I doubt you'd get anywhere. And if you did, a firewall would not have been relevent.
The only things you'd find are ports for www, smtp, pop3, and ssh. Not much point in firewalling something that isn't listening in the first place... and you can't firewall services you intend to offer, as it kind of defeats the whole fucking purpose, you idiot.
Heh, like they *did* support it in the past... there's still plenty of legacy exploits from NTS that are present in 2K3. You avoid them by eliminating the vectors, and hoping for a patch some day. Now, there just won't be one. 2k3 owners are in the same boat, however, until that patch is released.
So, nothing much will change. 0-day POCs are announced, and you mitigate, doesn't matter what version you've got. We'll be knocking on the MTBF for some of the more critical hardware in a year or two, though, so we'll probably start budgeting next year. MTBF is a real thing, as opposed to some artificial deadline.
Point taken regarding ntdll, however... WM_Timer was a stupid design - Ring3 registers a callback, and the callback is later invoked under Ring0 context. Considering the chunk of code that invoked the callback... if that doesn't constitute a kernel flaw, I'm not sure what does.
(lot of copies) No, there's only 16. But there's a pile of other junk on top that'd need to go as well - like a lot of hardware, and the usual vertical software. All of that junk goes - migrating means we set up a parallel system, which means we don't "upgrade" anything. We must buy additional copies, and CALs. We must buy from scratch. Everything we've got, we buy again, so we can run them both until the new one hits production.
I'm laughing hysterically as I read your comments on Exch55 - I think you're my new hero. You SO hit the nail on the head, lol... it was good to read that. "Stuck running"... oh, with two words you've said an entire thesis:) On the good side, I've not run into any issues with it, aside from the usual OWA crap (which I tossed and replaced with my own crap. Not as pretty, but more functional, the code is a lot cleaner and doesn't crash. Granted, used toilet paper is cleaner than OWA... but mine renders calendars in public folders, too 8^) )
(if IIS hangs etc) That's actually not quite correct. If either an MTX or an in-proc pukes IIS, regardless of the reason, you can kill & restart it without a reboot. The only service that needs a reboot when it goes AWOL seems to be RPCSS. For everything else, there's PSKill(tm). And for bonus points, you can script the automatic detection, killing & restart when things stall or die.
As far as the auto-recovery, I'm not a big fan of that - I view it as a straw-man defense. A worm just rooted it, so... start up another! Oh yeah? Well, have another! And another! Since everything we do demands server-side state, that technique has no value. If we did static content, perhaps - but we don't, it's all GIS and SQL junk fed into a java mapping applet in the user's browser. Due to the large volume of data that's involved, state needs to be kept server-side. And if it goes down (losing what the users have done), it needs to stay that way (not bounce from repeated attacks, with the users starting from scratch each time). So again, I've already got 'auto-recovery'; using it is not appropriate, though, so it has no value.
Final comment on reliability - sorry, but 2K3 isn't going to compete with the four 9s I've already got. Six years, one real dump four years ago, and two over the past year which were in a vendor's COM object (and being outta-proc, were contained to the specific user who caused it. Other users were unaffected.) Reliability isn't defined as the ability to come back after an error; it's defined as the not encountering them, in the first place.
Again, though, I'm in a unique situation. For the general case, everything you've said stands as correct.
Killing NTW was a kick in the stomach, to make the forced upgrade "hit home". They wouldn't be able to do it with NTS, however - consider that I had a quirked out UPS in one rack, and it took almost a week to create an opportunity to swap it out (you can't just dump a full 8-foot rack for an hour).
So, that's why. The NTS patches can easily be made to patch NTW as you suggest. Microsoft's artificially dumping NTW would act as a scare-tactic leverage, giving adequate time to start the ball rolling with the various budget processes. And remember, the bulk of NTS upgrades will carry 6 and 7 digit pricetags.
Actually, no... all documentation provided to admins consists of "Consult the MSKB for details." Consulting the MSKB yields about 14 page redirects, finally ending at "Contact your network administrator for more information."
The result is that when asked what the software is supposed to do, the Admin will generally state that it's intended to piss him off, which it does... meaning Microsoft has delivered on their agreement.
On the good side, MS has since optimized this process with 2K and moreso with XP. They've removed the bulk of the "Contact your NA" jargon, and replaced it with friendlier "File not found or I lost it or something" messages, rendered in wonderful 32 bit anti-aliased glory with full alpha blending. The result, as is promised in the accompanying documentation, is a much richer user-experience.
I agree, but... the problem is the EULA. The EULA states that "the product will work substantially in accordance with what's described in the accompanying documentation."
