Slashdot Mirror


User: McSpew

McSpew's activity in the archive.

Stories: 0
Comments: 249

Comments · 249

  1. It is? That's news to me on Spam Doubles, Finding New Ways to Deliver Itself · · Score: 1

    I know people like to rant about the "spam problem" a lot, but for all practical purposes, the problem has been largely solved for several years now.

    That's news to me. I work for a company that has about 700 employees. Up until a few weeks ago, we got nearly a million spams a day. For seven hundred people. Well over 97% of our inbound mail volume is spam, even now when the spam volume has fallen to about 300,000 messages a day.

    I was using Symantec's Mail Security for SMTP product with optional Brightmail anti-spam as an inbound mail gateway for AV and anti-spam, but even with two servers in two different states (one in the West, one in the Midwest), we couldn't keep up with the load. We tried all sorts of things, but ultimately, even though we were successfully filtering over 98% of our spam, the sheer volume of spam effectively became a DDOS attack on our mail gateways.

    We decided to move the spam-filtration to a third-party provider. We first tried a hosted service from a provider I won't name, but our spam loads were so crushing that we were actually asked by the product manager at the provider to point our MX records back to our own inadequate gateways. The poor bastard had to call me from his hotel in Sweden (in the middle of the night Sweden time), where he was on a business trip, to get me to aim the firehose somewhere else.

    Finally, we settled on MessageLabs. The logfiles on my mail gateways had been approaching 1GB per day (combined for two gateways) before I pointed my MX records at MessageLabs. Now, my logfiles are about 12MB a day (combined).

    So my spam problem is solved, right? Yes and no. Spam is no longer crushing my meager inbound mail infrastructure, but I'm paying close to $14k per year to get out from under the crushing spam load. So, yes, my spam problem is temporarily controlled, but it's a fantasy to say that means that spam is no longer a problem, or that the spam problem is solved. The spam problem is not solved, not by a longshot. Spammers are tricky scumbags, and they adapt. Email spam is still a huge problem and it's only getting worse, but the spammers have also moved into spIM and splogs, and who knows where else they'll go next? SpVOIP, anyone?

  2. 96% of my mail is spam on Aggressive Botnet Activities Behind Spam Increase · · Score: 1

    I've been inundated so heavily and for so long, I don't remember a time when I only got three spams out of every four emails. I recently tried outsourcing my anti-spam filtering to a third-party supplier. That supplier proxies the SMTP connections and closes them when it detects spam, as opposed to most outsourcers, who store-and-forward the messages.

    Because my mail gateways couldn't handle the crushing load of spam I was seeing, I'd hoped that this outsourcer would save me. I was wrong. It turned out that my inability to handle the load at my mail gateways ended up causing DDOS problems for the outsourcer.

    I got a call from the product manager who was in Sweden on a business trip, begging me to change my MX records back to my own gateways, because otherwise, his IT folks were going to shut me down in order to save themselves.

    I'm currently testing MessageLabs, and it's looking good so far. They're catching nearly a million spams a day for me.

  3. How about a PetaBox? on Building a Massive Single Volume Storage Solution? · · Score: 4, Interesting

    The folks at the Internet Archive have already done the hard work of figuring out how to create a petabyte storage system using commodity hardware. The system works so well they started a company to sell PetaBoxes to others. Why reinvent the wheel?

  4. Xen is not a competitor to VMWare on VMWare Inc. Releases Free Virtual Machine Runtime · · Score: 5, Interesting

    Sounds like they are feeling pressure from Xen and are trying to prevent the truly free OSS solution from gaining mindshare. They make a good product, but cost and closed source will limit them in the long run.

    Xen is not a competitor to VMWare, at least, not right now, it isn't. Xen requires the guest OS to be built with explicit support for Xen. VMWare doesn't require that. Xen can't run any build of Windows or NetWare, but VMWare can.

    It's clear that this product is a shot across Microsoft's bow. Ever since MS bought Connectix, they've been gunning for VMWare. Those who've tried both VirtualPC and VMWare Workstation have almost universally preferred VMWare Workstation (I haven't tried VirtualPC, but VMWare Workstation rocks), but VirtualPC is still cheaper than VMWare ($129 vs. $199). VMWare has also recently announced that it's hoping to standardize the virtual machine software industry around common VM file formats (VMWare's, of course). If, by using a free VMWare Player, they can get everybody else to adopt their VM formats, they'll have won that war before MS can even get into the battle.

