Yeah, Well as a UK Citizen, we signed an agreement that allowed USUK extradition.
However, the US hasn't, and won't sign their half !!!
In contract-law speak, this is called being 'screwed over'.
Blair (et al.) doesn't have the balls to revoke our ratification, despite the fact that several high-profile extradition cases have gone to the high court, and several high profile US->UK cases are just piling up, e.g. US servicemen causing in a large proportion of UK military deaths and casualties in Iraq/Afghanistan.
To quote one US airman, who had just strafed and killed solders in a UK convoy - "Man, we're going to jail.". But luckily, US laws only apply when/where they say it does.
You tail one Sukhoi, when you fire you give away your position to the rear-facing radar, and the Sukhoi pilot acquires and throws 2 missiles 'over the shoulder' at you, chaffs and flares and avoids your missile.
Now you'd better hope that you can run away before the Sukhoi gets a visual/thermal on you - because at visual range, you can't ever engage him before he engages you. ever.
What can I say, when NATO gives a plane the designation 'Terminator' ?
If a Sukhoi gets to visual with any western fighter, it's the Martin-Baker, not 'oooooh, scarey stealth' technology that's going to get exercised.
If you want proof: Check out youtube for raptor videos - "F-22 banking sharply". wooo. Do the same for the super-flanker videos: CONTROLLED FLAT SPIN !? 'Stalling flip' (I'm not even sure that there is a non-russian word for this move?)
The super-flanker family puts the pilot firmly back as the weakest link.
Exactly. Traffic is managed. I work for Virgin Media, 5m+ UK provider, and know this leading story is utter rubbish.
Transit bandwidth costs is going down ALL THE TIME, but this is small potatoes compared to the cost of infrastructure to get the data from the customer to the transit/peering points.
I know people that put in requests for 10Gig transits like they are ordering cereal boxes - it's just part of the Virgin Media success story, most customers == more transit/peering bandwidth, and more upgrades through the network to support the extra customers.
P2P is still the big player, accounting for most of the traffic, and this has helped ensure that on-demand services are never at threat - though we've never had to contend the two.
If we ever had a problem we'd just offer to host a YouTube mirror in the UK, but the expenditure would need to match the transit costs, and that's why it's never happened, and isn't likely to happen soon.
It's just a scare story - either that of Qwest have really serious problems with their business model.
Hey, trust me, a rover is just like a young and adventure-hungry student - too much autonomy is a bad thing.
The last thing we want when we finally get to the red planet, is some pregnant Martian holding a picture of 'opportunity' and saying "Is this your son?"
And didn't you go to the movies in the 60s, 70s or early 80s? Autonomous computers *always* kill people and attempt to take over the world. Those films pretty much all died out when MS-DOS got released.
Since the 'voice modem' was in existance such GUIs were around - certainly as easy as 1995. Though this was over PSTN not internet/LAN/WAM, 99% of the patent's detail is invalidated.
US patent office is a waste of time, they approve everything and let the courts sort it out.
You could patent a 'round low friction shape that spins about it's centre' I reckon....
This is an old BSD 4.4 FFS feature, IIRC, and a great one. Solaris has a similar thing too.
Rebooting and resetting attribs is only possible if the attacker can change one of the programs executed (or utilised) before the runlevel goes out of single user. Consequently if you plan to use this feature serously, you need to examine and protect every file AND DEVICE (/dev/hd* etc) that is read before going into multiuser mode, and their dependants.
This isn't actually as bad as it seems for an already tight system.
This feature also makes patching usually require a reboot, as you can live-patch, obviously.
It's well worth the effort for multiuser systems, at sites with dodgy users like students, and anywhere where jails/chroot are used, to protect the integrity of the jailed/chrooted files.
In the paper, it goes into tedious detail on the architecture and low-level operation of the application. Why do you think it does this? Because it is the application that *totally* depicts the solution, they chose lots of systems because of reliability, they made those systems "desktop class" because they didn't get much extra from using super-MP/MC systems.
It's a great article, I strongely suggest you read properly, and do what they said they did - evaluate need against what's available.
I discussed this with the MS Head of UK security (during a MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big windows but out on Tuesday', whithout aenough information to judge impact - either before or after the announcement...
I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...
MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
Ok, This takes a bit of setting up, but when done this is brilliant. If done right, you'll never get a support phone call again, and you can even use the system to ensure that everyone recieves urgent messages, e.g. "A new virus came out today, click here to download & run this patch, and then you will be allowed to continue surfing."