The accompanying documentation uniformly describes the product elements as "Contact your network administrator for more information."
You are exactly correct. And that is a major compelling reason to stick with a configuration's 6+ year track record, as opposed to buying "the trash du jour" which *needs* to be firewalled. Right off the bat, even the vendor has disavowed it's ability to be properly configured. No, I'll stay away from that, thanks.
I use it exclusively on the back-end I built back in '99. Paying out 1.1 mil for what is in truth just new icon rendering lib and a folder view.dll is downright stupid, especially when there will be *no* change in actual performance or function. Yep, walk the dependancies on why stuff won't run on NTS4 and "requires" 2K+ - 99 times out of 100, it's shell UI crap. 1.1 mil for... exactly what I have, but now with new color schemes and stupid, obfuscating, irrelevent wizards... on rackmounted iron who's KVMs aren't touched but twice a year to see if they work. Thank God 2k3 comes preloaded with AOL, MSN, WMP and Solitare. All of that trash is extremely appropriate in a real production, really.
So yeah, I still use NT4. I don't upgrade my toaster because a new one comes out, I don't upgrade my car stereo when a new one comes out, I don't upgrade my lawnmower when a new one comes out, I don't upgrade my lightbulbs when a new one comes out, and I don't upgrade a server just because a "new" one comes out.
Call me crazy, but I only trash these things when doing so will accomplish a measureable objective. I'm also one of the few retards who dares to run NTS4 without a firewall - I've got one that's a quad-homed box, hosting two T1s and a DS3. No firewalls, just straight from the NICs into Adtrans etc. I put it on the line back in mid '99, and to date it has yet to be compromised or faulted, despite hosting both IIS4 and Exch55, and running some rather unique and complex software in each. Why the f*** would I want to swap that out... well, a Linux solution aside, why *else* would I want to swap that out... no "current" MS product is going to do any better than what I've got now, and in fact will probably do worse. Much worse.
I don't repaint my car every year, I don't replace the doors on my house every year, I don't buy a new bed every f*ing year, and I don't toss a solution that will continue working perfectly unless there's a damned good reason. "New screensavers" and "wizards" doesn't cut it.
Mine, Mine, Mine no carrier I RTFM fucking cordless phones YOUR SSID this song is just 6 words long vRG18bNuW2940F17sM8e (funny because no wep wpa etc)
Finally, we can put an end to all these jerks who have bastardized our precious RFCs... using funky TTLs, non-random sequence numbers, spoofing source addresses, failing to respect the evil bit... finally, finally! We can pay them back!!
It would appear that you missed the recent/. story about Verzon's neat new Motorola Phone, which is exactly what the poster described.
Actually, we play a better game
on
Wi-Fi Gaming
·
· Score: 4, Funny
called "Get the the neighbor arrested".
It's real easy - we each pick a victim, we each point our little waveguides at our victim's AP, and we each see who can get the cops to show up and arrest the victim, first.
Perhaps not today, but I'll wager that by end of year... the above joke won't just be a fiction, and it scares the willies out of me for some reason.
A long (long) time ago, I came home to find my wife pumping some online poll, somewhere. Vote, click, wait, back. Vote, click, wait, back. It seems that Marvel was running a "who's the coolest X-Man" poll, and the various fan-groups were doing their damndest to win. Since I wanted my computer back, SpamHammer was born. With a dynamic array of winsocks, it'd allocate as many as the target server could handle, and repeat the voting that you'd "taught" it xxx times. It did well, to the order of a thousand or so per minute if the target could handle it. I must say, the pained expressions on the faces of the various people who were NOT in my wife's fan-group was worth every minute spent coding it, if only I could have seen them. An army of them would spend an hour pumping in a few thousand votes... I'd throw in 10k votes in the time it'd take to make a cup of coffee. It was a few years ago, but it was the type of user-torture that lasts a lifetime.
Eventually, the phishing scams came out. And the mortgage quotes were flowing in. And I got tired of all of them. And I remembered SpamHammer.
So, a LOT of searching of the old file-tree to find it, a little tweaking, and V2.0 was born. This new version supports everything needed to pump tons of crap into any site, POST or GET, cookies or not. I spared no feature - from random emails, random name permutations from the USCB, junk mailing addresses that'll pass a city/state/zip xref, random credit card numbers with proper checkdigits, and even stuff picked from lists (think of med sites). Mortgage quoters want leads? Here, have a million. Just don't bitch when the lenders refuse to pay for those leads. Phishers want accounts and passwords? No problem - with the added benefit of DOSing the target host. Free viagra? Oooo... I get wood just thinking about it... here, have a hundred thousand orders for random crap on your site.