    This doesn't really cannibalize sales of VMWare Workstation, even if others figure out how to create VMWare-compatible VMs from other applications, because those of us who use VMWare Workstation like all of its features (and there are lots). What it really does is seed the market for VMWare's real money makers--GSX Server and ESX Server. MS has nothing close to those products right now, and VMWare's hoping to permanently establish themselves as the market leaders before MS can get a comparable product on the market.

  5. MS is afraid of apps like Zimbra on Preview of New MSN Hotmail · · Score: 2

    Currently, MS's development process for hosted apps (MSN, Hotmail, MSN Search, etc.) is moving faster than for PC-based apps and OSes (Windows, Office, etc.).

    It's no secret that MS's product management are using the hosted apps as experiments to see in which direction to take their other applications. Go take a tour of the Zimbra email client and see if you don't think it's striking fear into the hearts of MS's Exchange/Outlook product managers. Zimbra's not just different--it's obviously superior. MS needs to use Hotmail as the crucible for testing new features that they hope to shoehorn into Exchange/OWA in the future. If they don't, somebody like Zimbra's going to come and take their market share away.

  6. Re:Virtual machines on Ultimate Software Developer Setup? · · Score: 1

    VMware works on Linux too!

    Yup, I knew that. I should have pointed that out, but I was just covering the free/open source bases with my reference to Xen. Thanks for clarifying that.

  7. Virtual machines on Ultimate Software Developer Setup? · · Score: 2, Insightful

    The one thing I'd count on for development is using virtual machines to host test different target platforms. If you'll be developing primarily for one platform/environment, you can still use VMs to simulate the different machines of the production environment for testing purposes--clients and servers.

    Personally, I like VMWare, but I'm in the Windows world. If you're going to be developing and distributing exclusively on and for Linux, you could use something like Xen.

    Regardless, I'm hooked on virtual machines, and highly recommend using them for your work.

  8. Three things drive/exploit new technologies on Pornified · · Score: 1

    Around 1994, an article appeared in Time or Newsweek or somesuch that posited that every major advancement in human communications was driven by and immediately exploited by three things:

    • Politics
    • Religion
    • Sex (erotica)

    Makes sense, doesn't it? What do people really care about? Today, we have other distractions, such as sports, celebrity gossip, etc., but overall, the investments necessary to develop and exploit new communications technologies come in the areas where people are most willing to pay, and those areas are sex, religion and politics. The Internet is no different.

  9. Re:VMWare is owned by EMC on VMware Opens Up API to Partners · · Score: 4, Informative

    EMC's acquisition of VMWare was all about getting into the server virtualization market. EMC could already virtualize storage, but the trend lately is for server consolidation. Instead of putting 8-10 1U servers in a rack, you can put an 8-way 7U box in a rack and run 8-10 virtual servers on it. Now imagine having a rack full of 8-way servers emulating an entire server farm of 1U machines.

    VMWare's server virtualization stuff allows you to move a virtual server from one physical server to another while the VM is running. This is potent stuff. Couple virtualized servers with virtualized storage and you have a powerful argument for EMC's SANs in more datacenters.

  10. Another Question Missing from the FAQ on Update on the Optimus Keyboard · · Score: 1

    Q: What will the keyboard be called in the US when Radio Shack slaps you for using their "Optimus" trademark?

  11. Re:How to kill Debian on Debian Upgrade May Cause Serious Breakage · · Score: 1, Offtopic

    Downgrade the troll above, please.

    Please do elaborate. How exactly was I trolling? I was speaking out of frustration as a Debian user, not as some asshat who likes to flame Debian. You, on the other hand, simply painted me as a troll, but couldn't be bothered to debunk any misconceptions you believe I'm propagating.

  12. How to kill Debian on Debian Upgrade May Cause Serious Breakage · · Score: 0, Flamebait

    How to kill Debian in five ("Three, sir!") easy steps:

    • Take freaking forever to freeze a release.
    • Take freaking forever to ship after freezing.
    • Ship a broken upgrade even after all the damn testing.

