Slashdot Mirror


User: snopes

snopes's activity in the archive.

Stories: 0
Comments: 70

Comments · 70

  1. Re:I want an invite!!!! on Hotmail Blocks Gmail Emails (and Invites) · · Score: 1

    Still willing to lend a hand to someone?

    mynospam@fightgravity.com

    Simple gratitude or a local postcard in exchange if you like.

  2. Runs fine on T40, but hosed "hidden" partition on Fedora Core Doesn't Like to Dual Boot? · · Score: 3, Interesting

    FC2 is running fine on my IBM T40, but I had to tell the BIOS to show the hidden partition. With it hidden Anaconda wanted to format the disk. Unfortunately, once I un-hid the recovery partition, installed FC2, both OS's ran fine (XP + FC2), but now the BIOS claims the recovery partition is trashed. I'm not 100% convinced that I can't do a recover since the recover GUI comes up fine, but I'm not running anything from it. The machine is running fine and the only FC2 problem for me is I'll need a custom kernel to get my suspend on cover close back.

  3. State of the art on Radar For Safer Driving · · Score: 2, Informative

    will this low-power radar system from the 1970's really help make driving safer?

    Phased arrays are still state of the art for military radar targeting systems. They are unbelievably complicated systems when designed for high-speed target tracking and I'm sure whatever was used in the 70's doesn't even compare to what is used today. While modern naval warfare systems are not going to be employed in a car, I really doubt the tech implemented will totally lack the advances made in the last >3 decades. This will be a damn cool gadget from a pure geek perspective.

    Like most tools, the effectiveness will depend on the user. Side view mirrors are highly effective, but in my experience most drivers have no idea how to use them correctly (using them to view the side of their vehicle rather than expanding the rear view provided by the center mirror).

  4. Breathe, Jamie, it's gonna be ok on Deregulation and Niagara Mohawk - Is There a Story? · · Score: 1

    What a bunch of reactionary tripe. I know this isn't supposed to be real news. I mean, it's just news for nerds and all that, but come on. Where the hell do you get off putting such ridiculous, unsubstantiated, fear mongering on the front/top of *any* news medium?

    Jamie, you really need to think and take a few deep breaths before you go posting crap like this. There's hardly any facts available as it is, but those that are available indicate technical failures. Not too surprising given it's the middle of the fsck'ing summer and a hot & humid one at that.

    Put your little tinfoil hat on and go sit in the corner until you've calmed down.

  5. Cycas on Architecture / Home Design Software? · · Score: 4, Informative

    I can't sing great praises of it, but I found Cycas to be very capable and it runs well on Linux. I was able to use it for very accurate floor plans prior to moving into my house. I traded emails with a guy that designed (and apparently built from) a new kitchen with it and was planning his dream home with it.

    However, expect a certain level of frustration learning any advanced draw program.

    It uses POVRay to render and is partially free beer.

    http://www.cycas.de/

  6. Re:Over-hype - not highest rating possible on IBM Clinches Security Certification for Linux · · Score: 1

    Great analysis and explanation. I think you're dead on with the OSS - CC conflict.

    Here's a question though (since you seem to have a strong grasp on EAL defs): What about an effort where say the NSA SELinux group or this "Red Team" idea that came up around here recently went back through and verified all code? This doesn't get around design requirements, but it might address many of the documentation issues, right? How would you guess such an effort might affect the EAL rating of a specific linux distribution?

  7. Re:Another link on IBM Clinches Security Certification for Linux · · Score: 1

    > So if anybody else wants to be selling Linux to the US government, they have to shell out those hundreds of thousands of dollars themselves.

    Not really true. As with the old TCSEC levels, CC EALs are mostly about specific configurations and availability of services. I am not as up on the EAL details as I should be, but I have no doubt that if you were a VAR with government contracts you could easily (in time) get the information needed to replicate the IBM/Suse config and sell a verifiable system to a gov. department.

    Something to be aware of, however, as with all things bureaucratic, this is merely a step in the direction of sales to gov. It's going to be quite some time before you see the IBM press release about "US Dept. of Foo Installs 1200 units of IBM/Suse Linux computers." It's the follow-on hurdles which pre-existing government contractors will get over much more easily than most (IBM included). That's the real barrier to entry for doing business with the gov. The CC stuff will all eventually be documented and made available.

