Which is why you buy the afforementioned Zaurus. And oh yeah, did I mention they're almost as cheap as the Kaii's retail these days?
In fact, a friend bought his Zaurus for 265USD+tax a week ago due to some price-matching trickery, rebates, and another special at Office Depot or Office Max (I forget which).
We have a few hundred AP's on campus at UF, that cover a fairly large piece of a very large campus. The coverage map (mostly accurate) is online, as well as instructions on connecting.
The nice thing about the network here is that no mac registration is necessary. The wireless network is seperated from campus by filters that can only be broken through via VPN connection to the campus VPN server, or authenticated with their campus 'gatorlink' login. When we first developed the system, no commercial products existed to do what we needed (though today there are many); any web traffic is automatically redirected to the authentication server that allows the users to login with their campus login, and their mac is added to the auth table after a successful login. This makes the service easy to use, transparent, and compatible with just about every platform you can think of. Of course, no encryption by default if people choose to take that route, but that's why we offer the VPN as well.
I just read your article (http://www.newarchitectmag.com/documents /s=2442/n a0802g/index.html) about open relays and figured I'd email you with my experience. For my day job, I work network security (handling spam complaints, hacking, etc) for an extremely large public educational institution, so I see an extremely large number of spam complaints, spam issues and whatnot every day.
If your mail server is allowing mail to be relayed to it through the domain it advertises, it is an open relay. Period. An open relay is a relay that permits an unauthenticated, unidentified host on the network to send mail through it. Your claim that you are not running an open relay simply because you only allow mail from users on your domain demonstrates a fundamental lack of understanding of the mail protocol. The FROM field is not any kind of authorization, it's not a login, it's completely arbitrary and should never be used to allow or disallow mail except in rare cases where virii may email out with fixed FROM addresses that are known to not be legitimate.
Your mail server advertises what domain it claims to be (and likely has reverse dns to supply a spammer with the domain), therefore it's trivial for any spammer to (as the denmark organization did) simply but a from address of your domain. And are they lying? It might be interesting to note that since your mail server is sending the message, the mail ~is~ from the domain they put in the from field.
The issue is not that some anti-spammers spoofed a from field. The issue is that your mail server allows relaying of spam email. I'm sorry you see it otherwise. There are other effective ways to secure your mail server so you can travel and still have access to it, but your current 'protection' is not.
If you would like more information on how exactly you can configure your mail server to not be an open relay and still allow remote access, please feel free to respond via email and I'd be glad to help.
Historical and Cultural Analysis
on
Essential Blogging
·
· Score: 2, Interesting
I'd be much more interested in a novel that charted the historical and cultural development of the blog. I've never been too sucked in, but there is definitely a distinct and unique culture that has developed in the blogging scene. When someone is running for government office on a blogging platform, it says something. What, I'm not sure, but something.
Of course, it is easy to ridicule and mock the blogging scene, but an indepth look at it could be both honest about the shortcomings and faults, as well as the many lessons blogging has taught us. Google bombing anyone? And has anyone been more on the forefront of accessibility pages than blogs?
Maybe someone's already done this for some sort of masters thesis; if so, point out the links, I'd like to see some serious scholarship on the issue.
Yeah, I realize it is undocumented; Sharp has explicitly said that not only is it undocumented, but it will likely change too. I'd dig up the irc logs if I wasn't so dang lazy.
2) Ask and ye shall receive. Haven't tried it myself, so I can't verify it, but it's not the zesync project. Also, zesync was updated August 28, what do you mean it hasn't been updated in months?
That's true, linux cannot be the only selling factor for a device and expect it to do well.
Then again, it can be an added bonus if the other features are done well, the Sharp Zaurus being a great example. I don't own one just because it runs linux (there are a number of other linux-driven pda's), but the fact that it has a CF slot, MMC/SD slot, and a built in keyboard, all for around $350, ~and~ it's running linux all combine to make one great product.
Xscreensaver already does this. It's exactly how I have my screensaver set up at work.
Run xscreensaver-demo, flip to the Advanced tab, under Image Manipulation, change from Grab Desktop Images to either Grab Video Frames (if you have a video feed; webcam, tv card, etc), or Choose Random Image otherwise.
I have a nice selection of whacky images from my trip to China last summer constantly being rotated, blitted, and distorted when I lock my machine.
A thread on pen-test over at securityfocus has developed into an extremely well developed list of wireless security tools. The most recent thread post is archived at neohapsis, among other places, and the list of all the tools with description and license information is also online.