    Seriously, WTF? I like Debian, but those folks need to get their heads out of their asses. They need to stop wasting time trying to officially support the two dozen or so architectures nobody gives a damn about, stop engaging in wars about whether non-free belongs in Debian, and concentrate on releasing something that's reasonably current and also supported by security updates. Oh, and it would be nice if doing an 'apt-get dist-upgrade' didn't break things.

  13. NASA has always been a separate civilian agency: on Lockheed Martin unveils Space Shuttle replacement · · Score: 4, Informative

    Further, NASA was a part of the United States Air Force at the time, not a separate entity with its own (very limited) budget.

    Erm, what?!?

    NASA has always been a separate, civilian agency. It grew out of the old National Advisory Committee for Aeronautics (NACA), itself a civilian organization.

    The Air Force did have its own space program during the late 1950s and early 1960s (around the same time as the creation of NASA), which centered around the X-20 Dyna-Soar and the Manned Orbiting Laboratory. The USAF even built an astronaut school at Edwards Air Force Base, and Chuck Yeager was the commandant. However, that whole program lost steam in the mid 1960s and was abandoned by 1969. This led the USAF to send its best remaining astronaut pilots to NASA, and convert the school into a test pilot school.

    Even so, many of the most famous astronauts from the Apollo days were not USAF pilots. Neil Armstrong was a civilian (he worked for NACA in the X-15 program), and Buzz Aldrin, Jim Lovell and Alan Shepard were US Navy pilots.

    The difference between then and now, in terms of budgets is this: First, the entire nation was deathly afraid of the Red Menace and national pride was on the line (nobody wanted to go to sleep by the light of a Commie moon); Second, a very charismatic US President had staked his legacy on the US getting to the moon before the end of the 1960s (this at a time when the US had only put one man in space, and briefly, at that) before being assassinated and leaving the entire nation in shock.

    Congress voted big dollars to the space program because it helped fight the blasted Commies, and because Lyndon Johnson, among others, helped spread the pork to important states (California, Texas, Missouri, New York, Florida, etc.). It also helped the nation pay its final respects to JFK. By the early 1970s, however, Americans began to question the investment in the space program, regularly saying things such as, "I don't think it makes sense to spend so much money to send people to the moon when we have so many problems here on Earth that we need to deal with first, such as hunger, pollution, disease, poverty, etc."

    You made some valid points in the rest of your piece, but your glaring fallacy about NASA's status kind of undermines your credibility, don'tcha think?

  14. Re:To be fair.... on Firefox Breaks 50,000,000 Barrier · · Score: 1

    I have downloaded firefox like 30 times. Due to installs, re-installs, upgrades, downgrades, and just for the hell of it, it mounts up.

    Agreed. Let's assume that everybody who downloaded Firefox 1.0 also had to download 1.0.1, 1.0.2, and 1.0.3. From that alone, you now have four times as many downloads as you had from 1.0 alone.

    At home, I have Firefox on three PCs. My wife and I each have a desktop, and we share a laptop I bought from my work when it reached the end of its useful work life. Plus, I use Firefox on my current work laptop. So, for 2 people, that's four machines with four downloads each just since Firefox 1.0 shipped. If we're anywhere near typical, then it means that Firefox downloads have been exaggerated by at least a factor of 4.

  15. IE's a horrible piece of crap on Converting Users to Open Source- Why Do You Care? · · Score: 1

    I also remind them that there are some pages IE was not displaying correctly either

    I ditched IE as my primary browser permanently when I discovered MSNBC's website rendered better in Mozilla than in IE 6. I switched from Mozilla to Firefox (while it was still called Firebird) when Mozilla's default behavior changed (loading a folder of bookmarks now replaces existing open tabs by default), and I found it was easier to override that behavior in Firefox than in Mozilla. Now I'm a full-on Firefox convert, baby.

    Never mind proper support for CSS or transparent PNGs, IE can't even render goddamned tables properly. I was doing page layout for my personal website in FrontPage 2000 (I know, ICK!) and noticed that in layout mode, everything looked fine, but in "preview" mode (which uses IE as the rendering engine) and in IE 6 itself, the column widths were screwed up. Viewing the page in Firefox and Mozilla, the column widths looked fine. Microsoft's browser can't even properly render pages generated in the WYSIWYG view of its own HTML editor.

