I have one of these and they *rock*. The problem with mine now is it's age, let's see, it came with a P5-90, so that's what, five-six years old? It's filthy, some of the QWERTY keys are starting to go and the space bar is already somewhat loose in its mounting. Naturally, I've been looking for a replacement and the best I've come up with so far is some of the more advanced Cherry keyboards and PI Engineering's rather cool looking PS/2 Stick Keys. Can anyone add to the list?
The quickest way is probably to use SpamHaus.org. Go to the site, click on "SBL" at the top and enter the IP address where the spam originated from the the SMTP headers in the appropriate query box. If they've an entry for the IP then they'll probably have all the contact information on the spammer you could possibly need, and if they have a ROKSO (Registry of Known Spam Operators) record as well then that may also include the name of his dog (I kid you not!)
Frankly, I've always wondered why they didn't adopt this approach in the first place. Not only would it have avoided all the issues with privacy that people get all worked up about, but has the potential to be extended to third party apps too. All you would need is a local database of vendor/server(s) to tell the local client which server to go to for your updates which could be ammended by any software during it's install process. There is an issue with re-pointing a vendor's update server to another offering a trojan disguised as a patch, so you'd need a security mechanism, but apart from that...
Hell, since this is Microsoft we're talking about, they could have even *sold* the back-end update server software to the third parties and made a few more dollars for Bill to roll around in.
This surface can be moved around, painted on, etc. without breaking.
Give's a whole new meaning to the term "water colour" doesn't it? I don't think we're going to see any of these "paintings" in any Earth-side art galleries any time soon though, although it does give the ISS inhabitants something to stick to their fridge with magnets along side their kid's efforts I suppose.;)
Replacing the PC architecture was one of the early selling points of Windows NT, wasn't it? Look at our shiny new OS - it runs on your existing Intel PCs, but when you need more power you can upgrade to more powerful systems running on DEC's Alpha CPU. Only you can't, because no one really bothered to port their applications, even when all that was required was a recompile, and so the Alpha foundered and the inferior x86 architecture marched on.
Of course, if you want real hardware agnosticism, there is always Linux isn't there? That runs on 64 bit CPUs, in 64 bit mode right now, and should be ready to work on AMD's Hammer right from launch. The big gamble for Intel is, can it afford to be late to the party? Intel certainly seems to think so, but I think that the Hammer is going to end up on more desktops than they expect, unless AMD sets the price of entry too high.
Could you possibly be more general? Seriously, you are going to need to give people a better idea of your network setup unless you only want general answers on this, most of which will be moot in you environment.
That said, there are *plenty* of approaches to the problem of killing KaZaA (and KaZaA Lite), but they rather depend on the network infrastructure. You certainly need to filter the standard ports used by the program, and forcing all port 80 traffic through a filtering proxy server nay be of use. Also, P2P in general seems to need a fair amount of UDP traffic - depending on your setup it might be possible to restrict that to just those ports you require.
No, it's a very reasonable one. Yes, you still need to patch, use non-blank SA passwords and the other things you suggest, but if you have an SQL server (any SQL server) directly visible to the Internet then you are either a fscking moron or have a very abnormal circumstance. A database server is a backend server, and should be completely hidden from the Internet by not one but two layers of firewalls.
Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):
Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.
Some of these networks can quite easily be different ports on the same physical firewall, but I'm limited by ASCII. Alternatively, if you have no backend servers, that segment can obviously be omitted altogether.
Firewall rulesets can, and should, apply to outbound as well as inbound traffic and allowing traffic to flow cleanly accross multiple firewalls should be limited as much as possible. At a pinch, you could put your backend servers (if any) directly on the internal LAN, and get by with a single, three port firewall, but this should be the absolute minimum setup if you are hosting connections from the Internet. Sticking a two port firewall between your network and the Internet is simply not good enough anymore.
With resonable DMZ capable firewalls available for less than $500, either as a dedicated box, or old PC running the open source apps of your choice, there is no fiscal reason for even the smallest of companies not to be secure. As ever, the real reason is lack of a clue when it comes to matters of security.
