I do sympathize with those who like to run webservers on their home systems. I'm always torn on these issues. For one, most users running servers are doing so quite innocently, but OTOH if the contract says no servers, they have every right to block port 80, especially when there's such a good reason.
This reminds me of the port 25 issue. I used to get so mad when an ISP would block outgoing mail, but with the massive amount of spam I receive each day, I almost think more ISPs should block port 25...
BTW, -1 Redundant, that doesn't make sense considering it was one of the first comments posted... or is it that someone disagrees with me, and modded me down unfairly?
- Jman
It's about time... (on Code Redux) · Score: 0, Redundant
I agree that cable users are causing the most damage from what I can see. I wish Road Runner (Time Warner Cable) would cut off port 80 as well. I'm logging thousands of attempts from other RR users on my firewall.
My webserver is also logging in the hundreds, mostly from various cable and DSL users. Personally I think it would be nice if they could re-enable port 80 on request for those who actually need it, but unless you're a business customer, I would think blocking port 80 temporarily would be for the greater good...
BTW, visiting most of the Road Runner IPs I'm logging, most of them don't have a page up at all. I get an IIS error about there being no "default" page... IOW, I suspect these users have no idea that they're even running IIS, much less that they're infected. Others show a page saying that too many connections are open (is this some sort of artificial limit in IIS, which depends on the license you've purchased, or is it actually an overload condition? Or an OS limitation?)
It seems like the cable networks should let their users know (this could easily be automated: "Dear Customer, you are infected with Code Red, go here...")
Besides, these people are killing my ping times in UT:)
PPPoE is no less "always-on" than DHCP. With DHCP, you must obtain an IP using a DHCP client. The only real difference is the perception that DHCP is automatically there, only because most DHCP client implementations obtain the IP on boot, where PPPoE (or PPP in general) is initiated later, when needed.
IMO, when ISPs advertise "always-on", I believe they are more referring to the fact that you don't have to dial in (which takes a lot longer, is subject to busy signals etc), and that you don't really have any reason to disconnect. This still applies with PPPoE, just as DHCP.
It's still always there, and both take about the same amount of time to get connected, give or take a couple seconds. If you were to place a shortcut to your connection in your 'Startup' menu (or create an init script in Linux, etc), you'd have the very same "always-on" perception.
After switching from ADSL (PPPoE) to Cable (DHCP), I personally have noticed no difference at all. In both cases, a startup script takes care of the connection (with DHCP, it's /etc/sysconfig/network-scripts/ifcfg-eth1, before it was /etc/rc.d/init.d/adsl -- neither of which make any difference to me).
I haven't yet seen a good argument as to why PPPoE is such a bad thing. Five minutes of re-configuring your PC or firewall box, and you won't know or care that PPPoE is there.
As has been pointed out, you can't have literal '/' or '?' in the username portion of the URL (that before the @)... I didn't realize this before, so it does make it a little more difficult.
Using %-encoding would work for hovering over the link, but not what's shown in the address bar of the browser after the link is clicked.
On another note, something else the article mentioned was DNS spoofing. One quick way to do that would be to sign up at some large ISP to host "passport.com", and hope that the signup process is automated. Then, for users of that ISP (or rather for users of their name servers), passport.com would resolve to your webserver, assuming that ISP uses the same DNS servers for both authoritative and non-authoritative requests.
Of course, this would be difficult to pull off, but I'm sure with some creative thinking it could be done. I've seen domains resolve to the wrong host many times due to similar tricks (intentional or otherwise). We once had "firefly.com" (coincidentally an MS-owned domain) in our DNS thanks to automated signups for domain hosting; luckily, we only served authoritative requests (we were a webhost, not an ISP).
Before switching to Cable (only due to lower cost), I had ADSL with PPPoE for over a year. I never once had a problem with PPPoE. I logged in with FreeBSD originally, then switched to Linux. I'm not sure I see the issue with PPP, it's really only used for authentication purposes I would imagine...
Can someone clarify why PPPoE is an issue? I'm pretty sure any OS can handle it (as can some stand-alone DSL routers, etc), and I don't think there's any associated performance hit involved. I personally stayed connected (with same dynamic IP) for months at a time.
I'll second that it's damned fast. All around, I'm quite impressed with this browser. I've pretty much used only IE on Windows and Konqueror under Linux, but for once I'm impressed with Mozilla.
As for Flash, personally I disabled ActiveX in IE anyway. Hm, just checked out a Flash site in Mozilla, seems the plugin is there (and working), must have carried over from some Netscape version I have lying around:) No crashes, either, but I'll probably still disable it (and no doubt it won't pop up a box every time I hit a Flash site like IE does...)
I'm going to surf around for a while, see if this might be worth switching to...
It looks too much like IE's "The page cannot be displayed" error page to me... where's the navigation? All I have is Refresh, Back, and something about detecting my net settings...
OTOH, it is a much cleaner interface -- no more Fr1st P0sts and no more green tables!
Oh, wait... maybe running out of coffee this morning was a bad thing...
- Jman, with another shameless attempt at humor...
I ordered a pizza from Papa John's (via Food.com) a while back. I figured that since I do most everything online, it only made sense to give it a try.
It turns out that Food.com, based in some other state (I forget where exactly), places a long distance call to my local Papa John's and places the order. I had assumed they'd get a fax/printout/email, but no, a human places the order via phone.
Naturally, given my luck, they botched the address. Papa John's explained the process to me when I called 2 hours later asking about my order... and ever since, I decided it was just so much easier to call.
Of course Papa John's doesn't use Food.com anymore (last I checked anyway)...
Of course last month, Code Red started with just a few infected machines and built up to some incredible number. At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there.
If I'm not mistaken (which is likely), I thought only machines with the date set incorrectly could spread it initially. Then, once other machines are (re)infected, they would spread it like normal... Thus, this time around, still, a relatively small number of machines are initiating the infection.
Add to that, last time it had only 7 days to spread; now we have a full 20 days. But this is also negated by the fact that the infection rate started to top off sometime within that 7 days anyway, at which point you simply have a bunch of sick people coughing on each other (bad analogy?). They're wasting precious air, but the rest of us are immune or vaccinated anyway.
Hopefully a good number of vulnerable machines are patched this time. Having an NT webserver in the first place is bad. Having an unpatched NT machine after a month's notice of a hole is very bad; having an unpatched NT machine NOW is grounds for a hanging. But I digress...
So far since last night, I've only logged 2 unique attempts each for two IPs, and 4 on my home (dynamic) IP. Last time, in 7 days, I logged about 30 uniques per IP per day, starting on the 13th (it didn't really fluctuate much for me).
Ah, try VMWare if you get the chance... and you ever need to run something in Windows when your primary box is Linux. It's a fantastic program.
I actually downloaded it a few days ago, and can't quite get it working on my notebook. I'm already set up dual-boot, and tried to boot my existing Win2k installation under vmware, but vmware crashes before I get to the "Choose Hardware Profile" (I followed the FAQ, including setting up a second hardware profile under Windows)...
I can boot my other Linux partition though, and there are some power management issues (especially on a notebook) in the FAQ that I haven't gotten around to messing with yet...
I'll probably muck with it later, right now I'm fighting with RPM (never upgrade 'rpm' itself using 'rpm --nodeps...' -- or should that be don't log in and play as root after a few beers?:)
For now, dual boot (with Win2k's Hibernate) works decently enough...
Personally I don't think it's an issue of copyright at all. Other posters brought up some good reasons, and I tend to agree with that part - no copyrights are being violated when a client-side program alters the HTML (but of course IANAL).
The problem I have is this: Your average AOL user probably won't know that the yellow links are not part of your page. It will appear that your site is advocating the products or services being advertised (linked to). A lot of new users assume that a linked page is part of the same site, or that the current site is somehow associated. Remember when MS had a warning message whenever you'd click an external link on their site a few years ago? Warnings are always there for a reason (but that was damned annoying).
From the article I get the feeling that a user isn't informed as to what the links are, or that the software was even installed without really reading through the install messages (users are used to clicking "OK" "I AGREE" "Install the damned thing already!")
Imagine if your own website was linked to something you (as the webmaster) are against or otherwise object to (say, RedHat.com linking to Microsoft.com wherever you see the word "Operating System"). This false impression is what is wrong with the system, much like that whole Smart Tag thing.
Besides all of that, secretly installing something that mucks with web pages, hiding the details, and apparently making no effort to inform the user that this is happening -- is yet another issue I have with this.
Insert RedHat CD (substitute your favorite distro)
Make sure BIOS is set to boot from CD
Forget about any MSN/AOL icons
More seriously though, this is one of the reasons I stay away from OEM machines. Whether I intend to run Windows, Linux, or *BSD, I'll buy (or download) the OS and install it myself.
Now, getting back to the point, the average user who would even consider using MSN or AOL isn't sophisticated enough to delete icons. They don't format hard drives or configure operating systems, and these are the very people those icons are targeted toward. Replacing an MSN icon with an AOL icon can easily mean the loss of an MSN customer. Don't forget we're talking Compaq PCs here, too... same target users...
Now, as for whether MS should be allowed to do this, I am a little bit torn... Someone used the grocery store analogy earlier, but there are many cases where this applies.
In general, if you resell someone else's product, you can't modify it unless you have an agreement with the original company. Generally you will only find this on non-proprietary products. You won't find Intel chips resold under another name.
I don't think I'd want someone reselling my OS after removing my ISPs ads, and replacing them with ads for a competing ISP. Whether it's legal or wrong or whatever, I'm sure I'd do the same in their position... I won't say I agree with MS, but in this one particular issue, I can at least understand their concern.
What happens when you get a sample of some General's voice and then use a synthesiser to call up the poor kid on guard duty and get him to let a bunch of terrorists enter the base?
If Sideshow Bob could do this without a computer at an air show, and get away with a (dud) nuclear weapon, just imagine what one can do with a computer.
But seriously, I'm sure it doesn't work like that in the real world. I'm sure it would take more than a simple phone call...
Unless one could hack into the Red Phone (if that really exists)...
Say you find a show (obPlug: Whose Line Is It Anyways) that you enjoy. You set it to record. Say they cancel the second episode each night, and replace it with something else. You're no longer taping it, since it's not Your Show. You'll notice it eventually, but the first few weeks are key to see whether a show will survive.
Assuming the network keeps their listings updated, the Tivo will do the right thing. The only time I've seen the Tivo get it wrong is when a football/baseball/whatever game runs long -- I've missed more than one Futurama over this...
But a scheduled lineup change won't affect PVRs.
Having had a Tivo for over a year now, I've gotten really good with the remote, and I pretty much never watch commercials. Most networks do put their logo on the bottom, and sometimes Comedy Central puts a large, annoying ad covering the bottom 25% of the screen (in particular "That's My Bush" ads showing on South Park a while back -- extremely annoying).
I almost always know what channel I'm watching, but I do skip commercials. I don't use the Tivo for that reason primarily -- being able to pause/delay/replay live TV, and watch shows I wouldn't normally be around to watch, are the reasons I bought it (plus, it runs Linux). Skipping commercials is just a bonus.
I don't watch that much TV, but those couple hours I do watch per day are much higher quality when I can pick and choose what will be available to me, rather than having to deal with whatever happens to be on at that time.
I'm not sure I see it this way. It seems to me that using the office PC/network is no different than using the office phone/line. If you make personal calls (toll or otherwise), management will certainly want to know about it. They may or may not want to monitor such calls, and while that is pushing the limit in my book, it seems that it should be their right. Maybe disclosure on this policy should be required though.
So with monitoring/restricting your 'net access, it's their equipment/bandwidth, and I don't see why they shouldn't be allowed to monitor what you do. Reading your email is, again, borderline (IMO), but still, maybe with proper disclosure, it should be their right.
Now, as for the issue of creating distrust and causing other problems in the workplace that another poster mentioned, I fully agree. Really, if an employee needs to be monitored, he or she probably doesn't need to be there at all. Then the rest of us can read/. when appropriate without worrying about it.
With that said, I wouldn't work for a company with such strict policies, or for one who monitored such activity. That's my right, I don't have to work there if I don't like their policies -- just as it should be their right to *have* such policies, if they can get anyone to work for them. I'm not disagreeing that this type of monitoring sucks, I'm only disagreeing about whether the company has the right to monitor such activity.
You make a good point. Outlook by default adds everyone you reply to to your Address book, which means if you "reply with REMOVE in the subject", you've added the spammer to your address book.
So Aunt Dawn now forwards the message about the virus that will blow your PC speakers and melt your CDROM to her entire address book, complete with your address and the spammers in the CC line...
Of course generally SPAM reply addresses don't go anywhere, but I'm sure some go to a bot that verifies that you have a valid address.
...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are compromised each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box compromised in less than a week.
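An added example of the triage the post above describes (my code, not anything Jman posted): it reads ipchains kernel log lines in the 2.2-kernel syslog format, groups denied packets to the NetBIOS ports by source address, and flags sources showing the three-packet pattern the post mentions (second packet 2 seconds after the first, third 1 second later). The log lines, host name, addresses and timestamps are constructed; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ipchains "Packet log:" line as written by syslog. Only the fields up to
# the destination port are captured; the flag fields after them are ignored.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

NETBIOS_PORTS = {137, 138, 139}  # name, datagram and session services

# Constructed sample log (not real traffic). 192.0.2.10 stands in for the
# firewall's own address; the 198.51.100.x sources are made up.
SAMPLE_LOG = """\
Aug 14 22:01:10 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.17:1036 192.0.2.10:139 L=48 S=0x00 I=51234 F=0x4000 T=117 SYN (#5)
Aug 14 22:01:12 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.17:1036 192.0.2.10:139 L=48 S=0x00 I=51235 F=0x4000 T=117 SYN (#5)
Aug 14 22:01:13 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.17:1036 192.0.2.10:139 L=48 S=0x00 I=51236 F=0x4000 T=117 SYN (#5)
Aug 14 22:03:40 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.88:2111 192.0.2.10:80 L=48 S=0x00 I=777 F=0x4000 T=113 SYN (#7)
Aug 14 22:05:00 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.42:1025 192.0.2.10:139 L=48 S=0x00 I=9001 F=0x4000 T=120 SYN (#5)
Aug 14 22:05:02 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.42:1025 192.0.2.10:139 L=48 S=0x00 I=9002 F=0x4000 T=120 SYN (#5)
Aug 14 22:05:03 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.42:1025 192.0.2.10:139 L=48 S=0x00 I=9003 F=0x4000 T=120 SYN (#5)
Aug 14 22:09:31 fw kernel: Packet log: input DENY eth1 PROTO=17 198.51.100.201:137 192.0.2.10:137 L=78 S=0x00 I=3 F=0x0000 T=110 (#4)
"""


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # harmless because only differences between timestamps are used.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def netbios_probes(log_text):
    """Group timestamps of DENYed packets to NetBIOS ports by source address."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["target"] == "DENY" and rec["dport"] in NETBIOS_PORTS:
            by_src[rec["src"]].append(rec["ts"])
    return by_src


def retry_signature(timestamps, gaps=(2, 1)):
    """True if a source sent exactly len(gaps)+1 packets spaced by `gaps` seconds.

    The default (2, 1) is the pattern from the post: three attempts, the
    second 2 seconds after the first and the third 1 second later.
    """
    if len(timestamps) != len(gaps) + 1:
        return False
    ts = sorted(timestamps)
    deltas = tuple(int((b - a).total_seconds()) for a, b in zip(ts, ts[1:]))
    return deltas == tuple(gaps)


def summarize(log_text):
    """Return (number of unique NetBIOS sources, sources matching the pattern)."""
    probes = netbios_probes(log_text)
    matching = sorted(src for src, ts in probes.items() if retry_signature(ts))
    return len(probes), matching


if __name__ == "__main__":
    count, pattern_hits = summarize(SAMPLE_LOG)
    print(f"{count} unique NetBIOS sources; retry pattern from: {pattern_hits}")
```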
I fully agree that it's sad we must protect ourselves against thieves. Sad but true.
My problem is with people using that as an excuse for not protecting themselves. You certainly wouldn't leave the keys in your car, saying "I shouldn't have to take the keys out. Stealing is illegal and wrong!" It's true you shouldn't have to; but you do have to. Nobody said life was fair.
Likewise, one shouldn't run executable code on their computer that was blindly mailed to them. Doing so is asking for trouble. A tiny bit of education goes a long way, and it doesn't take much. Remove the keys, lock the doors, arm the alarm. Likewise, don't run attachments. Don't use mail programs that run attachments automatically. With a minimal amount of effort, an average PC user can avoid most any virus infection.
The default settings in Outlook (as an example) could be better. Some cars' doors automatically lock. Some alarms automatically arm. Some seatbelts are automatic.
BUT, just because your particular car doesn't automatically lock doesn't mean you can blame the manufacturer when it gets stolen. It might mean that next time you're car shopping, you look for these features; or, it might mean that you remember next time to lock the doors. In either case, you learned something.
But I've already taken this analogy way too far, I promise to stop now;)
Let's expand your analogy a bit. Getting hit by a virus is like getting your car stolen. So yes, the criminal is at fault in both cases. What I don't agree with is that you, the car owner, have no responsibility to prevent theft. In both cases preventative measures could have been taken, knowing that your valuables are at stake.
You can't just use a weak protection, and hide behind a law in hopes that the legal aspect of it will protect you <cough>CSS</cough>.
Outlook is like a shiny new car with no alarm and a very simple lock. It's a very popular car, and like the 1986 Camaro it is a commonly stolen car. Put it on the internet, and you just parked it in a very bad neighborhood. Sure, if it's broken into, the thief is the one at fault. At the same time, however, you could have done more to avoid the situation (as could the car manufacturer). Maybe with better locks or an alarm system, the 12 year old car thief would have moved on to an easier target. The determined thief would have to work much harder to get your car.
If you are unwilling to take some responsibility by, say, getting an alarm system, you shouldn't be parking your car here. Likewise, if the car manufacturer doesn't want to learn how to prevent theft or break-ins, they shouldn't be making cars. Or at least we shouldn't buy them. Especially when everyone else has the same damned car and it runs like shit (Outlook, not the Camaro;)
It doesn't allow static IPs, which is a pain.
Sure it does... Just like any PPP connection, you can specify an IP address or choose to automatically assign one. I had ADSL through Sprint for over a year; for a fee, they did offer static IPs, which still used the PPPoE protocol for authentication.
- Jman
The article mentions the possibility of one registering pasport.com (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this:
https://www.passport.com/very/long/path@evilhacker.com
Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at evilhacker.com. Everything before the '@' is ignored, and the user will simply see a long passport.com URL in the address bar. The browser actually connects to evilhacker.com.
So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...
As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.
Overall, I think the article makes a very good analysis of the problems in Passport (or really any central login system).
- Jman
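An added check (my code, not from the post or the article) showing where a client that splits URLs per RFC 3986 actually connects for the URL quoted above, both as written with literal slashes and with the slashes %-encoded as the later reply discusses; a mail or proxy filter can apply the same split to flag links whose userinfo decodes to something hostname-like. Only the URL from the post is used; nothing else is assumed.

```python
from urllib.parse import urlsplit, unquote


def analyze_url(url):
    """Report which host a client would really connect to for `url`.

    Inside the authority ("//...") everything before the last '@' is
    userinfo, not the host. A literal '/' ends the authority, so when a '/'
    comes before the '@', the '@' is already part of the path and the first
    name is the real host. %-encoding the slashes keeps them inside the
    authority; then the trusted-looking prefix becomes userinfo and the
    real host is whatever follows the '@'.
    """
    parts = urlsplit(url)
    userinfo = unquote(parts.username) if parts.username else None
    # Userinfo that decodes to something containing a dot looks like a
    # hostname, which is the pattern a filter wants to flag for review.
    deceptive = bool(userinfo) and "." in userinfo
    return {
        "connects_to": parts.hostname,
        "userinfo": userinfo,
        "deceptive": deceptive,
    }


# The URL from the post as written (literal slashes), and the same URL with
# the slashes %-encoded so they stay inside the authority component.
LITERAL = "https://www.passport.com/very/long/path@evilhacker.com"
ENCODED = "https://www.passport.com%2Fvery%2Flong%2Fpath@evilhacker.com"

if __name__ == "__main__":
    for url in (LITERAL, ENCODED):
        print(url, "->", analyze_url(url))
```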
Actually you don't need 'cat' or 'wc' here. This works for me, and gets all of my domains/IPs in one swoop:
grep -c default.ida\?XXX /home/*/logs/access.today
Or for gzipped files:
zcat /home/*/logs/*.gz | grep -c default.ida\?XXX
- Jman
I only started on Linux with RH 6.1, and I had DSL at the time. I've since had 6.2, 7.1, and FreeBSD 4.3, and I've spent a total of about $5.00 in blank CDs. I also have several TurboLinux CDs that I haven't looked at yet. Seems one came with every LinkSys product I've bought...
;)
:(
OTOH, I have Win98 and Win2k, both purchased (I tend to stay away from OEM PCs), and I paid the MS tax when I bought my notebook. It came with ME, which I booted only briefly, then partitioned/formatted.
Approximate comparison (recent years only):
MS OS's: $300-$400
Free OS's: $5.00 (for the blank CDs)
This doesn't even count MS Office 2000, Visual Studio, SecureCRT, and many many other things that are included/can download for free with Free OS's...
As long as we aren't counting bandwidth/time spent downloading/compiling kernel updates...
I will admit that I have spent FAR more time learning how to do things in Linux/FreeBSD than I would in Windows. To me it's well worth it, but that's me. I hate when my OS hides things from me, even if it means I have to learn how to do things instead of them happening automatically.
But most users aren't like that.
- Jman
Add to that, last time it had only 7 days to spread; now we have a full 20 days. But this is also negated by the fact that the infection rate started to top off sometime within that 7 days anyway, at which point you simply have a bunch of sick people coughing on each other (bad analogy?). They're wasting precious air, but the rest of us are immune or vaccinated anyway.
Hopefully a good number of vulnerable machines are patched this time. Having an NT webserver in the first place is bad. Having an unpatched NT machine after a month's notice of a hole is very bad; having an unpatched NT machine NOW is grounds for a hanging. But I digress...
So far since last night, I've only logged 2 unique attempts each for two IPs, and 4 on my home (dynamic) IP. Last time, in 7 days, I logged about 30 uniques per IP per day, starting on the 13th (it didn't really fluctuate much for me).
- Jman
Ah, try VMWare if you get the chance... and you ever need to run something in Windows when your primary box is Linux. It's a fantastic program.
...' -- or should that be don't log in and play as root after a few beers? :)
I actually downloaded it a few days ago, and can't quite get it working on my notebook. I'm already set up dual-boot, and tried to boot my existing Win2k installation under vmware, but vmware crashes before I get to the "Choose Hardware Profile" (I followed the FAQ, including setting up a second hardware profile under Windows)...
I can boot my other Linux partition though, and there are some power management issues (especially on a notebook) in the FAQ that I haven't gotten around to messing with yet...
I'll probably muck with it later, right now I'm fighting with RPM (never upgrade 'rpm' itself using 'rpm --nodeps
For now, dual boot (with Win2k's Hibernate) works decently enough...
- Jman
Personally I don't think it's an issue of copyright at all. Other posters brought up some good reasons, and I tend to agree with that part - no copyrights are being violated when a client-side program alters the HTML (but of course IANAL).
The problem I have is this: Your average AOL user probably won't know that the yellow links are not part of your page. It will appear that your site is advocating the products or services being advertised (linked to). A lot of new users assume that a linked page is part of the same site, or that the current site is somehow associated. Remember when MS had a warning message whenever you'd click an external link on their site a few years ago? Warnings are always there for a reason (but that was damned annoying).
From the article I get the feeling that a user isn't informed as to what the links are, or that the software was even installed without really reading through the install messages (users are used to clicking "OK" "I AGREE" "Install the damned thing already!")
Imagine if your own website was linked to something you (as the webmaster) are against or otherwise object to (say, RedHat.com linking to Microsoft.com wherever you see the word "Operating System"). This false impression is what is wrong with the system, much like that whole Smart Tag thing.
Besides all of that, secretly installing something that mucks with web pages, hiding the details, and apparently making no effort to inform the user that this is happening -- is yet another issue I have with this.
- Jman
- Insert RedHat CD (substitute your favorite distro)
- Make sure BIOS is set to boot from CD
- Forget about any MSN/AOL icons
More seriously though, this is one of the reasons I stay away from OEM machines. Whether I intend to run Windows, Linux, or *BSD, I'll buy (or download) the OS and install it myself. Now, getting back to the point, the average user who would even consider using MSN or AOL isn't sophisticated enough to delete icons. They don't format hard drives or configure operating systems, and these are the very people those icons are targeted toward. Replacing an MSN icon with an AOL icon can easily mean the loss of an MSN customer. Don't forget we're talking Compaq PCs here, too... same target users...
Now, as for whether MS should be allowed to do this, I am a little bit torn... Someone used the grocery store analogy earlier, but there are many cases where this applies.
In general, if you resell someone else's product, you can't modify it unless you have an agreement with the original company. Generally you will only find this on non-proprietary products. You won't find Intel chips resold under another name.
I don't think I'd want someone reselling my OS after removing my ISP's ads, and replacing them with ads for a competing ISP. Whether it's legal or wrong or whatever, I'm sure I'd do the same in their position... I won't say I agree with MS, but in this one particular issue, I can at least understand their concern.
- Jman
What happens when you get a sample of some General's voice and then use a synthesiser to call up the poor kid on guard duty and get him to let a bunch of terrorists enter the base?
If Sideshow Bob could do this without a computer at an air show, and get away with a (dud) nuclear weapon, just imagine what one can do with a computer.
But seriously, I'm sure it doesn't work like that in the real world. I'm sure it would take more than a simple phone call...
Unless one could hack into the Red Phone (if that really exists)...
- Jman
Say you find a show (obPlug: Whose Line Is It Anyways) that you enjoy. You set it to record. Say they cancel the second episode each night, and replace it with something else. You're no longer taping it, since it's not Your Show. You'll notice it eventually, but the first few weeks are key to see whether a show will survive.
Assuming the network keeps their listings updated, the Tivo will do the right thing. The only time I've seen the Tivo get it wrong is when a football/baseball/whatever game runs long -- I've missed more than one Futurama over this...
But a scheduled lineup change won't affect PVRs.
Having had a Tivo for over a year now, I've gotten really good with the remote, and I pretty much never watch commercials. Most networks do put their logo on the bottom, and sometimes Comedy Central puts a large, annoying ad covering the bottom 25% of the screen (in particular "That's My Bush" ads showing on South Park a while back -- extremely annoying).
I almost always know what channel I'm watching, but I do skip commercials. I don't use the Tivo for that reason primarily -- being able to pause/delay/replay live TV, and watch shows I wouldn't normally be around to watch, are the reasons I bought it (plus, it runs Linux). Skipping commercials is just a bonus.
I don't watch that much TV, but those couple hours I do watch per day are much higher quality when I can pick and choose what will be available to me, rather than having to deal with whatever happens to be on at that time.
- Jman
When in doubt about a TLD, try http://nic.tld and see what comes up ;)
It is in fact Christmas Island: http://www.nic.cx/
- Jman
I'm not sure I see it this way. It seems to me that using the office PC/network is no different than using the office phone/line. If you make personal calls (toll or otherwise), management will certainly want to know about it. They may or may not want to monitor such calls, and while that is pushing the limit in my book, it seems that it should be their right. Maybe disclosure on this policy should be required though.
So with monitoring/restricting your 'net access, it's their equipment/bandwidth, and I don't see why they shouldn't be allowed to monitor what you do. Reading your email is, again, borderline (IMO), but still, maybe with proper disclosure, it should be their right.
Now, as for the issue of creating distrust and causing other problems in the workplace that another poster mentioned, I fully agree. Really, if an employee needs to be monitored, he or she probably doesn't need to be there at all. Then the rest of us can read /. when appropriate without worrying about it.
With that said, I wouldn't work for a company with such strict policies, or for one who monitored such activity. That's my right, I don't have to work there if I don't like their policies -- just as it should be their right to *have* such policies, if they can get anyone to work for them. I'm not disagreeing that this type of monitoring sucks, I'm only disagreeing about whether the company has the right to monitor such activity.
- Jman
You make a good point. Outlook by default adds everyone you reply to to your Address book, which means if you "reply with REMOVE in the subject", you've added the spammer to your address book.
So Aunt Dawn now forwards the message about the virus that will blow your PC speakers and melt your CDROM to her entire address book, complete with your address and the spammers in the CC line...
Of course generally SPAM reply addresses don't go anywhere, but I'm sure some go to a bot that verifies that you have a valid address.
- Jman
...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are compromised each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box compromised in less than a week.
- Jman
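The three-attempt NetBIOS pattern Jman describes (a retry 2 seconds after the first hit, then another 1 second later, all to DENYed ports) is the kind of thing worth checking for automatically rather than eyeballing. Below is an added example, not code from the comment above or from the ipchains project: a small Python script that parses syslog lines in the classic ipchains "Packet log:" layout (the exact field layout is assumed from memory of that format), groups hits on the NetBIOS ports by source address, and flags sources whose hit timing matches the described pattern. The hostname, addresses and timestamps in the sample log are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ipchains "Packet log:" syslog layout. The layout is
# assumed from the classic kernel log format; hostname, IPs and times are made up.
SAMPLE_LOG = """\
Jul 21 03:14:15 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1031 198.51.100.7:139 L=48 S=0x00 I=21040 F=0x4000 T=116 SYN (#5)
Jul 21 03:14:17 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1031 198.51.100.7:139 L=48 S=0x00 I=21297 F=0x4000 T=116 SYN (#5)
Jul 21 03:14:18 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1031 198.51.100.7:139 L=48 S=0x00 I=21554 F=0x4000 T=116 SYN (#5)
Jul 21 04:02:09 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.44:2345 198.51.100.7:139 L=48 S=0x00 I=3301 F=0x4000 T=110 SYN (#5)
Jul 21 05:30:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.99:4000 198.51.100.7:21 L=48 S=0x00 I=9 F=0x4000 T=52 SYN (#7)
"""

# Month, day, time, host, then the ipchains fields we care about: chain, target,
# interface, PROTO=, src:sport, dst:dport. The rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

NETBIOS_PORTS = {137, 138, 139}


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_port) for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; a fixed year is assumed so hits can be ordered
        ts = datetime(2001, MONTHS[m["mon"]], int(m["day"]),
                      *map(int, m["time"].split(":")))
        events.append((ts, m["src"], int(m["dport"])))
    return events


def netbios_probes(events):
    """Group NetBIOS-port hit times by source IP, sorted in time order."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        if dport in NETBIOS_PORTS:
            by_src[src].append(ts)
    for src in by_src:
        by_src[src].sort()
    return by_src


def matches_retry_pattern(times, gaps=(2, 1)):
    """True if the hits are spaced exactly like the described pattern:
    len(gaps)+1 attempts, with the given number of seconds between them."""
    if len(times) != len(gaps) + 1:
        return False
    observed = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return observed == list(gaps)


def summarize(text):
    """Return {src_ip: (hit_count, matches_pattern)} for NetBIOS probes."""
    probes = netbios_probes(parse_log(text))
    return {src: (len(ts), matches_retry_pattern(ts)) for src, ts in probes.items()}


def unique_sources(text):
    """Number of distinct source IPs that hit a NetBIOS port (the per-day
    'uniques' count mentioned in the comment, for whatever span the log covers)."""
    return len(netbios_probes(parse_log(text)))


if __name__ == "__main__":
    for src, (n, patt) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} hits={n} retry-pattern={'yes' if patt else 'no'}")
    print("unique NetBIOS sources:", unique_sources(SAMPLE_LOG))
```

Feed it a real ipchains log with `summarize(open("/var/log/messages").read())`; sources flagged with the retry pattern are candidates for the same scanner or worm, while single hits are more likely one-off scans. The regex deliberately ignores the trailing fields so minor differences in kernel output do not break parsing.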
I fully agree that it's sad we must protect ourselves against thieves. Sad but true.
;)
My problem is with people using that as an excuse for not protecting themselves. You certainly wouldn't leave the keys in your car, saying "I shouldn't have to take the keys out. Stealing is illegal and wrong!" It's true you shouldn't have to; but you do have to. Nobody said life was fair.
Likewise, one shouldn't run executable code on their computer that was blindly mailed to them. Doing so is asking for trouble. A tiny bit of education goes a long way, and it doesn't take much. Remove the keys, lock the doors, arm the alarm. Likewise, don't run attachments. Don't use mail programs that run attachments automatically. With a minimal amount of effort, an average PC user can avoid most any virus infection.
The default settings in Outlook (as an example) could be better. Some cars' doors automatically lock. Some alarms automatically arm. Some seatbelts are automatic.
BUT, just because your particular car doesn't automatically lock doesn't mean you can blame the manufacturer when it gets stolen. It might mean that next time you're car shopping, you look for these features; or, it might mean that you remember next time to lock the doors. In either case, you learned something.
But I've already taken this analogy way too far, I promise to stop now.
- Jman
Let's expand your analogy a bit. Getting hit by a virus is like getting your car stolen. So yes, the criminal is at fault in both cases. What I don't agree with is that you, the car owner, have no responsibility to prevent theft. In both cases preventative measures could have been taken, knowing that your valuables are at stake.
;)
You can't just use a weak protection, and hide behind a law in hopes that the legal aspect of it will protect you <cough>CSS</cough>.
Outlook is like a shiny new car with no alarm and a very simple lock. It's a very popular car, and like the 1986 Camaro it is a commonly stolen car. Put it on the internet, and you just parked it in a very bad neighborhood. Sure, if it's broken into, the thief is the one at fault. At the same time, however, you could have done more to avoid the situation (as could the car manufacturer). Maybe with better locks or an alarm system, the 12 year old car thief would have moved on to an easier target. The determined thief would have to work much harder to get your car.
If you are unwilling to take some responsibility by, say, getting an alarm system, you shouldn't be parking your car here. Likewise, if the car manufacturer doesn't want to learn how to prevent theft or break-ins, they shouldn't be making cars. Or at least we shouldn't buy them. Especially when everyone else has the same damned car and it runs like shit (Outlook, not the Camaro
Just ask your insurance company...
- Jman
EBG-13 Qrpbqre va yrff yvarf bs Crey guna QrPFF:
ge/[n-mN-M]/[a-mn-zA-MN-Z]/;
-Wzna
(bx, V xabj gung jnf purnc...)