  16. VMware Rocks! on Microsoft to Support Linux in Virtual Server · · Score: 1

    I just ordered the upgrades for my ancient VMWare Workstation 3.2 licenses to go to version 5. I'm getting antsy waiting for my licenses to arrive.

    VMWare is staying ahead of MS in terms of technology. Version 5 of VMWare Workstation allows "teaming" of virtual machines from different physical computers into a single cohesive test network. I can't wait to try it.

  17. Re:SANS vs. the rest of the security community. on DNS Cache Poisoning Spreads Malware · · Score: 1

    I was forwarding to a server that was the source of my problem, as the articles at ISC now show. BIND v8, used by my ISP, isn't vulnerable to poisoning, but it does pass poisoned entries to servers that forward to it. Since Windows DNS trusts servers to which it forwards, it gets poisoned by the junk passed down from BIND 8.

    There are two parts to this problem, and without both of them, this issue never would have arisen. The first is Microsoft's decision to ignore DNS cache security settings when forwarding. The second is BIND 8's decision not to scrub data it sends to servers that forward to it. Take either of those items out of this equation, and the problem I encountered can't happen.

    I called my ISP, and they were most unsympathetic. At first, they denied having any role to play because it's a Windows problem and they don't run Windows. When I finally got them to understand, they said, "Well, you shouldn't be forwarding to us in the first place. Use the root servers. Duh!"

    Okay, they weren't quite that dismissive. They didn't actually say, "Duh!" But the rest of it was pretty much what I was told. So I've turned off forwarding. I'm not so sure I'm going to stay with my ISP in the future, based on this nonsense.

  18. Re:From the Internet storm-in-a-teacup dept... on DNS Cache Poisoning Update · · Score: 1

    So, zero action is required by Windows DNS admins, unless for some reason they are running Win2k pre-SP3, or NT4. Even with these older versions of the OS, a single setting change secures the box from DNS poisoning.

    Except, as has been pointed out in TFA, when you forward to another DNS server. In that case, Windows ignores your security settings and believes everything it hears from the server it's forwarding to. BIND 4 and 8 pass poisoned entries to servers that forward to them. Since Windows ignores its own security settings in that scenario, it happily accepts the poison. No amount of clue can prevent this problem if your Windows DNS forwards to another server that gets poisoned or doesn't bother to scrub poison before passing it on.

  19. Re:From the Internet storm-in-a-teacup dept... on DNS Cache Poisoning Update · · Score: 1

    In other words, many or most 2000 installations should be secure against pollution if their admins possess the slightest clue.

    You've forgotten an important point, here. Windows DNS servers implicitly trust any servers they forward to, regardless of the "secure cache from pollution" setting. That's not good. Also, until this little brouhaha got enough attention from ISC, MS's KB articles were inaccurate and misleading.

    You're also wrong about BIND. BIND 4/8 aren't vulnerable to DNS cache poisoning. They correctly ignore attempts to poison their caches. Unfortunately, they don't bother to scrub the poison when they pass that information on to servers that forward to them.

    It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding its requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!

    Well, it's not as obscure as you'd think. My ISP (AT&T) runs BIND 8, and I had my otherwise-properly-secured Windows DNS servers set to forward to AT&T's DNS servers in order to improve performance and reduce unnecessary traffic. When I finally got ahold of AT&T (after ISC's update about the BIND/Windows connection) and verified they were running BIND 8, I was told I should stop forwarding to AT&T and use the root servers. They were almost indignant that I had been forwarding to them. I stopped forwarding, but I wasn't too thrilled with AT&T's attitude--it leads me to suspect they have no plans either to upgrade to a newer build of BIND or to warn other customers that forwarding to AT&T's DNS from Windows is a Bad Idea.

    Now, I'm not too sure about you, but in my book, AT&T is a pretty big ISP and they've probably got more than a few customers running Windows DNS and forwarding to AT&T's servers. Maybe none of them are Cybertrust customers, but I'd suspect it's a decent-sized chunk of people, even if it is a small percentage of the companies connected to the Internet.

  20. Re:SANS vs. the rest of the security community. on DNS Cache Poisoning Spreads Malware · · Score: 1

    You probably would have been better off sending your findings to handlers@sans.org

    I did. They responded by posting that Win2k SP3+ was supposedly immune but that people with that configuration were reporting the poisoning.