  8. RIAA will not stop on The RIAA Hit List - A Pattern Emerges? · · Score: 5, Informative

    Just chatted with my investigator friend at the RIAA again. He told me they've got this whole operation outsourced to online investigators (not sure exactly what that means) and law firms. They're budgeting the effort as a simple cost of doing business. They do in fact have patterns, schedules, etc. This is just going to keep going until a group finds a common defense and can start making this more costly for them. Otherwise he said that internally it's clear they're following this road as long as they can.

    He also mentioned that they're now paying for staff at ISPs. Basically with the Verizon case everyone is ready to roll and RIAA finishes them off by offering to pay for the staff increases needed to fulfill the subpoenas.

    Personally I haven't bothered downloading music since shortly after the Napster demise, but this stuff is bullshit. I really hope the folks getting targeted can band together with some sort of tenable defense and start making this more expensive for them. During the Napster case I was told by this same guy that RIAA was getting short on funding and the labels weren't willing to cough up extra cash for the case. It sounds crazy, but maybe enough individuals could eventually team up, get all cases into a single jurisdiction, and try to start bleeding them again. They're big, but their funds are not limited. Certainly a long shot, though, and expensive for everyone involved.

  9. Separation of interests on Questions for DoJ IP Attorneys Asked and Answered · · Score: 2, Interesting

    I'm not going to get into nitpicking about separation of private and public (government interests), but would just like to provide this one fact to folks here. I happen to directly know an RIAA investigator. He doesn't participate in P2P or other strictly online cases. His focus is on large scale piracy operations (i.e. overseas manufacturing of counterfeit media). My point, however, is that he, an employee of the RIAA, participates in FBI raids of suspect facilities. He's there representing the RIAA's interests, not the public's. I'm sure FBI folk could go on about how these collaborations are handled to ensure ethical work, but the truth is he's there standing next to the enforcers, pointing his finger, and pressing the RIAA's case before the suspect even has a chance to cry "lawyer".

    Large, moneyed organizations do get special treatment by the US federal government. To try to argue otherwise is ridiculous. Similarly it's a waste of effort to try to get them to stop. In this case the claimed issue is that they need an expert on the scene to identify the infringing materials and the FBI can't be expected to provide that expert. What I'd like to know, and my apologies to all for not posting this question in response to the initial RFQ, is how does the DOJ and its enforcement arm, the FBI, ensure the individuals and groups within their departments are acting ethically and not being influenced by these private organizations? Are there educational sessions for investigators working hand-in-hand with private organizations? Are there established, departmental penalties for unethical behavior which may not technically be illegal?

    Maybe we'll get to interview the FBI next?

  10. Re:Exercise (consider a martial art) on Getting Back Into Shape While At The Office? · · Score: 1

    Yeah, well you really shouldn't be doing koshis until you can breakfall safely. It's pretty easy to break a bone if you get thrown too hard and fall wrong.

    For the record, I've been plenty sore in the muscles and joints after practice. That's mainly to do with being inactive for over 10 years. Compared to many martial arts and western sports aikido is very good to your body, but there are things you have to learn about in order to stay safe.

  11. Exercise (consider a martial art) on Getting Back Into Shape While At The Office? · · Score: 1

    There is no substitute for getting off your ass a couple/few times a week and doing something. That and calorie reduction.

    I was in the same boat you're in. Then I turned 30 this January (yeah, and I still read slashdot :( but at least I'm happily married :) Anyhow, the new decade got me concerned enough to do something about the extra poundage. Problem was I *hate* the usual gym routine. Boooorrrringggg! I tried and failed to stick with it numerous times. I finally decided to give aikido a try. It's a Japanese martial art. Easy on the body, but still excellent exercise. Best of all it's really technical and tricky and weird and just overall appealing to geeky types. Most of the people I practice with are fellow geeks of one type or another. No macho shit. Just tons of fun. Once I started exercising regularly it became almost natural to just start eating and drinking a bit less. I've only lost 10 lb. or so since Feb., but that's fine. I was sporting maybe an extra 20 and I'm not in a race. The important thing is that I think I've finally found a physical activity that will hold my interest for a very long time. Check it out:

    http://www.aikidofaq.com/

    http://www.aikiweb.com/

    Bottom line, there's no gizmo you can hide under your desk that's going to make you healthy. You gotta get away from the desk.

  12. An excellent review of a wonderful book on The Amazing Adventures of Kavalier and Clay · · Score: 2, Interesting

    How nice to read a well written book review for once.