No, not another duplicate Slashdot story, but I seem to recall a story about another young Irish student who had developed a "revolutionary" encryption engine a while back. That was largely all claim and no solid documentation as well, and what has become of her efforts since then? Not much, not even a single update.
Why am I thinking this is just another one of those snake-oil web speedups that does lots of caching and pre-emptive downloading of pages on the off chance you are going to view it? I'll be taking this story with a large pinch of salt for now I think.
I've been thinking about this for a while as well. There are plenty of open source projects that are highly innovative, producing patentable methods that any self respecting corporate IP lawyer would be drooling all over. It doesn't matter that software patents are a bad idea, they are here and are probably not going to go away, so we might as well start to fight the system from within.
In the corporate world, patents are usually held and owned by the company for whom the actually inventor works, not the inventor themselves. For many freelance open source developers working without the umbrella of a corporate master, why not make that company the EFF or GNU for example? The admin of the patent, and any licensing fees (only chargeable for commercial products of course), goes to the EFF/GNU, maybe with a percentage to the original innovator.
If nothing else, the sheer irony of seeing the likes of Microsoft indirectly funding the development of Linux because some spotty geek happened to invent something first would make it all worth while.;)
I think you missed a point (or I have) as the "distribute the PDF by email..." bit is a bit vague - what does "the PDF" mean, exactly? The text of the article submitted as a PDF, or a PDF of the pages actually in the printed Magazine? There's a big difference.
What I think Nature is saying is that you retain copyright of the article, and presumably any illustrations you submitted, but Nature retains copyright of the layout and any illustations they added. This seems perfectly fair to me, provided that it does indeed mean that I could post the ASCII representation, or even my own layout, of my article to all and sundry.
There is also the "fair use" issue of photocopying articles in publications of course, but that's another point, and the restrictions there are pretty well known.
There is a very simple way of stopping this kind of irritant from bothering the clueless who can't configure their perimeter security properly. It's called having their upstream ISPs drop traffic to and from the NetBIOS' ports on their routers by default. Is this a good idea, though? Maybe, maybe not. I'll certainly kill the pop-up spam intendeded for the ISP's customers dead in it's tracks, but it establishes a couple of precidents that can only cause problems further down the road, such as ISPs taking over responsibilty for customer security from the customer. In the case of ISPs like AoL that already have "we control your online experience" writ large in their advertising spiel, then this might be worthy of consideration. For traditional ISPs that essentially just provide connectivity this would almost certainly be the start of slippery downhill slope though. Who gets to decide what should be on the Internet and what should not?
Telnet? Vulnerable to password sniffing and you should be using SSH! FTP? Same as Telnet! SMTP? Drowing in spam! HTTP? Swamped with porn!...
What is needed (as ever) is customer education, and if the customer doesn't see the problem then that's not going to happen, is it? The ISP where I work sells the option of having a basic stateful firewall on the CPE router that stomps on this kind of thing as a managed / one-off service. It's not intended as a dedicated firewall replacement, it's intended as a first pass at cleaning up incoming and outgoing traffic for SMEs. Essentially, we determine with the customer what traffic they may need to pass and simply drop the rest, hopefully giving some customers a better idea of security in the process. It's good for us, because it's dropping the number of customer network compromises we have to deal with and it's turning into quite a respectable revenue stream. It's good for the customer, because it's protecting them from some hostile traffic on the Internet and they feel safer for it. The most important thing is to make sure that the customer doesn't get the "I've got a firewall, so I'm safe" mentality (back to user education again).
We all know that the Internet has become a very hostile place to be since its rise to being a mass market commodity product, but ultimately ISPs are not, and should not, be held responsible for that (unless it's their servers that are stuffed). To use a tried and trusted analogy premise, that's like blaming car dealers for the increase in risk caused by the growing number of cars on the roads. A car dealer should show you the location of the controls in your new car, maybe even make sure you have a license and valid insurance, but not give you a driving test. Once you own your new car, it's up to you to make sure you drive and park safely, keep it locked, don't leave valuables on the back seat and keep it serviced. If you can't or don't do any of those things, and don't take advantage of the people who will help or do those things for you then, ultimately, who is to blame when things inevitably go horribly wrong?