Not at all true. Honepots have gathered a number of very interesting exploits long before they become publically accessible on common hacking webpages. Check out the honeynet project if you don't believe me.
It stands to reason that a wireless honeynet would be just as useful for the same reasons, maybe even more since I would expect the odds of getting someone more sophisticated on a wireless intrusion are higher than random internet ip scans.
I'm suprised no one has pointed out systrace yet. Granted, it's not for linux, only OpenBSD and NetBSD at this point, but it seems to be a very promising move in the ACL world. As one other poster commented, the most difficult challenge with any heavily ACL'ed environment is configuring the ACL's and making sure you didn't miss something. It's an extremely tedious process that requires a lot of reloads until it's done right.
Systrace eliminates much (but not all) of that initial trial period with a method of analyzing processes and watching what permissions for what resources they need and generating ACL's based on 'normal' use. This interactive mode ~greatly~ simplifies the otherwise length process of configuring the kind of security modules being discussed.
I carry an ids alerted pager myself and agree very much that false positives dilute the value of actual events. However, the problem is in people's definitions of false positive. And in fact, a long winded discussion on the subject has already started and been closed on bugtraq about this.
The general idea is that an ids should alert when you are attacked. If, for example, you have a signature that detects misuse of cmd.exe against windows hosts, that is going to detect every single nimda and code-red attack you receive. Lots of 'false-positives', right? No! Those are still attacks, just not successful compromises. This distinction was not made in the story.
Does anyone know of good references that cover the security of web applications from the ground up? This is good that they appear to devote some time to security from the mysql side, but typically security flaws in web applications tend to be in the communication between the front-end and the database, or in the front-end itself. What books if any cover the entire process for security?
A good example of a computer proving a hypothesis, with a great deal of human help, of course, is the map coloring problem. The current best-case proof that the minimum number of colors required to color any map is four utilizes a brute-force approach where the solution space is broken down into a finite (but large) number of possibilities that the computer can then attack individually.
This was not the developers doing something sly. There have been a recent rash of compromised servers hosting different pieces of software, and then backdoors being configured in a similar manner in the./configure script as described in this post. Similarly hit was monkey.org where some of dug song's security tools were compromised. Google cache of dug's post.
There was another relatively famous piece of software compromised the same way recently as well. Somebody is going through some great lengths to put backdoors in the source of some good OSS. Makes you wonder how much is being missed.
So let's see, I can spend $200 on a machine that I probably wouldn't otherwise buy to watch divx movies, or I can buy a $50 dreamcast and use the divx player that's been around for a while on that. Hmm... difficult decision. Not to mention there are already emulators for ALL of your favorite old-school platforms for the dreamcast.
-jordan
Yes, 42 ~is~ old. Much older than Douglas Adams, even.
Why is Lewis Caroll (Charles Dodgson) always getting shafted? He was certainly a little off-base, but that's no reason not to honor him as the true 42 obsessee.
Umm, no. Wrong zaurus. That's the japanese zaurus; when most people refer to zaurus generically, they're referring to the SL-5500 (or the developers version which is the 5000, or the german versions of those; stick a (d) at the end of the product) There ~is~ a gameboy for the zaurus though. Just had the wrong link.
How about snes [sourceforge] for the zaurus? There's also a gameboy [killefiz.de] emulator for the zaurus, though it's quite slow as well.
I haven't tried the snes emulator, but I'd imagine it's slow too. It requires installing the x-windows environment instead of the normal Qt windowing system installed by default.
Those emulators work. I've also dumped a 'live' rom from my palmVx that worked fine as well.
Don't get your hopes up though, the speed of the emulator currently is abysmal. 5-30 seconds to register a single click. More than anything it's a demonstration that it can be done. Whether it can be done well or not will take time, and probably some lower-level programming to tell.
The differences in the palm cpu and zaurus cpu mean that just having 6x the sheer clock cycles doesn't necessarily mean you can emulate a palm with any reasonable speed.
To the post a few items down, this is a port OF an emulator. The author ported pose (the linux open source palm emulator) to the zaurus. So it's both a port and an emulator.
Slashdot Mirror
Which is why you buy the afforementioned Zaurus. And oh yeah, did I mention they're almost as cheap as the Kaii's retail these days?
In fact, a friend bought his Zaurus for 265USD+tax a week ago due to some price-matching trickery, rebates, and another special at Office Depot or Office Max (I forget which).
You forgot the preceeding line:
Excited Host Lady: Oh my gosh, this is the first live discovery of space...
Sadly, I'm not not making this up That really was a pathetic show.
We have a few hundred AP's on campus at UF, that cover a fairly large piece of a very large campus. The coverage map (mostly accurate) is online, as well as instructions on connecting.
