Slashdot Mirror


User: silas_moeckel

silas_moeckel's activity in the archive.

Stories: 0 · Comments: 2,989

Comments · 2,989

  1. Re:You're missing the point on When Should a Consultant Question Decisions? · · Score: 1

    Contractors finish the job and move on; they are by definition temps. Just other people doing their assigned tasks. Now if they are a Consultant then they need to speak up. I only do Consulting work because of this distinction (that and the pay rate :) If your input is not desired then you're just playing code monkey because one of the resident ones was too busy or doesn't have the optional tail like you :P Consultants come in to lend their experience and expertise, one of the reasons I find 20 year olds and fresh college grads looking for consulting work so funny: they have no experience to lend to a project.

  2. Re:BitTorrent not working well on Snag the Red Hat 9 ISOs, via Cash or BitTorrent · · Score: 1

    Hrm, I'm getting 116k down and 170k up, on a wifi connection mind you, but that goes to a network with about 180 megs a sec of free incoming bandwidth.

  3. Not new on Personal GPS in a Mobile Phone · · Score: 2, Informative

    Um, I have seen and used the Nextel i88 that has built-in GPS with directions, so how is this new?

  4. Re:Mirror currently available info! on US Declassifications Delayed. Infrastructure Classification to follow? · · Score: 1

    If something is classified then it now becomes a crime to mirror the data. And we're talking a jack-booted Homeland Security breaking down your door sort of crime. A government has a valid need to keep things secret. Now with that being said, we do still need balance, and this looks like nothing more than keeping things in the closet during a war.

  5. Re:Double-edged sword? on Hacker Leaks Unreleased CERT Reports · · Score: 1

    That's a pretty flawed analogy. It would be more correct to say they released the report and some people started looking for cars with those child seats and crashing into them for fun and profit.

    The big reason to release vulnerability information is to allow other security measures to be taken to mitigate the problem. If you're relying on a single layer of security then that is your problem and not the fault of the rest of the world that has a proper multi-layer defence. Take DOS attacks: some people stop them at the host. This isn't very efficient and it can be expensive. Now most of the time I configure the IDS or the firewall or the host to block the DOS packets and to forward to a response machine that can send up a null route community via BGP, so I'm not billed for that data as I never see it on my leased lines and peering connections. This is something important as it keeps my networks safe and congestion free.

    Let's look at a vulnerability like, say, OpenSSH. Now, that came out. I allowed SSHv2 to my boxes; since I couldn't patch them fast enough I blocked SSH at my routing edge, and those that needed remote access were instructed to use a VPN then use SSH, mitigating the issue while the patch was rolled out. This layering approach meant I was able to keep a valuable but now vulnerable service running while testing for vulnerable machines and allowing direct access to the patched machines.

    If you're running a single box on the end of a flat rate T or DSL you might not care about getting these layers in place, but in my eyes it's morally wrong for the majority that doesn't care enough to implement real layers of protection to force those that do to remain ignorant of the problem.

  6. Re:serial ATA rox! on Serial ATA Drives Mature and Get Faster · · Score: 2, Interesting

    SCSI is more expensive mostly due to the amount of QA done on the drives compared to IDE. Now that being said, you can find reasonably priced drives on the internet, granted nowhere close to the cheapness of IDE. SCSI still wins out due to protocol differences in a system with lots of random disk IO. SATA is nice but is really still limited to drives built into the case, and did they get hotswap built into that spec??? It's one thing to down a workstation to swap out a raid drive; it's entirely another thing to shut down a server to do so. Even with SCSI disks in an 18 month old datacenter the techs are swapping out failed HDs weekly, but there are over 1000 servers on site.

  7. Re:What about planes?? on U.S. May Reduce Non-Military GPS Accuracy · · Score: 1

    Yea, they probably have GPS on in a civilian noncommercial plane. But 100 meters isn't going to matter much when you're talking about reaching your destination; then ILS will generally be there to get you to the runway. This is something simple: DO NOT RELY on GPS, it's a navigation aid, not a replacement for a competent and awake navigator. There are also a slew of localized systems that do the same thing for shipping etc.

  8. Re:Only fast forwarding through ads on Study Finds Tivo Less of a Threat to Advertisers · · Score: 1

    That's funny, a 30 sec FF is an easter egg on the TiVos, and considering most TiVo owners would seem to be a little resourceful they have probably googled for the code.

  9. Re:Redundancy on MySQL A Threat to Bigwigs? · · Score: 1

    Actually, running Parallel Server with Oracle's shim you can pretty much remove hardware and not notice it; at least this worked very well on an SP cluster running Parallel Server under AIX. We lost a node and didn't notice anything on the things connected to them.

  10. Re:These seem cool on Children Of Dune Tonight · · Score: 1

    Funny, showed up under Children for me with a DirecTV series 2.