Mine is currently closer to 30k, but about 20k of that comes from those rather excellent people that produce the KaZaA Lite P2P software. Skimming through the domain names in that, it's fairly obvious that most of them deserve to be sent to 127.0.0.1 and it's a good starting point if you are considering going down this route. Add in an ad-blocker, disable JavaScript and ActiveX (if applicable) except for trusted sites that need it, and surfing the net becomes surprisingly fast and even a pleasant experience again.
It's *very* easy to do this - you just make sure that no one person knows the root password(s). For example you have one person who knows the first half of the root password and another who knows the second half. Both parties write their part of the password down, put it in a sealed envelope and the two envelopes go into escrow in case of fatalities (the CEO's safe will do). Both parties must be present at, and sign off on, any changes that require root access.
Add additional safeguards as you see fit - for instance you could have two people who know one half of the password and two different people knowing the other half, or three people each knowing a third of the password, and so on. It might be inconvenient on occassion, but hey, since when has decent security not caused a little inconvenience?
IDE RAID: interesting, but not interested
on
IDE RAID Examined
·
· Score: 2
While I find IDE RAID's attempts to change the "I" in RAID back to "inexpensive" interesting, I just can't get excited about it. It smacks of being a stop gap to SerialATA drive arrays, in the same way that EISA and MCA where a stop gap to PCI. The fundamental limitations of the two drives per channel, and bundles of 40/80 pin cables just doesn't warm me up at all. I'm not even worried about the mess in the case, because you could probably tape the ribbon cables together into a chunky bundle and run vertically up the back of your drive array.
Having made the investment, I'll be wringing every last drop of sweat out of my homebuilt Linux/SCSI-160 network attached storage array thank you very much! I'm hoping that by the time that is on its last legs I'll be able to drop in a SerialATA RAID controller and a whole bunch of cheap drives to build the multi-terabyte storage array everyone will inevitably want by then.
If you convert something to sound and get used to it, you can very easily spot how it "sounds wrong" when something changes.
You can that! I had to debug some modem problems a while back, and it got to the point that I could not only tell whether it was going to connnect or not, but at what speed, just by listening to the entrain sequences. Bearing in mind that V.90 only has a limited set of frequencies it can connect at, I was either getting the right value or one of the adjacent ones *every time*.
Heh. I'd pretty much though of doing the same thing, but added dropping the frequency of the ping based on the percentage of pings dropped; high pitched rapid beeps for a decent high speed link and steady dull drone for all packets lost. I suppose you could do something with the volume as well to indicate hopcount by getting quieter as you move further away...
It depends upon what level of sophistication you are after, of course, but I've never had any problems getting things like this working with that old UNIX standby: shell scripts.
Basically, what you need to do is use a shell script to wrap around the commands you are scheduling and call the shell script from crons instead. The shell script then takes responsibility for any error handling, email/SMS/pager notifications, failover, or whatever, based on return codes and error messages etc. I've usually found that for most sites it's possible to write a generic template script and a small set of support scripts that do the notifications and what not that cover >75% of crons with no major customisation beyond the exit code "case" statement and the command to be executed.
They have screen shots of the victim's computers? They must have been windoze users [min.net], but the precident is disturbing.
Not necessarily, since it's KaZaA they are talking about. The client is Windows only, but does run through WINE on *NIX, so the majority of users probabably were Windows users. However, just because they were Windows users does not mean the boxen were compromised in any way. Try pointing a web browser at port 1214 on a box sharing files with KaZaA (http://<IP address>:1214/) and you get a nice list of all the shared files in the form of clickable links.
I *never* install dubious software without running some packet captures on a test box first! That means YOU, Microsoft.;)
Why not just look for the warchalking logos on the pavement? Actually, warchalking symbols are quite rare in the UK, but open nodes certainly aren't...;)
Typical of a Slashdor story. Lot's of people asking questions when they can find out the answer and post it in the same amount of time.
According to WHOIS, "spamarchive.org" was registered by one Guru Rajan, who has an email address at "ciphertrust.com". Also according to WHOIS, "ciphertrust.com" has the same person as technical contact and if you check the website you find they are the vendors of "IronMail: The Secure Internet Email Gateway", an established if not well known product.