    However, I'd like to highlight something I think was treated rather lightly. This book, though fiction, provides an amazing look at societal mores of the period. It crosses back and forth over so many cultures, classes, and cliques. It is colorful and thought provoking.

    Also, if you do allow yourself to ponder the issues presented and not just focus on the fun easy read that it can be, be prepared for the very sad life of Kavalier. A young Jewish refugee of WWII forced to abandon his family in Europe. It is Chabon's masterfully touching portrayal of this man without falling into the easy (cheap) overdramatization of war victims (WWII victims in particular) that earned him the Pulitzer. It is an amazing study of a horrifying situation which so many people find themselves in as a result of war.

  13. RMON, SNMP, perl, and an extensible system on Monitoring the Health of Your Penguin? · · Score: 3, Insightful

    Here's how I'd suggest approaching the problem. Look into the platform MIBs. Find out what you can query values for. You should at least be able to get some binary type "fan working", "power supply working", etc. type stuff. Then get yourself an easily extensible monitoring system. Frankly, BigBrother is antiquated and a pia to manage. Other recommendations made here are reasonable, but I'd suggest mon. It's not a monitoring system per se. It is a scheduling framework with concepts of monitor and alert built-in. Many monitors and alerts are available, but best of all it's really easy to write your own. For such things (for most things), I like perl.

  14. Start from the beginning on Recommendations for Third Party Security Audits? · · Score: 3, Insightful

    First off, the reason your security is broken is that you probably don't have a policy and if you do nobody understands it and if they do there's no QA ensuring that they follow it.

    Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on its own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.

    Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple bigger names there's @Stake, Booz Allen Hamilton, and Predictive, however, I would encourage you to seek out a local independent with good references.

    Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment.

  15. Secure vs. secure on SELinux Panel at FOSE in Washington · · Score: 4, Informative

    As hinted at in another post here, there's a difference between what's certified and what individual practitioners would see as accurate. The reason is the individual practitioner sees systems applied in real world scenarios and these don't necessarily have anything to do with certification standards. For instance, Cold Fusion and IIS problems are simply not a factor in evaluating the OS even though in the case of IIS it's arguable as to whether this should be.

    Additionally, you need to understand just what is being evaluated at the different levels. As mentioned, WinNT was given C2 certification. Understand that this has everything to do with a particular feature set (fine grained ACLs primarily) and little to do with the penetrability of the system. Actual pen testing doesn't become a requirement until B1, IIRC.

    The type of security that many are trying to achieve now (secure design, design verification, secure distribution, etc. i.e. security from the start) really doesn't come into play until A1 and that's the highest level of security deemed practical in the TCSEC.

    If you read the Orange book all the way through, what you'll see is that the majority of the security is intended to be achieved via mandatory access controls, subject and object labeling, and the careful application of these concepts. Each level has a new set of requirements for how much of the system is submitted to mandatory access control, whether the TCB (trusted computing base) is a subsystem of a greater insecure system, modularity and separation of duties, etc. Much higher level system design issues and features, really. Until B2, B3, and really A1 IMHO there's only basic and passing concern with what we're coming to realize as the one true requirement of security engineering: security from the start. Secure design, verification, implementation, and review.

    I haven't closely studied the Common Criteria and the handful of protection profiles yet, but I suspect you'd find the same or a similar issue. These are evaluation criteria and they tend to be focused on evaluating a stated set of features and capabilities. In high security environments product certification is not a replacement for careful product evaluation by the end user/customer any more than skills certification (e.g. Cisco, MS certs) is a replacement for careful interviewing and skills assessment by a hiring manager.

  16. False on TiVo Introduces Series2 · · Score: 3, Informative

    Enabling Backdoor Mode

    The Backdoor mode can be entered using the remote by doing a "Browse By Name" for "0v1t" (TiVo spelled backwards with zero and one instead of "O" and "I") followed by the "Thumbs-Up" key. The only known way of exiting Backdoor mode is to reboot the TiVo (see "C-E-C Fast-Forward" below).

    The backdoor code for 2.0 systems is done the same way, except the code is "2 0 TCD". There is one space between the "2" and the "0", and another space between the "0" and the "TCD".

    The backdoor code for 2.5 systems is done the same way, except the code is "B D 2 5". There is one space between each character.

    The backdoor code for V1.5.2 UK (latest) is: 10J0M (that's zeros and ones).