Step 1. Setup triggers, ideally something like Snort with extra triggers for bandwidth oveuse, large packets/second, too many of packet X, whatever. The trigger stores the IP, and kind of "triggering offence" for use in later steps.
Step 2. From the IP you have the MAC, as you own the DHCP.
Step 3. You reconfigure the DHCP so that the offending MAC gets a private IP (which you block, right?), next time they request one, and a "special" DNS server.
Step 4. You send a DHCP NACK to that IP to force them to release their IP address (+ DNS settings) and re-request them again.
Step 5. Your "special" DNS server always returns the same IP for 'A' record lookups - a special web server, also with a private address. MX lookups should also always either fail, or return 127.0.0.1, just to slow email viruses down. Now the offender types "www.google.com", but always goes to your special web server !:-)
Step 6. Your special web server says "Hi user, you have been quarentined because it looks like you have a virus! Download & install this antivirus program, anti-spyware, firewall and patches, and then your PC should be both clean of nasties, and able to use the internet. Once you've done all this you will still need to wait one hour before access is restored."
Step 7. Provide the stuff they need, as above, on the special webserver.
Step 8. Verify they have done as asked (at least downloaded the stuff, from the www logs), and if so, reconfigure the DHCP to give them normal access, after an hours ("negetive reinforcement") delay.
Really smart folk can make the returned MX lookup replies in step 5 point to a "special" email server, which runs everything through ClamAV, and logs back to the special webserver. Now the users get the message "You are infected with the XXX virus. Click here to download antivirus, bla, bla". Cute eh?
Cisco's "How to build a datacentre" should give sdome insights.
e.g. Multi-peer BGP'd address space, feeding something like a Cisco 6509, with PIX, IDS, CSS and maybe the SSL modules. A 16-port GigE could then be used for upstream and downstream links, maybe just straight into your ~10 frontend servers, ideally caching reverse-proxies, with connections to another 6509 with GigE, which connects to your content web servers. Obvious databases etc. should also hand of this stuff.
On the side of all this would be a terminal server (Cyclades are good) for "oh shit" access, and preferaably a management network, again, using a totally different switch, and a dedicated line to your Office (preferably 2, one going east, one going west).
Oh and dont' forget power - UPS for the little 30 minute glitches, and generators for really bad times. Good aircon/dust filters and also get some FM200 to make sure that the place doesn't burn to the ground.
After you've got all this, you should be away, but just like software, MEASURE and UNDERSTAND where the bottlenecks are (leased lines, network, firewall, CPU, memory, BUS, DISK, Web server, database etc.etc.) and know what you can do get 50% more out of your current solution.
Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read:-)
One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press: "Out of the Inner Circle" by Bill Landreth ( http://www.amazon.com/exec/obidos/tg/detail/-/0914 845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-306444 7-0498204?v=glance&s=books )
It's still definitive at cataloging the diffeent ""hacker"" personalities and motives.
Doh! Idiot! "This rendering a DDoS ineffective" ???? You just sent your site down the tubes!
Null routing is only any use if they are performing a resource attack against a shared resource (bandwidth, connections, CPU etc) were you can take the "hit" of loosing one entity to ensure another survives. In most cases nullrouting is useless for businesses.
While building on an old piece of Poole (Dorset, England) harbour they found a load of phosphorour barrels from WWII. Not sure if they were for grenades or flares, but storing Phosphorous next to the shore? Great idea!
Slashdot Mirror
Virgin Media has around 4.5 million and is around the joint biggest with BT, followed by Tiscali, so that's around 15m including the smaller ISPs.
Still 6m people (households) are involved in piracy? That's enough to overthrow out the government!
Statistics, damn statistics and MPAA/RIAA figures....
Yeah,
Well as a UK Citizen, we signed an agreement that allowed USUK extradition.
However, the US hasn't, and won't sign their half !!!
In contract-law speak, this is called being 'screwed over'.
Blair (et al.) doesn't have the balls to revoke our ratification, despite the fact that several high-profile extradition cases have gone to the high court, and several high profile US->UK cases are just piling up, e.g. US servicemen causing in a large proportion of UK military deaths and casualties in Iraq/Afghanistan.
To quote one US airman, who had just strafed and killed solders in a UK convoy - "Man, we're going to jail.". But luckily, US laws only apply when/where they say it does.
......nuke Redmond from orbit.