In short, yes, it seem legit, and it probably took me less time to find that out than the time taken by the myriad people asking "is it legit" took to post the question.;)
Or even general location for that matter. A friend of mine did disaster recovery work for IBM after the Trade Towers attack. They had their data center in Tower 1 and their backup center in Tower 2. After six weeks of what was essentially scrabbling through rubble they managed to recover a single spindle. The company concerned became another statistic, and part of an important lesson in DR implementation; safety increases with distance.
The University of Twente's attempts to overclock the new AMD Opteron and Nvidia GeForceFX card in the same case are declared a failure. "We certainly won't be building a Beowolf cluster of these..." commented a spokesperson.
Is there a possible way to make a message be decrypted in two different ways with two different keys?
I'm not aware of any actual implementations, but it's certainly possible. All that is required for generation is to GPG the two alternate messages, stick the two bits together in an envelope and transmit. What is required is for the decryption engine to be able to determine which half of the message has been decrypted to the original and silently discarding the other half.
A fairly obvious way of acheiving this is to MD5 checksum the two plain text messages and append that to each message before encryption. Upon decrypting both parts with the available key, only one "plain text" message should match the MD5, and the other could then be safely discarded.
Of course, law enforcement isn't totally dumb and it's not going to take them long to realise that they need to ask for both keys when confronted with this kind of message. Also, there are probably issues with obstruction of justice by deliberately giving the wrong key to an authorised party. Your legislative system may vary of course...
Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
Latest version? I don't think so. BIND currently has three main code bases:
v4.x - essentially an ugly, bug ridden hack (or at least it seemed like it).
v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.
v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees.
Sure, v9.x isn't without it's problems, but all in all, it's proven to be pretty secure and stable so far.
Slashdot Mirror
I have one of these and they *rock*. The problem with mine now is it's age, let's see, it came with a P5-90, so that's what, five-six years old? It's filthy, some of the QWERTY keys are starting to go and the space bar is already somewhat loose in its mounting. Naturally, I've been looking for a replacement and the best I've come up with so far is some of the more advanced Cherry keyboards and PI Engineering's rather cool looking PS/2 Stick Keys. Can anyone add to the list?
The quickest way is probably to use SpamHaus.org. Go to the site, click on "SBL" at the top and enter the IP address where the spam originated from the the SMTP headers in the appropriate query box. If they've an entry for the IP then they'll probably have all the contact information on the spammer you could possibly need, and if they have a ROKSO (Registry of Known Spam Operators) record as well then that may also include the name of his dog (I kid you not!)
Hell, since this is Microsoft we're talking about, they could have even *sold* the back-end update server software to the third parties and made a few more dollars for Bill to roll around in.
Give's a whole new meaning to the term "water colour" doesn't it? I don't think we're going to see any of these "paintings" in any Earth-side art galleries any time soon though, although it does give the ISS inhabitants something to stick to their fridge with magnets along side their kid's efforts I suppose. ;)
Of course, if you want real hardware agnosticism, there is always Linux isn't there? That runs on 64 bit CPUs, in 64 bit mode right now, and should be ready to work on AMD's Hammer right from launch. The big gamble for Intel is, can it afford to be late to the party? Intel certainly seems to think so, but I think that the Hammer is going to end up on more desktops than they expect, unless AMD sets the price of entry too high.
That said, there are *plenty* of approaches to the problem of killing KaZaA (and KaZaA Lite), but they rather depend on the network infrastructure. You certainly need to filter the standard ports used by the program, and forcing all port 80 traffic through a filtering proxy server nay be of use. Also, P2P in general seems to need a fair amount of UDP traffic - depending on your setup it might be possible to restrict that to just those ports you require.
No, it's a very reasonable one. Yes, you still need to patch, use non-blank SA passwords and the other things you suggest, but if you have an SQL server (any SQL server) directly visible to the Internet then you are either a fscking moron or have a very abnormal circumstance. A database server is a backend server, and should be completely hidden from the Internet by not one but two layers of firewalls.