  11. Re:These seem cool on Web Server Packed into RJ45 Connector · · Score: 1

    OK, so they can throw a little box into your network. Now how do you mitigate? Well let's see, first things first: why should your firewall allow just anything to go out the door? Even simple encrypted passwords would lock down general inet access. Now yea, some automated things need to run etc etc etc; force them through logging proxies. Don't you have a log of what ports are supposed to be active??? Get some control over your internal network, svlans at least, assuming you're on a Cisco network.

  12. Re:Servers on 100mbps Fiber Service To Your Door · · Score: 1

    Actually the cheap stuff is 30 a month for a 100 meg commit and good bandwidth is under a hundred, and if anybody quotes you over 200 for IP bandwidth not delivered in the US on a 200 meg commitment, laugh at them, as even Sprint, AT&T and UUNet can get down to that level (traditionally the highest priced providers). Now if you're an ISP that's in a lit city, say any of the top 13 NFL cities (don't ask me why but that's where providers nearly always are, but I don't watch football anyway). Even here in Connecticut you can get most providers from Stamford or Hartford and backhaul yourself.

  13. Re:Here's a shot on Serial SCSI Standard Coming Soon · · Score: 1

    Let's not forget cable lengths, especially with differential. We're talking about a LOT of drives on a server; it's pretty normal to have at least one external chassis on a file server with say 14 disks attached. ATA only goes 18 inches or some such vs SCSI that's rated in meters. From the looks of this it's a step backwards, or we're moving to Fibre Channel for the external stuff and relegating SAS to internal expansion of low end servers (a lot of my high end servers don't contain any disks).

  14. Re:Simple policy on Bad Behavior on the 'Net - Who Pays the Bandwidth Bill? · · Score: 1

    Even better, only request the ports that you require be open. This isn't as hard as it sounds, and no, it's not censorship if you're requesting it.

  15. Reality on Bad Behavior on the 'Net - Who Pays the Bandwidth Bill? · · Score: 1

    OK, I work with routers all the time. In general you always pay on PtP circuits and burstables. Hosted environments with IDSs in place etc etc, it's up to them as they claim to have protection in place. Now with this being said, 95th percentile billing gives you 36 hours to deal with the problem before it's on your bill; during that time you need to be proactive. Slammer is a special case as most sensible ISPs turned off that port, period, as it affected their routers as well (that nasty netflow bug in the GSR oversubscribed GigE cards). 5 of the ISPs that I consult at still have the port blocked in general with openings on a request only basis.

  16. OK lets get real on Router Holes in BGP Threaten Net · · Score: 3, Informative

    This is only an issue on badly configured routers. As for spoofing, we have md5 sums and source address verification, so that would require you to figure out the shared key while generating all sorts of logs on the end router. BGP works with low TTLs (generally 1 or specified higher) so you can only get packets in, never responses, unless you share a subnet, and most BGP links are on PtP lines. OK, that pretty much takes care of spoofing.

    Next, router takeovers: they can happen, especially as people aren't using proper separate management networks. This is a straight security thing. Next, except between tier 1 is there a full trust relationship; tier ones don't trust their clients, they filter all prefixes not owned by the client, generally requiring the client to email them to allow out a new announcement. So you really have to break into a tier one's routers to pop up a new announcement; at best you can funnel traffic to that netblock from people that are relatively close to that tier one. This will show up on just about everybody's radar screen as it's a netblock advertised by 2 AS numbers; that's generally a no-no or some moron that insists they NEED to be redundant but isn't big enough to get their own IP block or AS (Joe corporate does not need their own AS for as much as they want one, there are 65k of them to go around; get a good IPP to host your corp site and deal with multi-directional NAT for the rest). Now you could take over the advertisement for a whole AS. Now this AS is going to start getting calls from perturbed individuals who can't get to here etc etc etc, go visit a looking glass, see the new advertisement and call up that ISP's NOC to get things settled out. BGP has a lot of problems but we need our routing protocols doing crypto like a hole in the head. Oh yea, anybody worth a grain of salt has started null routing all the bogons (addresses that shouldn't be advertised; the spammers used to love those). It's clean, it's easy and you can do it automatically via a slew of services or by hand; new /8s don't go out that often and some of the services are even working on non-allocated sections of /8s as well.

  17. Re:I think I know what the new driver will be. on Internet Traffic Still Growing Quickly · · Score: 1

    It's funny, I built all of this 3 years ago at a failed startup. Wonder why it failed? The big networks couldn't get their content away from the affiliates due to some binding arbitration that said affiliates had rights to the content over the internet as well for their contract area. You know how hard it is to deal with finding out exactly where somebody is at the time they view content on the internet without some unhackable hardware shim with GPS? Servers have gotten cheaper and encoding racks have gotten cheaper (it used to take 12 dual PIII 800s to encode 2 formats in 3 different VBR streams redundantly at about 10 grand a pop). Multicast is nice but the major carriers don't want to make it work between them and it can't be assumed to work until IPv6 (it's required to under IPv6). It's the question of getting content people want to watch (that million viewer network needed 100,000 people watching 4 hours a day to break even).