I'm not sure why, but there's something satisfying about getting a "write failure: access denied" after pumping a few million POSTs into a site, consisting of every major field being 32K each. The only thing more satisfying is knowing that certain med-sites simply email the order to an in-box... here, have a big pile of 1Meg emails.
The cuda doesn't do outbound (aside from generating NDRs). It basically plays "man-in-the-middle" with inbounds from foreign hosts, only. Easiest setup is to add a new public A/PTR pair for the 'cuda, then point your MX at it. As the new MX propagates, traffic to the actual mailexch will dry up, etc, as outside hosts begin sending to the cuda, instead. Eventually you make your mailexch blackhole the entire planet, with the exception of any legit hosts who'd SMTP directly to it (including the 'cuda). This type of setup works great, as it involves no change to client configs, etc.
OTOH, if you suspect your userbase may be a source of spam that needs to be killed, you might want to hold off on any purchase - they're supposedly releasing a product that does both in and outbounds in the near future. By all means, evaluate the 300 though, but don't commit to it if you need outbound screening.
Re:What's a dead virus?
on
HIV Vaccine
·
· Score: 5, Funny
Think of it as a Windows install disk that's been badly scratched.
Ah - but if the writer does get caught, they'll be set for life once they got out of jail. Adobe and California have already asserted that "breaking" ROT13 is a criminal offense... imagine the field day some scumbag lawyer would have with those who "hacked into" and "reversed" some jerk's obfuscated trojan.
A good trojan that contained an embedded EULA, a trade-secret and a copyright notice would be funny as hell IMO... and I've not seen any exceptions in the DMCA where certain "IP Rights" are waived if the "IP" is evil. Besides - if there were such exceptions, there'd be noone who'd have paid for Windows in the past decade.:)
If someone, one way or another, effectively "salts the earth" and destroys your ability to grow crops - shouldn't that person go to jail and face damages?
Slashdot Mirror
I doubt you'd get anywhere. And if you did, a firewall would not have been relevent.
The only things you'd find are ports for www, smtp, pop3, and ssh. Not much point in firewalling something that isn't listening in the first place... and you can't firewall services you intend to offer, as it kind of defeats the whole fucking purpose, you idiot.
What happens with support being dropped?
Heh, like they *did* support it in the past... there's still plenty of legacy exploits from NTS that are present in 2K3. You avoid them by eliminating the vectors, and hoping for a patch some day. Now, there just won't be one. 2k3 owners are in the same boat, however, until that patch is released.
So, nothing much will change. 0-day POCs are announced, and you mitigate, doesn't matter what version you've got. We'll be knocking on the MTBF for some of the more critical hardware in a year or two, though, so we'll probably start budgeting next year. MTBF is a real thing, as opposed to some artificial deadline.
Never needs to happen on IIS4, either - you need to hoof your butt over to sysinternals.com, my friend :) Welcome to ToyLand !
Point taken regarding ntdll, however... WM_Timer was a stupid design - Ring3 registers a callback, and the callback is later invoked under Ring0 context. Considering the chunk of code that invoked the callback... if that doesn't constitute a kernel flaw, I'm not sure what does.
(lot of copies)
:) On the good side, I've not run into any issues with it, aside from the usual OWA crap (which I tossed and replaced with my own crap. Not as pretty, but more functional, the code is a lot cleaner and doesn't crash. Granted, used toilet paper is cleaner than OWA... but mine renders calendars in public folders, too 8^) )
No, there's only 16. But there's a pile of other junk on top that'd need to go as well - like a lot of hardware, and the usual vertical software. All of that junk goes - migrating means we set up a parallel system, which means we don't "upgrade" anything. We must buy additional copies, and CALs. We must buy from scratch. Everything we've got, we buy again, so we can run them both until the new one hits production.
I'm laughing hysterically as I read your comments on Exch55 - I think you're my new hero. You SO hit the nail on the head, lol... it was good to read that. "Stuck running"... oh, with two words you've said an entire thesis
(if IIS hangs etc)
That's actually not quite correct. If either an MTX or an in-proc pukes IIS, regardless of the reason, you can kill & restart it without a reboot. The only service that needs a reboot when it goes AWOL seems to be RPCSS. For everything else, there's PSKill(tm). And for bonus points, you can script the automatic detection, killing & restart when things stall or die.