Ha,
You tail one Sukhoi, when you fire you give away your position to the rear-facing radar, and the Sukhoi pilot acquires and throws 2 missiles 'over the shoulder' at you, chaffs and flares and avoids your missile.
Now you'd better hope that you can run away before the Sukhoi gets a visual/thermal on you - because at visual range, you can't ever engage him before he engages you. ever.
Yeah right.
One word. Sukhoi.
What can I say, when NATO gives a plane the designation 'Terminator' ?
If a Sukhoi gets to visual with any western fighter, it's the Martin-Baker, not 'oooooh, scarey stealth' technology that's going to get exercised.
If you want proof: Check out youtube for raptor videos - "F-22 banking sharply". wooo.
Do the same for the super-flanker videos: CONTROLLED FLAT SPIN !? 'Stalling flip' (I'm not even sure that there is a non-russian word for this move?)
The super-flanker family puts the pilot firmly back as the weakest link.
Exactly. Traffic is managed.
I work for Virgin Media, 5m+ UK provider, and know this leading story is utter rubbish.
Transit bandwidth costs is going down ALL THE TIME, but this is small potatoes compared to the cost of infrastructure to get the data from the customer to the transit/peering points.
I know people that put in requests for 10Gig transits like they are ordering cereal boxes - it's just part of the Virgin Media success story, most customers == more transit/peering bandwidth, and more upgrades through the network to support the extra customers.
P2P is still the big player, accounting for most of the traffic, and this has helped ensure that on-demand services are never at threat - though we've never had to contend the two.
If we ever had a problem we'd just offer to host a YouTube mirror in the UK, but the expenditure would need to match the transit costs, and that's why it's never happened, and isn't likely to happen soon.
It's just a scare story - either that of Qwest have really serious problems with their business model.
Hey, trust me, a rover is just like a young and adventure-hungry student - too much autonomy is a bad thing.
The last thing we want when we finally get to the red planet, is some pregnant Martian holding a picture of 'opportunity' and saying "Is this your son?"
And didn't you go to the movies in the 60s, 70s or early 80s?
Autonomous computers *always* kill people and attempt to take over the world. Those films pretty much all died out when MS-DOS got released.
Since the 'voice modem' was in existance such GUIs were around - certainly as easy as 1995.
Though this was over PSTN not internet/LAN/WAM, 99% of the patent's detail is invalidated.
US patent office is a waste of time, they approve everything and let the courts sort it out.
You could patent a 'round low friction shape that spins about it's centre' I reckon....
Clearly, he was on the phone to his wife.
yadayadayadayada
The HP see-through 4670 (and 4650?) are great.
No idea about non-ms compatibility, but it scans a page in 6 seconds. Compared to 50+ for other scanners, it's a whizz.
This is an old BSD 4.4 FFS feature, IIRC, and a great one. Solaris has a similar thing too.
Rebooting and resetting attribs is only possible if the attacker can change one of the programs executed (or utilised) before the runlevel goes out of single user. Consequently if you plan to use this feature serously, you need to examine and protect every file AND DEVICE (/dev/hd* etc) that is read before going into multiuser mode, and their dependants.
This isn't actually as bad as it seems for an already tight system.
This feature also makes patching usually require a reboot, as you can live-patch, obviously.
It's well worth the effort for multiuser systems, at sites with dodgy users like students, and anywhere where jails/chroot are used, to protect the integrity of the jailed/chrooted files.
I guess that's what they call "twin towns" ??? :-)
The paper mentioned in the article!
Doesn't anyone read before posting?
In the paper, it goes into tedious detail on the architecture and low-level operation of the application. Why do you think it does this? Because it is the application that *totally* depicts the solution, they chose lots of systems because of reliability, they made those systems "desktop class" because they didn't get much extra from using super-MP/MC systems.
It's a great article, I strongely suggest you read properly, and do what they said they did - evaluate need against what's available.
How could you consider this even vaugely unbiased, when ZDNet have a HUGE great Microsoft advert at the top of the page ?
Sheesh.
I discussed this with the MS Head of UK security (during a MS/ISSA conference) and he nearly bit my head off. Mostly because I wouldn't back down, saying "You only confirm a problem, and release a fix when you know bad press is on the way." and followed up with "What is the point of announcing 'There is a big windows but out on Tuesday', whithout aenough information to judge impact - either before or after the announcement...
I seriously doubt that this will make any difference, except to CTOs who are getting pressure to go to Linux...