    Almost Complete Codes List

  17. Completely false on TiVo Introduces Series2 · · Score: 2

    I'm as cynical as the next guy, but this is simply wrong. I have a brand new Sony SVR-2000 with the 2.5 code and it's fully hackable. Backdoors are on and I've enabled numerous hacks. For further info see Almost Complete Codes List. Now, what happens in the future is anybody's guess. However, based on the fact that the 30 sec. jump hack was removed in 2.0, then added back in 2.5, I'd say Tivo is still more sensitive to customer demand than anything else.

  18. Boston market on Former Dot-Com Workers Crowd Homeless Shelters · · Score: 2

    I don't have a sob story, but it's definitely not the same here that it was. I changed jobs barely over a year ago. Many phone screens. At least a half dozen serious interviews and two great offers to pick from by decision time. It took 2 months.

    I start my next new job 6/25. Again it was only two months, but I had only two interviews (one of which I think was bunk from the start; feeling the waters maybe?). I'm doing well, getting a raise on this move, and generally feeling I'm getting into a higher quality company, but I do get the strong sense I was lucky.

    My skills? Network engineering, multi flavor unix admin, and perl programming with between 3-6 yrs. exp. on them. Not a ton of time behind me, but I've done large scale data management and compute environments, built big complicated networks, and have written perl code with many layers of logic. I got 1 interview and 1 offer in 2 months. Certainly got me thinking a bit more about the ol' savings account.

    But to your original point, I think it's valid. I only started saving money at all after coming to Boston from SF. It's very hard to get your head above water out there and once you do it is (was) tough not to let it run away with you. One of the first things I noticed coming back to Boston was how less common Porsche, Mercedes, Jaguar were on the roads. The people with the mansions on the hills like I used to see along rt. 280 out west back east are the same old money people that have always had them, not 27 yr. old CEO's. My perspective at least...

  19. Verizon (BA) was highly inexperienced too on Covad Faked DSL Trouble For Verizon? · · Score: 3

    I have no idea how true these claims are WRT Covad, but here's what I saw. I contracted DSL from BellAtlantic 2 years ago. The tech who came to install it put the high pass filter in at the box and ran my line off the phone terminals. At the time I had no idea how ridiculous this was. But after waiting more than a week for a tech to return, I ambushed a guy working in someone else's apartment. I showed him the work done by the previous tech and he just started laughing his ass off. He set me up with a new filter in the apt. with the voice hooked into my existing phone wiring and the data run to a new internal line to where my systems were. So, my point is, Verizon wants us to think Covad techs were clueless. Well, I can guarantee there were just as many clueless Verizon techs out there.

    That said, the service has been excellent for these two years. Outages occur, but usually short lived (2 hours) and perf has been exactly as advertised (620/90). I know I probably got lucky in this regard, but I really don't have a negative thing to say about the service. I just find it highly amusing that they would criticize the quality of someone else's techs. This is the same company whose techs I've actually seen first hand pull other people's circuits down just so they can close the order they're working on at that moment.

  20. PSINet and C&W peering on C&W De-Peers PSInet · · Score: 4

    FWIW, this just hit NANOG list.

    From: Mitchell Levinn [levinn@psi.com]
    Sent: Tuesday, June 05, 2001 9:35 AM
    To: nanog@merit.edu
    Cc: levinn@psi.com
    Subject: PSINet and C&W peering

    C&W did indeed shutdown their peering connections to PSINet
    this weekend. While there are many potential explanations
    for their actions, I have no visibility into their decision
    process. I am disappointed with their decision to disconnect.
    PSINet continues to seek a resolution with C&W to restore normal
    connectivity in order to avoid further negative impact to both
    companies and the Internet. Their decision is hard to understand
    based on the following:

    - C&W and PSINet upgraded circuits used for peering between
    the two networks earlier this year. C&W's recent action
    seems inconsistent with the strategy that led to these
    upgrades.
    - PSINet's recent addition of direct private peering with several
    of C&W's transit customers relieved the peering connections
    between the networks of a couple hundred Mbps of traffic
    (improving connectivity overall and, undoubtedly, lowering costs
    for those transit customers). This is significant only because
    C&W claims PSINet no longer has sufficient traffic to justify
    the connections according to their published standards. In
    fact, PSINet's overall traffic continues to grow.
    - Most of the PSINet traffic previously destined for sites
    behind C&W has alternative paths through other providers.
    While this sounds like a generally good thing, especially given
    the actions C&W has taken, it does make it difficult for those
    that require certain traffic levels to be maintained consistently
    for peering. Specifically, C&W's customers (or C&W itself) could
    alter "natural" traffic flow to favor (or not) various connections
    to meet their published standards (or not). PSINet demonstrated
    to C&W that if naturally less favorable announcements were
    preferred, PSINet could make an almost arbitrarily large (or
    small) amount of traffic flow between the peers. Even so, in
    C&W's opinion, PSINet will not be able to comply with their
    peering policy's traffic standards. It is gratifying to note
    that even without C&W peering, substantially all of the
    traffic previously flowing between PSINet and C&W continues to
    be delivered.
    - At this time PSINet has not disabled the C&W peering interfaces
    nor decommissioned any facilities. If C&W chooses to, they can
    re-enable interfaces on their side and bring back the connectivity
    lost between their non-transit customers and PSINet. PSINet
    remains open to discuss with them a new bilateral peering
    agreement if they so choose.