The nice thing about the network here is that no mac registration is necessary. The wireless network is seperated from campus by filters that can only be broken through via VPN connection to the campus VPN server, or authenticated with their campus 'gatorlink' login. When we first developed the system, no commercial products existed to do what we needed (though today there are many); any web traffic is automatically redirected to the authentication server that allows the users to login with their campus login, and their mac is added to the auth table after a successful login. This makes the service easy to use, transparent, and compatible with just about every platform you can think of. Of course, no encryption by default if people choose to take that route, but that's why we offer the VPN as well.
I just read your articles /s=2442/n a0802g/index.html) about
(http://www.newarchitectmag.com/document
open relays and figured I'd email you with my experience. For my day job,
I work network security (handling spam complaints, hacking, etc) for an
extremely large public educational institution, so I see an extremely
large number of spam complaints, spam issues and whatnot every day.
If your mail server is allowing mail to be relayed to it through the
domain it advertises, it is an open relay. Period. An open relay is a
relay that permits an unauthenticated, unidentified host on the network to
send mail through it. Your claim that you are not running an open relay
simply because you only allow mail from users on your domain demonstrates
a fundamental lack of understanding of the mail protocol. The FROM
field is not any kind of authorization, it's not a login, it's completely
arbitrary and should never be used to allow or disallow mail except in
rare cases where virii may email out with fixed FROM addresses that are
known to not be legitimate.
Your mail server advertises what domain it claims to be (and likely has
reverse dns to supply a spammer with the domain), therefore it's trivial
for any spammer to (as the denmark organization did) simply but a from
address of your domain. And are they lying? It might be interesting to
note that since your mail server is sending the message, the mail ~is~
from the domain they put in the from field.
The issue is not that some anti-spammers spoofed a from field. The issue
is that your mail server allows relaying of spam email. I'm sorry you see
it otherwise. There are other effective ways to secure your mail server
so you can travel and still have access to it, but your current
'protection' is not.
If you would like more information on how exactly you can configure your
mail server to not be an open relay and still allow remote access, please
feel free to respond via email and I'd be glad to help.
I'd be much more interested in a novel that charted the historical and cultural development of the blog. I've never been too sucked in, but there is definitely a distinct and unique culture that has developed in the blogging scene. When someone is running for government office on a blogging platform, it says something. What, I'm not sure, but something.
Of course, it is easy to ridicule and mock the blogging scene, but an indepth look at it could be both honest about the shortcomings and faults, as well as the many lessons blogging has taught us. Google bombing anyone? And has anyone been more on the forefront of accessibility pages than blogs?
Maybe someone's already done this for some sort of masters thesis; if so, point out the links, I'd like to see some serious scholarship on the issue.
Yeah, I realize it is undocumented; Sharp has explicitly said that not only is it undocumented, but it will likely change too. I'd dig up the irc logs if I wasn't so dang lazy.
1) Most definitely agree; this is not news.
2) Ask and ye shall receive. Haven't tried it myself, so I can't verify it, but it's not the zesync project. Also, zesync was updated August 28, what do you mean it hasn't been updated in months?
That's true, linux cannot be the only selling factor for a device and expect it to do well.
Then again, it can be an added bonus if the other features are done well, the Sharp Zaurus being a great example. I don't own one just because it runs linux (there are a number of other linux-driven pda's), but the fact that it has a CF slot, MMC/SD slot, and a built in keyboard, all for around $350, ~and~ it's running linux all combine to make one great product.
Xscreensaver already does this. It's exactly how I have my screensaver set up at work.
Run xscreensaver-demo, flip to the Advanced tab, under Image Manipulation, change from Grab Desktop Images to either Grab Video Frames (if you have a video feed; webcam, tv card, etc), or Choose Random Image otherwise.
I have a nice selection of whacky images from my trip to China last summer constantly being rotated, blitted, and distorted when I lock my machine.
A thread on pen-test over at securityfocus has developed into an extremely well developed list of wireless security tools. The most recent thread post is archived at neohapsis, among other places, and the list of all the tools with description and license information is also online.
Are you sure? Scie---logy pulled a similar trick and had no problems doing it. Maybe the Jedi should take a hint.
I don't know, I think it's entirely likely that people will read the satirewire and not know that's exactly what it is.
Never underestimate the stupidity of humanity. If 1 person is smart, 10 are slow, and 100 are stupid, then all of mankind must be retarded.