    Codecs have gotten better and bandwidth has increased. 500 kbit a sec streams look pretty good if encoded properly (read 2 pass), as in VHS but different artifacts. 1 megabit, which most DSL boxes could deal with, would be nice, but in reality the best way to get multicast working in the near run for this is DSL to the TV delivered to their POPs via a sat multicast; this could be a great service add-on for a telco.

  18. Re:the benefits of 64bit processors? on Linus Has Harsh Words For Itanium · · Score: 2, Informative

    Hrm, I'm running at least 2 on a workstation (4 512 meg sticks) and as much as I can cram into a server (PIII servers have 1 gig chips cheap enough). C'mon, a modern video card has 128 megs of RAM on it; with the exception of Rambus, RAM is cheap comparatively. Run under Linux and RAM can be one of the largest speedups out there. I run about a 1 gig used memory heap on my workstation and another 2 gigs that ends up being drive cache for a mid size SCSI raid, and that cache makes all the difference in the long run.

  19. Re:Is this really a surprise? on PCGen to Charge for Data Files · · Score: 1

    E-Tools, their tool, is the worst investment in RPG kit I ever paid for. It's stuck in the basic book set; OK, I can deal with this. It's overly complicated and not being expanded as promised with new material. The second ed computer gear was much more usable even with its simple PDF searching, as that's probably the nicest feature that each of them are missing.

    Now with this being said I still like 1st and 2nd Ed better, but I can do simple math in my head and THAC0 makes a decent amount of sense to me.

  20. Re:no, wrong direction /Compaq been there already on BIOS' Days Are Numbered · · Score: 1

    Compaq already has had everything you're talking about in their Remote Insight boards: they fully redirect the console, can deal with virtual floppies and CD-ROMs and even have their own power as an option. It has its own NIC and pretty much looks like a server class video card (although I think 8 megs of RAM is a bit much for a server card but hey).

    Now the things I would like to see are better serial interface, and open bios has provided this on Sum hardware at least (C'mon, it's like 2 IO pins to deliver 9600 baud serial to a management port, and serial port servers are cheap).

  21. Re:Reasonable expectations? on EU Agrees to Give Passenger Data to U.S. · · Score: 1

    More importantly, you don't have a reasonable expectation of privacy at ANY time coming into a country. Remember it's legal for them to strip search you randomly. (OK IANAL etc etc etc)

  22. Re:Ask your Mom... on Baby Bell Deregulation Bill Fails To Pass In Kansas · · Score: 2, Interesting

    Am I the only one that thinks the last mile bits need to be fully deregulated? Let the state / town own the lines and lease them out individually to telcos at their expense to repair and maintain them. Now failing this, as it has a lot of issues, here in CT I know it costs the same wholesale to get a DSL line as the constantly on sale price from the telco, and they throw in a DSL bridge. Now they have so-so SBC bandwidth and a bad habit of having upstream network problems (they are NOT multi-homed); my old ISP was significantly better but can't touch SBC's prices as they have no markup. And oh yea, in 2 years SBC has determined that there is a problem with one of my DSL lines but refuses to fix it (retraining on ring) besides a new DSL bridge. Now granted truck rolls are expensive, but c'mon, they should be REQUIRED to fix a malfunctioning line.

  23. Re:Remember the good old days... on Penny Black Project Investigates Sender-Pays E-mail · · Score: 1

    Unfortunately this doesn't work. Working with ISPs that send thousands of emails an hour, this would just increase the load on those servers. Spammers make money directly with the mail; they won't mind picking up a few hundred PCs to mail from, but that's a big cost to an ISP.

  24. Re:SMTP is too ingrained on Penny Black Project Investigates Sender-Pays E-mail · · Score: 1

    You could just expand SMTP like has been done before. If the capability to authenticate, micro pay etc was added in in such a way that didn't break old versions, that gives people the ability to migrate, then turn off old non generation X clients or even better severely limit their ability to send mail.

    Authentication isn't that hard: user name and password backed by RADIUS, like nearly all the dial-in and PPPoE connections are handled now. This makes trust relationships easy to set up etc and it's not something new for the ISPs.

    Removal of random relays: not allowing outgoing SYNs to destination port 25 is pretty easy, and smart hosts are easy as well. This lets you still get all the incoming email you want with your own server etc but says no, you must authenticate to leave the ISP. If something gets sent along with this, as in an appended header, again it's easy enough to trace. Yea, this does make it suck when the ISP's mail server goes down, but hey, if you're that worried then you have a backup ISP, right? Use that one (this is starting to sound like UUCP).

    Throw in some crypto, say a PGP signing with the public keys stored in a DNS record to make it easy. This means the headers can be signed and we can reject anything that failed that test.

    Hrm, what do we end up with? A decent solution for a few years from now; the sooner it gets started the sooner we get less spam.

  25. Re:Closed-Source? on Computer Scientists Rally for Reliable Voting System · · Score: 1

    Ah, but right now the voter can look at the system; it's intended to be as transparent as possible with oversight by the parties involved. Closed source stops some of that. There is nothing wrong with this; they don't have to license the code for redistribution, just publicly available source protected by copyright.