    PSINet remains committed to servicing its customers and the Internet
    with the best possible infrastructure and policies. PSINet still
    maintains hundreds of peering connections with other ISPs throughout
    the world. While posting about matters between PSINet and its
    peering partners is not typical, the circumstances and questions
    arising from C&W's decision required some clarification. Hopefully
    this additional clarification helps everyone understand the current
    situation.

    -Mitch Levinn
    PSINet

  21. Re:Hemos, try searching slashdot on Building Quieter Computers · · Score: 2

    Sure, there's value. Last time it came up I had no direct experience, this time I did and added $.02. I guess what I was more reacting to is the lack of references to previous discussions thereby potentially heading off repetitive commentary and drawing out new experiences/sources. But you're right, it's still better than your average dead tree rag.

  22. Hemos, try searching slashdot on Building Quieter Computers · · Score: 5

    I'm a little surprised this was posted. It's not like this subject hasn't been up before with some excellent feedback:

    Ultra-Quiet Linux Boxes?

    Computers And The Noise They Make

    I'm pretty sure there's at least one other story in the archives which I didn't find immediately.

  23. Fans are only part of the problem on Building Quieter Computers · · Score: 4

    I recently picked up a new higher watt power supply and cpu fan from PC Power & Cooling. Higher wattage is supposed to aid in reducing fan noise and their stuff is supposed to be high-quality ball bearings that will run quieter. Well, they definitely run quieter, but not even close to silent. And I found the bulk of my noise to be coming from an old hard drive. Well, I removed it as it wasn't really needed anymore and the nice new IBM in there still makes its share of noise just spinning.

    Best suggestions I saw the last time this came up was consider what quiet really means given your ambient noise. For me, it turns out to be nearly silent as the thing is in my bedroom. Based on my experience this is pretty tough to achieve. One issue I've yet to resolve, which you may like to look into, is how to build a *nix system where you can spin down all drives. The problem is swap disk. As far as I can tell presently, you always end up with one disk spinning (or constantly up/down) due to even the smallest swap accesses. What might be feasible, but expensive, is a solid state disk for swap.

  24. Bullshit, you twit on Above.net Blackholes, Unblackholes Macromedia · · Score: 1

    What an arrogant sack o'...

    Whatever. First off, only someone who knew nothing of internetwork routing would make the statement "so you have to get what you can from traceroute." Try a looking glass jackass.

    So, you have no clue. Let's move on anyway.

    How do you just "happen to route via above.net"? Either you, your upstream, or your destination is buying transit off them. If you're an ISP big enough to have a peering agreement (no idea what Above.net's policy is) you aren't sending transit traffic to them anyway b/c you've got 1 or 2 hop routes to every other major backbone. Oh, you lost a session with someone. You're still going to send it through your own backbone to a direct exchange with the carrier, not over someone else's network. I have nodes off 5 different large carrier nets and hit anything in a single AS hop (meaning no intermediary carrier). I have one net off a smaller, local carrier and they don't use Above.net. If they did, I would know because I actually *asked* who they were downstream from.

    So, if you're an Above.net customer directly or indirectly and you disagree with this, stop being one. If your destination is an Above.net customer, well come on, you aren't going to tell me they don't have the right to enforce an AUP against their own customer are you?

    It's their network and you don't have to use it if you don't want to. Period.

  25. Re:Has anyone asked? on Sony Violating GPL? · · Score: 5

    It's not even as simple as that. They're also imposing a EULA on the binary which is completely incompatible with the GPL. Even if they did give you the source, if that EULA is attached anywhere (source, binary), they're in total violation of the GPL.