICODE strings by the looks of it) in a different format. This leads me to suppose that the following would be sufficient as examples of prior art. Of course "I Am Not A Leach". In approximately chronological order:
- ASCII - encodes English text into numerical representations
- uuencode/uudecode - encodes arbitrary binary data into a 7 bit ASCII representation
- PGP's ASCII armour - encodes arbitrary binary data into a 7 bit ASCII representation
The only idea worthy of patent in this entire discussion was discovered by Alan Turing quite some time ago. Everything following it has merely been competent engineering as opposed to brilliant innovation.
In related news, I have applied for a patent on a new method of wiping one's ass. I'm calling it the front to back technique. This is clearly an innovative and non-obvious solution. In light of this, I have decided to require all persons using my patented technique to submit as royalties the results of their wiping to my new company, inWalid Technologies Inc.
Is NSS based on OpenSSL? I read the web page and it isn't clear. Does the open source world really need yet another crypto library? OpenSSL has been around for several years now (although it was originally known as SSLeay, the eay for Eric A. Young, its first and primary author). It's reasonably stable and secure. I believe that Stronghold was originally based on a combination of Apache and SSLeay, although I can't offer any references to back that up. If the dependencies in Debian can be trusted, then OpenSSL (in the form of libssl0.9) is used by OpenSSH, the SSL enabled telnet stuff, some Apache stuff, and other stuff.
Is this another example of reinventing the wheel? I hope that "a new implementation of the RSA algorithm" is just another way of saying that they're not using the libraries from RSADSI as opposed to saying that they've written another (mozilla-free) version of something that already exists (apache-free) as open source. What would a new implementation provide that wasn't there before?
Can anyone think of a good reason not to use the OpenSSL libraries? I sure would like to avoid code duplication, especially when it's going to suck up RAM on my computer. Even more especially when it's something as tricky and specialized as crypto code. And what's the point of having shared, dynamically linked libraries when everyone goes and writes their own version?
Fetch me the cluebat.
rm -f -- -p
Just like every other unix. Duh.
Then you should check again. 3com's had fiber NICs since 2000, IIRC.
Which article did you read? NONE of the benchmarks in the article I read were at resolutions of less than 1024x768x32bpp.
Hell yeah! I still can't stream p0rn, even though I bought this brand new modem, and it's ALL THEIR FAULT!
You mean kinda like tasksel under debian?
dpkg --purge libc6
Create network shares on the server, and then make your hdd's read only so the lusers are forced to use them. Yes, it can be done, even on modern machines.
Suspend To Disk? Damn, that acronym's going to make for some serious false positives in my BOFH email scanning system.
Yeah, pretty tricky: apt-get install postgresql. Of course you probably believe that Mandrake is easier than Debian?
tacky, but so very American.