MS is a sales and marketing machine, with massive numbers of legal eagles, and a few software engineers.
Ok,
:-)
This takes a bit of setting up, but when done this is brilliant. If done right, you'll never get a support phone call again, and you can even use the system to ensure that everyone recieves urgent messages, e.g. "A new virus came out today, click here to download & run this patch, and then you will be allowed to continue surfing."
Step 1.
Setup triggers, ideally something like Snort with extra triggers for bandwidth oveuse, large packets/second, too many of packet X, whatever. The trigger stores the IP, and kind of "triggering offence" for use in later steps.
Step 2.
From the IP you have the MAC, as you own the DHCP.
Step 3.
You reconfigure the DHCP so that the offending MAC gets a private IP (which you block, right?), next time they request one, and a "special" DNS server.
Step 4.
You send a DHCP NACK to that IP to force them to release their IP address (+ DNS settings) and re-request them again.
Step 5.
Your "special" DNS server always returns the same IP for 'A' record lookups - a special web server, also with a private address. MX lookups should also always either fail, or return 127.0.0.1, just to slow email viruses down. Now the offender types "www.google.com", but always goes to your special web server !
Step 6.
Your special web server says "Hi user, you have been quarentined because it looks like you have a virus! Download & install this antivirus program, anti-spyware, firewall and patches, and then your PC should be both clean of nasties, and able to use the internet. Once you've done all this you will still need to wait one hour before access is restored."
Step 7.
Provide the stuff they need, as above, on the special webserver.
Step 8.
Verify they have done as asked (at least downloaded the stuff, from the www logs), and if so, reconfigure the DHCP to give them normal access, after an hours ("negetive reinforcement") delay.
Really smart folk can make the returned MX lookup replies in step 5 point to a "special" email server, which runs everything through ClamAV, and logs back to the special webserver. Now the users get the message "You are infected with the XXX virus. Click here to download antivirus, bla, bla". Cute eh?
Good hunting,
Dom
Gee, how many PHDs does it take.
I can just imagine the scene:
"Put that instrument it in the one on the left."
"Your left, or my left?"
"Whatever."
Maybe this is true in the US, but in Europe the rules are very, very, varied.
Cisco's "How to build a datacentre" should give sdome insights.
e.g. Multi-peer BGP'd address space, feeding something like a Cisco 6509, with PIX, IDS, CSS and maybe the SSL modules. A 16-port GigE could then be used for upstream and downstream links, maybe just straight into your ~10 frontend servers, ideally caching reverse-proxies, with connections to another 6509 with GigE, which connects to your content web servers. Obvious databases etc. should also hand of this stuff.
On the side of all this would be a terminal server (Cyclades are good) for "oh shit" access, and preferaably a management network, again, using a totally different switch, and a dedicated line to your Office (preferably 2, one going east, one going west).
Oh and dont' forget power - UPS for the little 30 minute glitches, and generators for really bad times. Good aircon/dust filters and also get some FM200 to make sure that the place doesn't burn to the ground.
After you've got all this, you should be away, but just like software, MEASURE and UNDERSTAND where the bottlenecks are (leased lines, network, firewall, CPU, memory, BUS, DISK, Web server, database etc.etc.) and know what you can do get 50% more out of your current solution.
Enjoy.
Dom De Vitto
Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read :-)
4 845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-306444 7-0498204?v=glance&s=books
One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press:
"Out of the Inner Circle" by Bill Landreth
http://www.amazon.com/exec/obidos/tg/detail/-/091
It's still definitive at cataluging the diffeent ""hacker"" personalities and motives.
Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read :-)
4 845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-306444 7-0498204?v=glance&s=books )
One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press:
"Out of the Inner Circle" by Bill Landreth
( http://www.amazon.com/exec/obidos/tg/detail/-/091
It's still definitive at cataloging the diffeent ""hacker"" personalities and motives.
Doh! Idiot!
"This rendering a DDoS ineffective" ????
You just sent your site down the tubes!
Null routing is only any use if they are performing a resource attack against a shared resource (bandwidth, connections, CPU etc) were you can take the "hit" of loosing one entity to ensure another survives.
In most cases nullrouting is useless for businesses.
OFTEL don't need to push the interception stance, because RIPA already covers it.
The US survelliance laws are _totally_ different to those of the UK.
While building on an old piece of Poole (Dorset, England) harbour they found a load of phosphorour barrels from WWII. Not sure if they were for grenades or flares, but storing Phosphorous next to the shore? Great idea!