    Today's ISC update from SANS indicates they're closing in on the root cause. Apparently, MS DNS servers implicitly trust servers to which they forward. BIND 4 and BIND 8 don't scrub poisoning information when they respond to a forwarding server. DJBDNS and BIND 9 do scrub the data.

  21. Re:SANS vs. the rest of the security community. on DNS Cache Poisoning Spreads Malware · · Score: 3, Informative

    So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.

    Ah, but here's the rub: It's not fixed by a simple registry edit. Win2k SP3 and SP4 are "secure" by default. I'm running Win2k SP3 and SP4, and I was bitten by this. The MS articles I initially found about cache poisoning didn't mention that SP3 and SP4 are secured by default, so I went and inserted the registry setting and restarted my DNS servers. The next day, the poisoning was back. That was when I discovered that SP3 and SP4 are secured by default, and that was when I realized that this problem is more serious than most people realize.

    I tried to publicize what I'd learned on Friday. I submitted the story to Slashdot, where it was rejected because it wasn't an April Fool's prank. I submitted it to Russ Cooper's NTBugTraq, where it disappeared into the ether. Imagine my consternation when Russ Cooper was quoted in today's Washington Post security blog saying that nobody was seeing it. I wrote to Russ immediately after seeing that quote and assured him that I was seeing it and I had posted to his list, but the post had not been approved by him.

    I'm pissed off because very few people are taking this seriously and well-meaning people such as yourself are dismissing it as a minor vulnerability that's easily remedied with a registry edit. This attack is not remedied by inserting a registry entry and restarting the server--it affects servers that are supposed to be immune.

  22. Re:Funny How Easy this is to prevent on DNS Cache Poisoning Spreads Malware · · Score: 1

    How so?

    I don't know how it's possible, and that's why I'm so frustrated that this story hasn't gotten wider traction by now. I'm running at least Win2k SP3 on all my DNS servers, and I've verified that the "prevent DNS cache pollution" setting is enabled, but I started seeing DNS cache poisoning last Thursday nonetheless. It continued on Friday until we blocked the offending poisoning-servers at our routers.

    If everybody ignores this issue, then good luck holding Microsoft's feet to the fire about it.

  23. Re:Funny How Easy this is to prevent on DNS Cache Poisoning Spreads Malware · · Score: 4, Informative

    Damn, if only I had checked the "turn on security" box!!

    From MSFT (http://support.microsoft.com/kb/241352/EN-US/)

    How very wrong you are.

    Win2k DNS automatically turns on "secure cache against pollution" in SP3+. Read about it at http://support.microsoft.com/kb/316786/EN-US/. Specifically, you're looking for this quote:

    DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later.

    Win2k DNS servers with this feature turned on are STILL vulnerable. I know because my DNS servers are configured this way and I began to suffer from the DNS poisoning on Thursday of last week. It took me until Friday to get a real handle on what was happening. Slashdot ignored my submission of this story back then. They were too busy jerking around with April Fool's stories.

  24. Re:it's all in the taxes on Is Leasing Really Worth It? · · Score: 2

    You've got a few misconceptions here.

    First, it depends on the equipment. In the heyday of leasing, the IRS did assign ludicrously-long depreciation schedules for computer assets, but that's no longer a problem. It's possible to depreciate most computer equipment over 3 or 5 years (depending on whether it's a desktop/laptop or a server), IIRC.

    Second, those leases that have a $1 buyout at the end aren't "true" leases, and so they don't qualify as such for tax purposes. "True" leases mean the option to buy at the end of the lease is at fair market value, not a predetermined price.

    Tax laws being what they are (messy, variegated and variable), there is no blanket answer to this question. Only the CFO and the tax accountants/attorneys for any given company can decide whether buying or leasing makes the most sense.

  25. DirecTV's DVR is still vaporware on The Rocky TiVo-DirecTV Relationship · · Score: 1

    DirecTV is coming out with their own DVR that will be some kind of home entertainment thing.

    Let's keep in mind that DirecTV has only announced a DVR system (to be built by News Corp subsidiary and fellow Murdoch-empire-stablemate NDS), but hasn't yet delivered a product, and the ship date continues to slip. It'll be interesting to see what they come up with, but if the current level of competition is any indication, TiVo will still have a superior UI and more robust scheduling system.