Not at all true. Honepots have gathered a number of very interesting exploits long before they become publically accessible on common hacking webpages. Check out the honeynet project if you don't believe me. It stands to reason that a wireless honeynet would be just as useful for the same reasons, maybe even more since I would expect the odds of getting someone more sophisticated on a wireless intrusion are higher than random internet ip scans.
I'm suprised no one has pointed out systrace yet. Granted, it's not for linux, only OpenBSD and NetBSD at this point, but it seems to be a very promising move in the ACL world. As one other poster commented, the most difficult challenge with any heavily ACL'ed environment is configuring the ACL's and making sure you didn't miss something. It's an extremely tedious process that requires a lot of reloads until it's done right.
Systrace eliminates much (but not all) of that initial trial period with a method of analyzing processes and watching what permissions for what resources they need and generating ACL's based on 'normal' use. This interactive mode ~greatly~ simplifies the otherwise length process of configuring the kind of security modules being discussed.
I carry an ids alerted pager myself and agree very much that false positives dilute the value of actual events. However, the problem is in people's definitions of false positive. And in fact, a long winded discussion on the subject has already started and been closed on bugtraq about this.
The general idea is that an ids should alert when you are attacked. If, for example, you have a signature that detects misuse of cmd.exe against windows hosts, that is going to detect every single nimda and code-red attack you receive. Lots of 'false-positives', right? No! Those are still attacks, just not successful compromises. This distinction was not made in the story.
Does anyone know of good references that cover the security of web applications from the ground up? This is good that they appear to devote some time to security from the mysql side, but typically security flaws in web applications tend to be in the communication between the front-end and the database, or in the front-end itself. What books if any cover the entire process for security?
A good example of a computer proving a hypothesis, with a great deal of human help, of course, is the map coloring problem. The current best-case proof that the minimum number of colors required to color any map is four utilizes a brute-force approach where the solution space is broken down into a finite (but large) number of possibilities that the computer can then attack individually.
This was not the developers doing something sly. There have been a recent rash of compromised servers hosting different pieces of software, and then backdoors being configured in a similar manner in the ./configure script as described in this post. Similarly hit was monkey.org where some of dug song's security tools were compromised. Google cache of dug's post.
There was another relatively famous piece of software compromised the same way recently as well. Somebody is going through some great lengths to put backdoors in the source of some good OSS. Makes you wonder how much is being missed.
So let's see, I can spend $200 on a machine that I probably wouldn't otherwise buy to watch divx movies, or I can buy a $50 dreamcast and use the divx player that's been around for a while on that. Hmm... difficult decision. Not to mention there are already emulators for ALL of your favorite old-school platforms for the dreamcast. -jordan
Yes, 42 ~is~ old. Much older than Douglas Adams, even.
Why is Lewis Caroll (Charles Dodgson) always getting shafted? He was certainly a little off-base, but that's no reason not to honor him as the true 42 obsessee.
--
jordan
Umm, no. Wrong zaurus. That's the japanese zaurus; when most people refer to zaurus generically, they're referring to the SL-5500 (or the developers version which is the 5000, or the german versions of those; stick a (d) at the end of the product) There ~is~ a gameboy for the zaurus though. Just had the wrong link.
How about snes [sourceforge] for the zaurus? There's also a gameboy [killefiz.de] emulator for the zaurus, though it's quite slow as well.
I haven't tried the snes emulator, but I'd imagine it's slow too. It requires installing the x-windows environment instead of the normal Qt windowing system installed by default.
Those emulators work. I've also dumped a 'live' rom from my palmVx that worked fine as well.
Don't get your hopes up though, the speed of the emulator currently is abysmal. 5-30 seconds to register a single click. More than anything it's a demonstration that it can be done. Whether it can be done well or not will take time, and probably some lower-level programming to tell.
The differences in the palm cpu and zaurus cpu mean that just having 6x the sheer clock cycles doesn't necessarily mean you can emulate a palm with any reasonable speed.
To the post a few items down, this is a port OF an emulator. The author ported pose (the linux open source palm emulator) to the zaurus. So it's both a port and an emulator.
From outside appearances, the Symbol card looks to be the same as the Socket brand 802.11 card.
Yup, symbol/socket are rebrands. Forget who's rebranding whom, but they're interchangeable.
Yeah, hardware wise they're the same, except....
Zaurus - Built in CF slot
Ipaq - must add on expansion jacket
Zaurus - Built in SD/MMC slot
Ipaq - only on newest models
Zaurus - Built in keyboard
Ipaq - nope
To be fair...
Zaurus - only a headphonejack (built in buzzer similar to palms)
Ipaq - headphone jack and builtin speaker