Slashdot Mirror


User: paenguin

paenguin's activity in the archive.

Stories: 0
Comments: 46

Comments · 46

  1. It always goes back to the basics... on Too Much Focus on the Beginning of Software Lifecycle? · Score: 1

    Good
    Fast
    Cheap

    Pick any two...

  2. Re:Misleading summary on Sarbanes-Oxley Costs Exceed Benefits · Score: 1
    The section 404 stuff is ridiculous. Why do we need individual audits of software pushes? I push a 1 line change, I need to fill out a SOX thing.

    Because with a 1 line change in the code, you can steal a billion dollars? It's not a measure of how many lines of code got changed, it's a measure of accountability of who made the changes so that if the changes are later found to promote fraudulent use, the person or persons culpable are identifiable.

  3. Anonymous Notification of Infection on CDC Wants to Track Travelers · Score: 1

    Dear Sir,

    You may have traveled with someone who was infected with (name of disease). If you are the person who was traveling with the other Anonymous person, please contact us immediately.

    You know who you are.

    If you are not the anonymous person who recently traveled, please forward this to the anonymous person who did. In order to protect your identity, we are also sending this message anonymously.

    Thank you.

  4. The eye of the beholder on Hacking - Art or Science? · Score: 1

    I'll assume that the word Hacking means a programmer using a language to solve a problem in a way that was not designed by committee, but more on the spur of the moment to solve an immediate problem.

    Science is the process of building facts about the real world using experiments and gathering empirical evidence. Hacking can be done this way.

    Art is the development of emotional states into things that relay the emotional message. Hacking can do this. If we define art as something that makes us feel that it is elegant, Hacking can definitely do this.

    Hacking is both... or either. It's also neither part of the time.

  5. Re:Hmpf on Mono Blocked from MS Conference · Score: 0, Offtopic

    Have you ever heard an automobile sales commercial on TV or Radio that stated:

    "All credit applications accepted" ?

    This does not mean they will be approved...

  6. Re:My complaint about intrusion detection devices. on Network Intrusion Detection and Prevention? · Score: 2, Insightful

    I get about 1000 probes and somewhere near 50 IDS events a day. Something tells me I won't like what I have to deal with if my firewall/IDS starts telling me about it in emails.

    All of these logs are history. Fortunately I'm running Linux and 99% of these probes and attacks are of little interest and are no threat.

    Now, when you get a tool that will tell me when an attack is about to happen, that's when I want to know about that tool. Especially if it can not only give me advance warning, but warnings appropriate for what it is guarding.

  7. Re:Evidence of problems with packaging systems on Debian Upgrade May Cause Serious Breakage · Score: 1

    Gentoo does this.

    When a new port of emerge comes out, you have to download it and compile it before you can use it to get anything else.

  8. Re:-1 Flamebait on Russians Claim Their Hackers the Best In the World · Score: 1

    Plesk server administration suite is written primarily by Russian programmers.

    It is outstanding software, which would explain its use by major hosting companies like RackSpace.

  9. Sensationalism, Anyone? on Mozilla Drops Support for International Domains · Score: 0, Redundant

    How does "Turned Off by Default" get to be equal to "Drops Support"?

    A leaf falls from a tree and the next thing you know, the sky is falling.

  10. I don't know where to start. What a reeking POS! on Backing Up is Hard to Do? · Score: 2, Interesting

    So, first, we have this "Copy" system that's being called a "Backup" system. PHOOEY.

    Next, he admits that the "Backup" system can't restore files or directories. OMG!!

    Anybody who adopts this system of backups better be praying to the hard drive gods and be making regular and appropriate homage.

    For a REAL backup method that can stand the test of time, try this:

    http://www.samag.com/documents/s=7033/sam0204c/sam0204c.htm

    It's a system that compresses each file individually, writes them out to a temp directory, creates an iso and then writes the iso to a CD. This way, single bit errors in the compressed archive don't kill the entire thing, just a single file. This becomes more important as your backups begin to age because perfect playback of bits becomes more difficult as the media they are stored on ages.

    Any system that creates a data stream of all files and then compresses it is prone to total loss of data beyond any significant error in the playback.

    The order is everything.

    Stream all files through the compress algorithm... Very Risky.

    Compress each file individually and stream it to the archive... Very Safe.

    Write everything to cheap read only media... Very smart.

    Depending on the data, you can get several gigs onto a single CD. High quality CDs should be readable for decades.
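
The ordering argument in this comment, as an added example that is not part of the original comment or the linked article: the Python sketch below flips one bit in a single gzip stream of all files and in one member of a per-file set, then counts which files still come back byte-for-byte. The file names, contents and damage positions are constructed for the illustration, and Python's gzip/zlib modules stand in for whatever compressor a real backup would use.

```python
import gzip
import random
import zlib

def sample_files(n=12, lines=400, seed=7):
    """Constructed sample data: n deterministic log-like text files."""
    rng = random.Random(seed)
    return {
        f"host{i:02d}.log": "".join(
            f"{j:05d} session={rng.getrandbits(48):012x} status=ok\n"
            for j in range(lines)).encode()
        for i in range(n)
    }

def flip_bit(blob, pos):
    """Simulate media decay: invert one bit of the byte at pos."""
    damaged = bytearray(blob)
    damaged[pos] ^= 0x01
    return bytes(damaged)

def solid_stream_survivors(files):
    """All files joined and compressed as one stream, damaged mid-stream."""
    stream = gzip.compress(b"".join(files.values()))
    damaged = flip_bit(stream, len(stream) // 2)
    decoder = zlib.decompressobj(31)  # 31 = gzip header and trailer expected
    out = bytearray()
    try:
        for i in range(0, len(damaged), 64):  # small chunks keep the good prefix
            out += decoder.decompress(damaged[i:i + 64])
    except zlib.error:
        pass  # decoder gave up; keep whatever it emitted before that
    intact, offset = 0, 0
    for data in files.values():
        intact += bytes(out[offset:offset + len(data)]) == data
        offset += len(data)
    return intact, decoder.eof  # eof is True only if the trailer CRC matched

def per_file_survivors(files):
    """Each file compressed on its own; one member damaged mid-payload."""
    members = [gzip.compress(data) for data in files.values()]
    victim = len(members) // 2
    members[victim] = flip_bit(members[victim], len(members[victim]) // 2)
    intact = 0
    for data, blob in zip(files.values(), members):
        try:
            intact += gzip.decompress(blob) == data
        except (OSError, EOFError, zlib.error):
            pass  # the damage stays inside this one member
    return intact

if __name__ == "__main__":
    files = sample_files()
    intact, verified = solid_stream_survivors(files)
    print(f"single stream: {intact}/{len(files)} intact, checksum ok: {verified}")
    print(f"per-file     : {per_file_survivors(files)}/{len(files)} intact")
```

In the single-stream case one checksum covers everything, so a failed check says nothing about which files are still good; with per-file members each file carries its own check and the damaged one can be identified and skipped.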

  11. I would use them for their intended purpose. on Stored Procedures - Good or Bad? · Score: 1

    Stored procedures can be used to isolate field names from the application that calls them. This encapsulation allows you to change data column names without regard for the application that is calling them. The calling application uses the stored procedure to retrieve and store data, and the stored procedure knows how to translate the data column names.

    They also allow you to put business rules and other data centric items at the database where they operate.

    For example, let's say you have a trigger on a data row that causes a formula to run. Wouldn't it be best to keep that formula with the data it operates on so that it can run rapidly without the need for data to go over the wire several times?

    Stored procedures are also a great place to store a complex set of queries so that the presentation to the outside world is more directly understandable. You might have data that is difficult to represent certain views, but a stored procedure can bridge that gap without adding complexity to the calling program.

    All of this is more important when you are talking about a web application where there is not a lot of processing power, state is difficult to maintain and lag times can stretch processing times if the data travels around too much.

    Stored procedures can solve all of these problems (and many more) neatly and at the server.

  12. Re:scared of the future [orwellian] on StorageTek Blocks 3rd Party Maintenance with DMCA · Score: 1
    Really, something is wrong with America. The diminishing of personal "liberties" (why didn't you say rights?) you're happy to tolerate is just one symptom, and without treatment of the causal disease (and I'm not pretending to know what it is) there's only one inevitability; the death of America.

    It's very simple, really. The problem is the same problem that has plagued mankind from the beginning. Greed tops the list of what is wrong with governments throughout history. This is nothing new.

    Greed: n 1: excessive desire to acquire or possess more (esp material wealth) than one needs or deserves 2: reprehensible acquisitiveness; insatiable desire for wealth (personified as one of the deadly sins)

    Once the ability exists to go beyond unimaginable material wealth, the only game left in town is acquisition of power.

    This is where we are today.

  13. Re:too bad it's inefficient on Apartment Lit Solely by LEDs · Score: 1

    Modern electronic ballasts run above 50 kHz. I have some here that run at 90 kHz. There are no flicker problems from these electronic ballasts.

    What you refer to are magnetic ballasts, and they are not all that common these days.

    Have you ever noticed the effect of the strobing of your hand when waved in front of a television? You can see multiple outlines of your hand as you wave it back and forth.

    You can do the same thing with a fluorescent light to see if it is a magnetic ballast or an electronic ballast running at a much higher frequency. I think you'll be surprised at how many fluorescent lights are running newer electronic ballasts.

    Also, newer electronic ballasts start the bulb so fast that you can use them for a strobe effect. If you can cycle the power of your fluorescents quickly and they turn on and off no matter how fast you toggle the power, you can be virtually assured that they are running on a modern electronic ballast at a much higher frequency than 60 Hz.

  14. Here's how to stop _this_ one. on Linux Worm Creating "Attack Network" · Score: 2, Informative

    But, in the long run, you really need to upgrade OpenSSL.

    Anyway:

    su -
    cd /tmp
    ls -a .bugtraq*

    If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

    If you haven't been compromised yet:

    touch /tmp/.bugtraq.c
    chmod 000 /tmp/.bugtraq.c
    chown root.root /tmp/.bugtraq.c

    then...

    which gcc
    and, chmod 700 that file.

    This means that normal users will not be able to compile c code. If this is unacceptable, you can undo it after you get OpenSSL up to date.

  15. The entire premise is flawed. on NIST Estimates Sloppy Coding Costs $60 Billion/Year · Score: 1
    Software bugs are costing the U.S. economy an estimated $59.5 billion each year, with more than half of the cost borne by end users and the remainder by developers and vendors, according to a new federal study.

    Improvements in testing could reduce this cost by about a third, or $22.5 billion, but it won't eliminate all software errors, the study said. Of the total $59.5 billion cost, users incurred 64% of the cost and developers 36%.

    This is a load of Hogwash!

    Testing can only prove whether or not the code was well written. You cannot fix badly written code by testing it. The most you can do with testing is delay its introduction into the wild.

    Testing is NOT part of the design or development process, which is where bugs are actually created.

    Defects found during testing take far longer to find and fix than code audits and walkthroughs take. If you are doing a code audit or walkthrough and you see a bug, you are already at the spot to fix it. If you find a bug during testing, it might take days to determine where the cause is, if ever.

    If you want decent code, write decent specs and allow the programmers time to hit a well thought out and non-moving target.

  16. Re:IPCop as a quick solution to firewalling on IPCop 0.1.1 Review · Score: 1
    This is weird - I just surfed by the Sourceforge mailing list archive. You are an admin on this project so effectively whoring yourself here.

    You must have bad vision, then, because I am not associated with the administration of this project in any way. I don't even have CVS rights. I haven't donated any code, I have no submissions to anything that is in the CVS of this project.

    The copyright on most of the SmoothWall 0.9.9 GPL code reads: "Copyright, 2001, The SmoothWall Team". Good luck on enforcing that one. It is my understanding that copyrights can only be held by legal entities, and as far as I have found, "The SmoothWall Team" was never a legal entity. If there was such an entity, anyone who was ever granted membership of the team would hold legal copyright. I'm open to being proven wrong.

    ...if Eben Mogel is reading this I'd suggest he contact the guys at the FSF Center because this smacks of really abusing author rights protected under the GPL.

    Doing whatever you want to do with the code is exactly what the GPL is all about. If you don't like the way things are going with some GPL code for any reason, you are free to do whatever you like with the code as long as you feed it back to the community as GPL code.

    Now, if copyrights were removed, that would be a different matter. From what I understand, that has not been done.

    From what I have read on the IPCop-dev mailing list, most of the SW 0.9.9 code will be discarded and implemented in a different way in the 0.2.0 branch of the IPCop project. According to the IPCop-dev mailing list, the Perl code will all be discarded.

    Talk is cheap when you post as an Anonymous Coward.......

  17. Re:IPCop as a quick solution to firewalling on IPCop 0.1.1 Review · Score: 5, Informative

    I've done a lot of IPCop installs and I can have it installed and configured in 10 minutes pretty much every time. That includes from the time I boot the CD to start the install to doing all the patches, turning on all the services I like and defining the dhcp ranges it will be serving.

    This is one nice Linux security distribution. It requires minimal skill to install and there is a huge FAQ on the website.

    Highly recommended!

    Here's what you get:

    - Totally GPL
    - Friendly support on mailing list
    - All source code available on public CVS
    - Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.
    - 2.2.21rc1 Kernel
    - EXT3 File System
    - IPChains based firewall
    - Network Address Translation (NAT)
    - Analog/ISDN/ADSL modem support
    - Support for almost any connection type
    - CheckPoint Soft. SecuRemote Support
    - Full DMZ Support
    - Web Based GUI Admin & Config System
    - Full Status Display
    - Full Traffic Graphs
    - Full Connections Information
    - PPP Settings/Configuration Area
    - PPtP ADSL Support
    - PPPoE Support
    - USB ADSL Firmware Upload Area
    - Modem Configuration Area
    - SSH server for Remote Access
    - Password Control Area
    - HTTP/FTP/HTTPS Web Proxy
    - DHCP Server
    - Caching DNS
    - TCP/UDP Port Forwarding
    - External Service Access Control
    - DMZ Pinholing Capacity
    - Dynamic DNS Support
    - Intrusion Detection System (SNORT)
    - VPN Support (FreeSWAN) with Control Area
    - Full System Logs
    - Web Proxy Logs
    - Firewall Logs
    - Intrusion Detection System Logs
    - Remote Shutdown/Reboot Area
    - Integrated JAVA Based SSH Shell Area
    - IPCop Linux Updates Area

  18. Re:The unfortunate failure of a great idea... on SmoothWall Firewall Review · Score: 1
    Now, on to Richard. Yes, he can be a dick and he likes to prove it. So don't go to his mail list or chat. Start your own and field questions all day from people who'd have an anal probe before they'd give you a dime for your time, but expect you to practically go to their home and set the box up for them.

    I did exactly that for nearly 8 months. You can read the archives as they are preserved perfectly. Richard threatened to sue me if I didn't shut it down. I got tired of the threats and when IPCop.org appeared, I stopped the unofficial SmoothWall support lists.

    Somewhere in early December, 2001 I actually had to moderate Richard since he was doing nothing but stirring up the list with his venomous messages.

    Care to do some reading? Go here. It's all archived...

    http://www.matrixlist.com/pipermail/swgpl-main/

  19. Re:Of RPMs and Throughput on IBM 1GB Microdrive Review · Score: 1
    Why is there such an emphasis placed on RPMs? i.e. 7200 versus 5400 versus 3600, etc: RPM is used as the metric regarding the performance of a hard drive. Yet, correct me if I'm wrong (as if I need to even say that :-]), is it not true that one RPM on one drive can represent a vastly different amount of data than one RPM on a different drive?

    Most IDE drives have the same number and size of sectors per track, ie: the same amount of data on each track, therefore each rotation causes the same amount of data to pass under the head.

    Rotation speed is important as it is generally the limiting factor on how fast data can be read and streamed off of each track. Small chunks of data will only gain an improved latency time, but large chunks of data will read off as fast as the disk can get the data under the head.

    The biggest marketing foofoo in hard drives is currently the interface speed. Once you reach ultra-33, you have surpassed the speed of the data being read, so the bottleneck moves to the next spot, how fast the head is moving past the data. If you can't saturate an ultra-33 data path at 7200 rpm, you also can't saturate an ultra-66 or ultra-100 or ultra-133. Unless the cache is doing a lot for you, these faster interfaces don't do a lot for you overall in getting large chunks of data from disk to memory. This is why they are putting much larger caches in the drives now, so cache hits are increased and the bottleneck is not at the head touching the platter, but how fast the drive's cache can put the data on the bus. Large caches are important to take advantage of ultra-66 and above interfaces.

  20. Re:Uptime guarantee on Security Issues with Windows 2000 Datacenter? · Score: 1


    No, 99.999% uptime gives you .864 seconds per day of downtime, or just over 315 seconds per year.

    24 x 60 x 60 = 86400 seconds per day

    86400 x .00001 = .864

  21. Re:Dumb indicators on Linux Is Going Down · Score: 1
    His indicators...

    Re: 3. and a sharp decline in Linux-based companies' stock value.

    Did he bother to compare Linux-based stocks performance with how Microsoft stock has performed over the last year?

    Obviously not!