Basically, in this day and age, your setup from the Internet in to your internal LAN, should be (as a minimum):
Internet router(s) => Firewall(s) => Web servers (HTTP, mail relays, proxies, VPN termination, etc.) => Firewall(s) => backend servers (SQL, internal mail etc..) => Internal network.
Some of these networks can quite easily be different ports on the same physical firewall, but I'm limited by ASCII. Alternatively, if you have no backend servers, that segment can obviously be omitted altogether.
Firewall rulesets can, and should, apply to outbound as well as inbound traffic and allowing traffic to flow cleanly accross multiple firewalls should be limited as much as possible. At a pinch, you could put your backend servers (if any) directly on the internal LAN, and get by with a single, three port firewall, but this should be the absolute minimum setup if you are hosting connections from the Internet. Sticking a two port firewall between your network and the Internet is simply not good enough anymore.
With resonable DMZ capable firewalls available for less than $500, either as a dedicated box, or old PC running the open source apps of your choice, there is no fiscal reason for even the smallest of companies not to be secure. As ever, the real reason is lack of a clue when it comes to matters of security.
Never mind, it's still not on The Register!
Why am I thinking this is just another one of those snake-oil web speedups that does lots of caching and pre-emptive downloading of pages on the off chance you are going to view it? I'll be taking this story with a large pinch of salt for now I think.
In the corporate world, patents are usually held and owned by the company for whom the actually inventor works, not the inventor themselves. For many freelance open source developers working without the umbrella of a corporate master, why not make that company the EFF or GNU for example? The admin of the patent, and any licensing fees (only chargeable for commercial products of course), goes to the EFF/GNU, maybe with a percentage to the original innovator.
If nothing else, the sheer irony of seeing the likes of Microsoft indirectly funding the development of Linux because some spotty geek happened to invent something first would make it all worth while. ;)
What I think Nature is saying is that you retain copyright of the article, and presumably any illustrations you submitted, but Nature retains copyright of the layout and any illustations they added. This seems perfectly fair to me, provided that it does indeed mean that I could post the ASCII representation, or even my own layout, of my article to all and sundry.
There is also the "fair use" issue of photocopying articles in publications of course, but that's another point, and the restrictions there are pretty well known.
What is needed (as ever) is customer education, and if the customer doesn't see the problem then that's not going to happen, is it? The ISP where I work sells the option of having a basic stateful firewall on the CPE router that stomps on this kind of thing as a managed / one-off service. It's not intended as a dedicated firewall replacement, it's intended as a first pass at cleaning up incoming and outgoing traffic for SMEs. Essentially, we determine with the customer what traffic they may need to pass and simply drop the rest, hopefully giving some customers a better idea of security in the process. It's good for us, because it's dropping the number of customer network compromises we have to deal with and it's turning into quite a respectable revenue stream. It's good for the customer, because it's protecting them from some hostile traffic on the Internet and they feel safer for it. The most important thing is to make sure that the customer doesn't get the "I've got a firewall, so I'm safe" mentality (back to user education again).
We all know that the Internet has become a very hostile place to be since its rise to being a mass market commodity product, but ultimately ISPs are not, and should not, be held responsible for that (unless it's their servers that are stuffed). To use a tried and trusted analogy premise, that's like blaming car dealers for the increase in risk caused by the growing number of cars on the roads. A car dealer should show you the location of the controls in your new car, maybe even make sure you have a license and valid insurance, but not give you a driving test. Once you own your new car, it's up to you to make sure you drive and park safely, keep it locked, don't leave valuables on the back seat and keep it serviced. If you can't or don't do any of those things, and don't take advantage of the people who will help or do those things for you then, ultimately, who is to blame when things inevitably go horribly wrong?
Mine is currently closer to 30k, but about 20k of that comes from those rather excellent people that produce the KaZaA Lite P2P software. Skimming through the domain names in that, it's fairly obvious that most of them deserve to be sent to 127.0.0.1 and it's a good starting point if you are considering going down this route. Add in an ad-blocker, disable JavaScript and ActiveX (if applicable) except for trusted sites that need it, and surfing the net becomes surprisingly fast and even a pleasant experience again.