As far as the auto-recovery, I'm not a big fan of that - I view it as a straw-man defense. A worm just rooted it, so... start up another! Oh yeah? Well, have another! And another! Since everything we do demands server-side state, that technique has no value. If we did static content, perhaps - but we don't, it's all GIS and SQL junk fed into a java mapping applet in the user's browser. Due to the large volume of data that's involved, state needs to be kept server-side. And if it goes down (losing what the users have done), it needs to stay that way (not bounce from repeated attacks, with the users starting from scratch each time). So again, I've already got 'auto-recovery'; using it is not appropriate, though, so it has no value.
Final comment on reliability - sorry, but 2K3 isn't going to compete with the four 9s I've already got. Six years, one real dump four years ago, and two over the past year which were in a vendor's COM object (and being outta-proc, were contained to the specific user who caused it. Other users were unaffected.) Reliability isn't defined as the ability to come back after an error; it's defined as the not encountering them, in the first place.
Again, though, I'm in a unique situation. For the general case, everything you've said stands as correct.
Killing NTW was a kick in the stomach, to make the forced upgrade "hit home". They wouldn't be able to do it with NTS, however - consider that I had a quirked out UPS in one rack, and it took almost a week to create an opportunity to swap it out (you can't just dump a full 8-foot rack for an hour).
So, that's why. The NTS patches can easily be made to patch NTW as you suggest. Microsoft's artificially dumping NTW would act as a scare-tactic leverage, giving adequate time to start the ball rolling with the various budget processes. And remember, the bulk of NTS upgrades will carry 6 and 7 digit pricetags.
Actually, no... all documentation provided to admins consists of "Consult the MSKB for details." Consulting the MSKB yields about 14 page redirects, finally ending at "Contact your network administrator for more information."
The result is that when asked what the software is supposed to do, the Admin will generally state that it's intended to piss him off, which it does... meaning Microsoft has delivered on their agreement.
On the good side, MS has since optimized this process with 2K and moreso with XP. They've removed the bulk of the "Contact your NA" jargon, and replaced it with friendlier "File not found or I lost it or something" messages, rendered in wonderful 32 bit anti-aliased glory with full alpha blending. The result, as is promised in the accompanying documentation, is a much richer user-experience.
I agree, but... the problem is the EULA. The EULA states that "the product will work substantially in accordance with what's described in the accompanying documentation."
:(
The accompanying documentation uniformly describes the product elements as "Contact your network administrator for more information."
We're screwed
Yep. There's also the WM_TIMER exploit. Not a bug, but an exploit of a gross design flaw (that's also present in 2k & xp as well)
Too late. I've never bsod'd a box installing NICs on NT4, ever, and I have done many. His credibility is going, going... ... gone.
Ah! But if you run NTS on a box with more than 64megs, it kicks into "big server" mode :)
You are exactly correct. And that is a major compelling reason to stick with a configuration's 6+ year track record, as opposed to buying "the trash du jour" which *needs* to be firewalled. Right off the bat, even the vendor has disavowed it's ability to be properly configured. No, I'll stay away from that, thanks.
THANK YOU.
I find it amazing how many people simply cannot comprehend this simple concept. I'm not sure if they're clueless, or arrogant, or both.
I use it exclusively on the back-end I built back in '99. Paying out 1.1 mil for what is in truth just new icon rendering lib and a folder view .dll is downright stupid, especially when there will be *no* change in actual performance or function. Yep, walk the dependancies on why stuff won't run on NTS4 and "requires" 2K+ - 99 times out of 100, it's shell UI crap. 1.1 mil for... exactly what I have, but now with new color schemes and stupid, obfuscating, irrelevent wizards... on rackmounted iron who's KVMs aren't touched but twice a year to see if they work. Thank God 2k3 comes preloaded with AOL, MSN, WMP and Solitare. All of that trash is extremely appropriate in a real production, really.
So yeah, I still use NT4. I don't upgrade my toaster because a new one comes out, I don't upgrade my car stereo when a new one comes out, I don't upgrade my lawnmower when a new one comes out, I don't upgrade my lightbulbs when a new one comes out, and I don't upgrade a server just because a "new" one comes out.
Call me crazy, but I only trash these things when doing so will accomplish a measureable objective. I'm also one of the few retards who dares to run NTS4 without a firewall - I've got one that's a quad-homed box, hosting two T1s and a DS3. No firewalls, just straight from the NICs into Adtrans etc. I put it on the line back in mid '99, and to date it has yet to be compromised or faulted, despite hosting both IIS4 and Exch55, and running some rather unique and complex software in each. Why the f*** would I want to swap that out... well, a Linux solution aside, why *else* would I want to swap that out... no "current" MS product is going to do any better than what I've got now, and in fact will probably do worse. Much worse.