Add additional safeguards as you see fit - for instance you could have two people who know one half of the password and two different people knowing the other half, or three people each knowing a third of the password, and so on. It might be inconvenient on occassion, but hey, since when has decent security not caused a little inconvenience?
Having made the investment, I'll be wringing every last drop of sweat out of my homebuilt Linux/SCSI-160 network attached storage array thank you very much! I'm hoping that by the time that is on its last legs I'll be able to drop in a SerialATA RAID controller and a whole bunch of cheap drives to build the multi-terabyte storage array everyone will inevitably want by then.
You can that! I had to debug some modem problems a while back, and it got to the point that I could not only tell whether it was going to connnect or not, but at what speed, just by listening to the entrain sequences. Bearing in mind that V.90 only has a limited set of frequencies it can connect at, I was either getting the right value or one of the adjacent ones *every time*.
Yeah, I know: Sad! ;)
Heh. I'd pretty much though of doing the same thing, but added dropping the frequency of the ping based on the percentage of pings dropped; high pitched rapid beeps for a decent high speed link and steady dull drone for all packets lost. I suppose you could do something with the volume as well to indicate hopcount by getting quieter as you move further away...
Basically, what you need to do is use a shell script to wrap around the commands you are scheduling and call the shell script from crons instead. The shell script then takes responsibility for any error handling, email/SMS/pager notifications, failover, or whatever, based on return codes and error messages etc. I've usually found that for most sites it's possible to write a generic template script and a small set of support scripts that do the notifications and what not that cover >75% of crons with no major customisation beyond the exit code "case" statement and the command to be executed.
Not necessarily, since it's KaZaA they are talking about. The client is Windows only, but does run through WINE on *NIX, so the majority of users probabably were Windows users. However, just because they were Windows users does not mean the boxen were compromised in any way. Try pointing a web browser at port 1214 on a box sharing files with KaZaA (http://<IP address>:1214/) and you get a nice list of all the shared files in the form of clickable links.
I *never* install dubious software without running some packet captures on a test box first! That means YOU, Microsoft. ;)
Why not just look for the warchalking logos on the pavement? Actually, warchalking symbols are quite rare in the UK, but open nodes certainly aren't... ;)
According to WHOIS, "spamarchive.org" was registered by one Guru Rajan, who has an email address at "ciphertrust.com". Also according to WHOIS, "ciphertrust.com" has the same person as technical contact and if you check the website you find they are the vendors of "IronMail: The Secure Internet Email Gateway", an established if not well known product.
In short, yes, it seem legit, and it probably took me less time to find that out than the time taken by the myriad people asking "is it legit" took to post the question. ;)
Or even general location for that matter. A friend of mine did disaster recovery work for IBM after the Trade Towers attack. They had their data center in Tower 1 and their backup center in Tower 2. After six weeks of what was essentially scrabbling through rubble they managed to recover a single spindle. The company concerned became another statistic, and part of an important lesson in DR implementation; safety increases with distance.
The University of Twente's attempts to overclock the new AMD Opteron and Nvidia GeForceFX card in the same case are declared a failure. "We certainly won't be building a Beowolf cluster of these..." commented a spokesperson.
I'm not aware of any actual implementations, but it's certainly possible. All that is required for generation is to GPG the two alternate messages, stick the two bits together in an envelope and transmit. What is required is for the decryption engine to be able to determine which half of the message has been decrypted to the original and silently discarding the other half.
A fairly obvious way of acheiving this is to MD5 checksum the two plain text messages and append that to each message before encryption. Upon decrypting both parts with the available key, only one "plain text" message should match the MD5, and the other could then be safely discarded.
Of course, law enforcement isn't totally dumb and it's not going to take them long to realise that they need to ask for both keys when confronted with this kind of message. Also, there are probably issues with obstruction of justice by deliberately giving the wrong key to an authorised party. Your legislative system may vary of course...
Latest version? I don't think so. BIND currently has three main code bases:
v4.x - essentially an ugly, bug ridden hack (or at least it seemed like it).
v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.
v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without it's problems, but all in all, it's proven to be pretty secure and stable so far.