I don't repaint my car every year, I don't replace the doors on my house every year, I don't buy a new bed every f*ing year, and I don't toss a solution that will continue working perfectly unless there's a damned good reason. "New screensavers" and "wizards" doesn't cut it.
Mine, Mine, Mine
no carrier
I RTFM
fucking cordless phones
YOUR SSID
this song is just 6 words long
vRG18bNuW2940F17sM8e (funny because no wep wpa etc)
And my #1 favorite
Shit N Surf
Finally, we can put an end to all these jerks who have bastardized our precious RFCs... using funky TTLs, non-random sequence numbers, spoofing source addresses, failing to respect the evil bit... finally, finally! We can pay them back!!
[ducking]
It would appear that you missed the recent /. story about Verzon's neat new Motorola Phone, which is exactly what the poster described.
called "Get the the neighbor arrested".
It's real easy - we each pick a victim, we each point our little waveguides at our victim's AP, and we each see who can get the cops to show up and arrest the victim, first.
Perhaps not today, but I'll wager that by end of year... the above joke won't just be a fiction, and it scares the willies out of me for some reason.
I'd tell them I'll save them both... after I've finished checking my email.
A long (long) time ago, I came home to find my wife pumping some online poll, somewhere. Vote, click, wait, back. Vote, click, wait, back. It seems that Marvel was running a "who's the coolest X-Man" poll, and the various fan-groups were doing their damndest to win. Since I wanted my computer back, SpamHammer was born. With a dynamic array of winsocks, it'd allocate as many as the target server could handle, and repeat the voting that you'd "taught" it xxx times. It did well, to the order of a thousand or so per minute if the target could handle it. I must say, the pained expressions on the faces of the various people who were NOT in my wife's fan-group was worth every minute spent coding it, if only I could have seen them. An army of them would spend an hour pumping in a few thousand votes... I'd throw in 10k votes in the time it'd take to make a cup of coffee. It was a few years ago, but it was the type of user-torture that lasts a lifetime.
Eventually, the phishing scams came out. And the mortgage quotes were flowing in. And I got tired of all of them. And I remembered SpamHammer.
So, a LOT of searching of the old file-tree to find it, a little tweaking, and V2.0 was born. This new version supports everything needed to pump tons of crap into any site, POST or GET, cookies or not. I spared no feature - from random emails, random name permutations from the USCB, junk mailing addresses that'll pass a city/state/zip xref, random credit card numbers with proper checkdigits, and even stuff picked from lists (think of med sites). Mortgage quoters want leads? Here, have a million. Just don't bitch when the lenders refuse to pay for those leads. Phishers want accounts and passwords? No problem - with the added benefit of DOSing the target host. Free viagra? Oooo... I get wood just thinking about it... here, have a hundred thousand orders for random crap on your site.
I'm not sure why, but there's something satisfying about getting a "write failure: access denied" after pumping a few million POSTs into a site, consisting of every major field being 32K each. The only thing more satisfying is knowing that certain med-sites simply email the order to an in-box... here, have a big pile of 1Meg emails.
The cuda doesn't do outbound (aside from generating NDRs). It basically plays "man-in-the-middle" with inbounds from foreign hosts, only. Easiest setup is to add a new public A/PTR pair for the 'cuda, then point your MX at it. As the new MX propagates, traffic to the actual mailexch will dry up, etc, as outside hosts begin sending to the cuda, instead. Eventually you make your mailexch blackhole the entire planet, with the exception of any legit hosts who'd SMTP directly to it (including the 'cuda). This type of setup works great, as it involves no change to client configs, etc.
OTOH, if you suspect your userbase may be a source of spam that needs to be killed, you might want to hold off on any purchase - they're supposedly releasing a product that does both in and outbounds in the near future. By all means, evaluate the 300 though, but don't commit to it if you need outbound screening.
Think of it as a Windows install disk that's been badly scratched.
Because in order for MS to do this, they must *clearly* have bought a SmartCard Programmer...
Ah - but if the writer does get caught, they'll be set for life once they got out of jail. Adobe and California have already asserted that "breaking" ROT13 is a criminal offense... imagine the field day some scumbag lawyer would have with those who "hacked into" and "reversed" some jerk's obfuscated trojan.
:)
A good trojan that contained an embedded EULA, a trade-secret and a copyright notice would be funny as hell IMO... and I've not seen any exceptions in the DMCA where certain "IP Rights" are waived if the "IP" is evil. Besides - if there were such exceptions, there'd be noone who'd have paid for Windows in the past decade.
I have to wonder -
If someone, one way or another, effectively "salts the earth" and destroys your ability to grow crops - shouldn't that person go to jail and face damages?