Maybe the Russian gentleman should have told us also about the more inventive Soviet strategies employed to break the Afghan spirit: dropping colorful plastic toy mines in the form of little dinosaurs and cars, designed to blow off the hands of (but not kill) children.
Heard this story before in the 80's (and believed in it too), though the dinosaur shape is a new variation of the theme.
However, the story, as told, is extremely unlikely to be true, and probably is a mixture of propaganda, myth and misunderstandings (common in wars and urban legends).
Now, the realities in the myth may not differ that much from the "truth";
The point was that USSR forces would air-deploy 1000's of anti-personnel mines, to restrict and interdict rebel movements. These AP-mines ("Butterfly mines") had small "wings" on them, to reduce impact speed.
This AP-mine tactic was very common practice at the time. They were not designed to kill/mutilate children, but kids too would be victims of them (something called "collateral damage" by armies worldwide). Read more on butterfly mines here:
http://www.unicef.org/graca/mines.htm
And do read something about the banning of AP-mines (something I consider a very good thing).
Also note that in this story, he tells about seeing a child with a missing foot (could be an AP-mine) getting into a USSR chopper for later operation, but that he himself "knew" that the child wouldn't survive, and how this would just generate more rebels. So this "Russian gentleman" actually _does_ tell exactly how it was.
But then you go on to detail how many ways it is inadequate. NAT was not invented to solve a security problem, it was invented to solve a connectivity problem. By design, NAT enables communication where it was otherwise not possible. This is the opposite of what a firewall does.
Repeat after me: NAT is not a security technology, NAT is not a security technology, NAT is not a security technology. Repeat it until you believe it. It's the truth.
I know, but since most small companies on xDSL/ISDN lines don't get (or need) public IPs for all the client PCs, NAT is a pretty common fact. And NAT does give some kind of protection, and is easy to understand and implement.
Note that I don't think NAT is a firewall substitute; my gripe was actually against those who think so, and rely on their e.g. xDSL router's NAT and packet filtering abilities, while negating those security benefits by portforwarding to servers on the LAN side.
A book could have been written on "Lessons learned by Code Red", but it wasn't, so here are some really random thoughts:
Network design:
The new, but simple attack strategy of hitting neighbour IP addresses should be a wake-up call for all, since this allows for very rapid infections of LAN/IP segments.
Correct me if I am wrong, but wouldn't it be fair to say that for Code Red to infect the LAN side, the network (and firewall) is fundamentally designed wrong? Why should a webserver on the public internet be allowed to issue GETs through the firewall, to the LAN side?
E.g. a company has a public webserver (host A), and a LAN-side server (host B). Of course they have set up their firewall so that host B can't be reached directly from the Internet. But for some reason (people often cite convenience), they make it possible for all kinds of traffic to reach host B, as long as it originates from host A.
Patching:
People often say: "Just patch, and you will be safe". But patching is just the first line of defence.
Some day, a Code Red style worm will come, exploiting an unknown flaw, perhaps even a flaw that is not easily patched like a "standard" buffer overflow. The speed of such an infection could be overwhelming, with perhaps 100.000's of hosts infected per day, and worse, since the infection algorithm seems to be very effective in getting inside LANs, the problem may reach infocalyptic proportions.
My point is that a secure network _design_ with defence in depth is a necessity, and may stop the infection on the Internet-side.
Perhaps "network plurality" may be something; e.g. if one is running MS web-servers, then deploy a Linux/*BSD firewall.
Finally, the LAN side seems very vulnerable now. Sysadmins now face the overwhelming, Sisyphean task of patching, upgrading, and locking the LAN-side, as tight as if it were on the public Internet. That just won't happen.
Further ranting on patching: Why do (some) vendors mix security fixes, and non-security, non-critical bug-fixes, and, worst of all, "enhancements" in the same patch? (Are you listening, MS?)
No wonder SysAdmins are hesitant to patch LAN side production servers when the patch is more than 50Mbyte.
They must wonder whether their systems may BSOD on the spot. (How many times was MS-SP 6 pulled, before it reemerged as SP 6a, twice?). Or do all the new "enhancements" or bugfixes break "company-wide-important-app"?
And speaking of "defence in depth"
Not many networks seem to be secured that way, or monitored at all by e.g. IDS's. Yeah, money seemed to be spent on "surf-blocking", or monitoring employees' mail for four letter words, and badmouthing of the boss.
From my reading of usenet and weblogs on Code Red, it seems that most people discovered it, since their MS-NT 4.0 servers crashed more than usual, or that their managed switches, and IP-printers locked up.
I am no better than the most, I am still reading up on Tripwire and Snort.
NAT
I like NAT/Masquerading etc. It really can give eg. a company good LAN side security.
But NAT gives rather less protection if portforwarding is used; e.g. a small company buys an xDSL connection, and is issued a small router that does firewalling and NAT. So they make portforwarding to p:80, and close everything else. But Code Red style worms just thrive on such a setup; it is handily portforwarded into the LAN side, and will spread real fast once inside.
And NAT and firewalling don't help at all if the worm is multi-vectoring through mail and web browsers:
e.g. the first infection is by mail. The trojan then watches where people surf, and tries to infect those sites.
If successful, the trojaned machine deploys a payload on the website that further infects all vulnerable web browsers visiting the site.
On infected machines.
Every attacking machine is announcing to the world that it is infected. (A clever fellow slashdotter wrote a piece on this, but I can't find the link now)
Further, more malicious attacks may be instigated on the affected machines. And these second-wave attacks may not appear in any logs, they may even be impossible for any IDS to detect.
And speaking of IDS's; how many actually monitor traffic going out from the network, especially through port 80?
People may have gotten by, by just removing the actual trojan until now. Perhaps this time too, but next time it is likely that all the script kiddies in the world seize the opportunity to mass infect the infected machines with new and improved root-kits.
Imagine a DDoS from a skript kiddie, controlling 50.000 machines residing all around the globe. Good luck filtering that out on the router, or even your upstream provider's router.
Or even worse, a skript kiddie with a clue, a personal grudge against your company, and having a root-kit on your LAN.
And more; it seems like a lot of Code Red attack machines were W2k Pro's with accidentally installed web-servers.
Now, the fools with unpatched boxes and xDSL lines are hard to do anything about, but it also seems that a lot of accidental web-servers were found on company/campus LANs. Mapping and scanning the LAN, and dealing with those kinds of web-servers, should become a standard practice.
VPN's:
VPNs are often labelled as something that enhances security, but as others point out, they are actually the exact opposite, since they dig a deep hole in the firewall, into the corporate LAN. Good encryption and authentication by VPNs doesn't help if Mr. Traveling Salesman is trojaning a worm when he connects to the LAN through his laptop.
In short, we must all rethink our network design and security. Firewall and IDS on the inside LAN. Lock and patch the LAN, as if it were on the public Internet. Use e.g. "port mirroring" on the core switch to a "silent" monitor box.
Run network scanners like nessus (www.nessus.org) and nmap on all LAN clients and hosts, so "forgotten" machines are discovered, and accidentally installed web-servers are discovered.
Harden hosts with tripwire/md5sum, so even if a host is infected, root-kits may be detected.
Twice this morning I've had to power cycle an HP JetDirect, something I've NEVER had to do before... is this related, or just coincidence?
An awful amount of equipment with embedded webservers was affected by Code Red*, including (some/all?) HP JetDirect printservers, but also all kinds of managed switches and routers.
Usually because a small memory leak would occur for every GET; enough GETs in a row, and the system will lock up, until powercycled.
Of course, other problems may lie behind the lockups of your equipment. But since the HP JetDirect in question probably is on the LAN side, you may have infected machines behind your firewall.
I have heard that it is more cost effective to wound an enemy than to kill them. Takes more resources to heal someone than to bury or cremate the body. So enemy must expend resources to help wounded. And if they don't help their wounded, could demoralize the remaining healthy troops.
A couple of friends of mine (historians) interviewed a dozen Waffen SS soldiers (mostly from Frikorps Danmark, Div. LAH, Nordland). Only one of these had escaped being wounded, and that was considered a freak thing, by himself and others. Most of the rest had been wounded 2 or 3 times.
Looking through thousands of service records, their conclusion was that it was not unlikely to receive several, sometimes very serious wounds, and return to service again.
The Germans, like the US, had good assembly line style field hospitals. Once a wounded soldier had reached one, their survival chance would be good. While caring for wounded soldiers may take some resources, I don't think that it really matters much, e.g. a lot of trains and lorries driving back from the frontline are empty, so loading them with wounded is hardly a logistical strain.
Most important; a veteran soldier is a precious commodity, the logistical strain of sending him back front and patching him up, is probably less than training a new soldier.
All in all, I consider the above statement untrue.
On the topic;
Last summer I visited a wood clearing, where German small and medium arms ammo had been disposed of after the war. It had been a rush job; deep holes had been dug, and loads of ammo dumped into them, then (way too small) charges had been detonated.
The result was that the area was littered with all kinds of ammo; 9mm parabellums, every size and color of 7.62mm, Sturmgewehr bullets, Russian 12.7mm MG, standard 20mm AA shells, and all kinds of freakish sized Luftwaffe ammo, in the 20mm range.
A striking thing was that the holes, after more than 55 years, were pitch black. Not a single blade of grass was growing in or around them. Probably because of all the tracer/phosphor rounds?
In Eastern Europe and the former USSR, you can still find WWII battlefields in desolated areas, where cases of Nebelwerfer, AT, and MG ammo, rusted rifles and machineguns are littered among the trenches. Scratch the earth, and you will find the bones of unknown dead soldiers, some hastily buried and forgotten, others simply just forgotten where they fell.
The straits around my country (Denmark) are littered with hundreds of thousands of tons of chemical rounds, usually mustard gas, but I believe that every kind of German gas ammo was dumped into the sea, including nerve gas like Tabun and Sarin. A nasty thing. It is fairly common that fishers catch a corroded, sick-yellow lump of mustard gas rounds in their nets.
The western coast of Denmark was part of the Atlantic Wall. Besides building thousands of concrete bunkers, the German army laid more than 1.4 million mines, and that on a coast less than 170 miles long. It took decades to clear (and cost a lot of lives), and still, in some remote areas, it is not unusual to find a German Teller AT-mine in the sand dunes after an autumn storm.
War is a messy affair in more than one way.
No matter what, after a while, peace will follow war, and people will have to deal with results for a long time. Anything to lessen the burden for the survivors, is IMHO, a good thing.
I've had to reboot my cable modem recently every night to restore connectivity. My ISP just sent out an email saying the CISCO cable modem that I'm using is being hammered by Code Red.
Here's the quote: "With the Cisco 67x series, as well as HP print servers, 3Com switches, and almost all other embedded web server applications, the worm causes a buffer overrun which causes the device to lock up."
Is this really true? It seems pretty unlikely that almost all embedded web server applications have a buffer overrun. It seems possible that a few devices do.
Anybody have more info?
Well, Cisco has put out an advisory for 'unpatched' 6xx DSL modems.
see:
http://www.cert.org/advisories/CA-2001-19.html
However, the Cisco problems are not the same as the MS buffer overflow, but are triggered by the CR scanning nevertheless.
I have seen several mentions of other types of equipment that seem to react badly to CR scanning. Probably because it is "easy" to give a piece of equipment an IP address and a web-server for remote management. But most of this equipment was designed to operate inside a nice and friendly LAN, serving well-formed requests. Of course, not all embedded web servers suffer under the CR scanning, and those that do are probably affected by reboot-requiring memory leaks, caused by high load.
The scary truth probably is that security, as usual, wasn't high on the list when all those devices were designed.
Security is hard to design and maintain, but also hard to sell to customers.
Sites running transparent proxies (from MS-proxy, MS-ISA?, Cisco, Squid, etc.) may experience severe resource depletion if infected. See http://archives.neohapsis.com/archives/bugtraq/2001-08/0078.html
Other products using "embedded" MS IIS are affected too.
What is thought-provoking about CRII is its spreading algorithm, favoring IP addresses close to the infected host. This is of course much more efficient than random numbers, but also seems to make it easier for it to infect hosts _inside a LAN_ on "misconfigured" networks:
Host A on the inside LAN/DMZ cannot be reached directly from the Internet, but it "trusts" Host B, on the hostile Internet. So when Host B is infected, Host A gets it too, and starts spreading the infection deep into the LAN.
And in my experience, hosts and equipment inside the LAN are rarely patched and tied down with the same vigour as Internet hosts.
It is of course bad network design that allows this to happen, but a lot of sites are nevertheless configured that way, because it makes things easier.
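The outbound check asked about in the Code Red comments above (who monitors traffic leaving the network on port 80?), combined with the worm's preference for addresses close to the infected host, as an added example that is not part of the original comments. The flow-record layout, the 10.20.0.0/16 LAN range, the thresholds, the use of a shared /8 or /16 as the meaning of "close", and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Everything below is constructed for illustration: the LAN range, the record
# layout (ts, src, dst, dport, answered) and the thresholds are assumptions.
INTERNAL = ip_network("10.20.0.0/16")
WINDOW = 60          # seconds per counting bucket
MIN_FANOUT = 20      # distinct port-80 destinations per bucket
MIN_NEAR = 0.5       # share of destinations inside the source's own /8
MAX_ANSWERED = 0.3   # share of connection attempts that got a reply


def shares_prefix(a, b, bits):
    """True when two IPv4 addresses agree on their first `bits` bits."""
    shift = 32 - bits
    return int(a) >> shift == int(b) >> shift


def find_scanners(flows, use_locality=True):
    """Return {(src, bucket_start): stats} for internal hosts that fan out on port 80.

    With use_locality=False only the fan-out count is applied, which also
    catches a busy proxy; the locality and answer-rate tests separate the two.
    """
    buckets = defaultdict(lambda: {"dsts": set(), "answered": 0, "total": 0})
    for ts, src, dst, dport, answered in flows:
        if dport != 80 or ip_address(src) not in INTERNAL:
            continue  # only outbound web traffic from the LAN is of interest
        bucket = buckets[(src, ts - ts % WINDOW)]
        bucket["dsts"].add(dst)
        bucket["total"] += 1
        bucket["answered"] += 1 if answered else 0

    hits = {}
    for (src, start), bucket in buckets.items():
        fanout = len(bucket["dsts"])
        if fanout < MIN_FANOUT:
            continue
        src_ip = ip_address(src)
        dsts = [ip_address(d) for d in bucket["dsts"]]
        stats = {
            "fanout": fanout,
            "near8": sum(shares_prefix(src_ip, d, 8) for d in dsts) / fanout,
            "near16": sum(shares_prefix(src_ip, d, 16) for d in dsts) / fanout,
            "answered": bucket["answered"] / bucket["total"],
        }
        if use_locality and (stats["near8"] < MIN_NEAR
                             or stats["answered"] > MAX_ANSWERED):
            continue  # wide fan-out, but not the nearby, unanswered pattern
        hits[(src, start)] = stats
    return hits


def sample_flows():
    """Constructed flow records: one scanning host, one proxy, one workstation."""
    flows = []
    scan_targets = (
        [f"10.20.{i}.{i + 1}" for i in range(20)]      # same /16 as the source
        + [f"10.{30 + i}.1.1" for i in range(12)]      # same /8, other /16
        + [f"198.51.100.{i + 1}" for i in range(8)]    # elsewhere
    )
    for k, dst in enumerate(scan_targets):
        flows.append((k, "10.20.3.7", dst, 80, k % 10 == 0))  # mostly unanswered
    for k in range(40):
        flows.append((k, "10.20.0.10", f"203.0.113.{k + 1}", 80, True))  # proxy
    for k in range(3):
        flows.append((k, "10.20.3.9", "198.51.100.200", 80, True))  # workstation
    flows.append((5, "10.20.3.9", "10.20.0.25", 25, True))  # not port 80, ignored
    return flows


if __name__ == "__main__":
    for (src, start), stats in sorted(find_scanners(sample_flows()).items()):
        print(src, start, stats)
```

A fan-out count alone flags the proxy as well as the scanning host; requiring mostly nearby, mostly unanswered destinations leaves only the host that behaves like the worm.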
Oh yes, it's all SQL Server's fault. It's got nothing to do with the implementers being inept. Hell, the Russians are normally so good at developing things, just look at the fine work they did for the ISS.
It is inconsequential that hundreds of thousands of other sites seem to run SQL Server 6.5, 7.0, and 2000 just fine.
Well, first of all, the bugs discovered by the Kurchatov Institute do actually exist, and are acknowledged as such by Microsoft (see the mail from the MS engineer). Note the bugs are bugs within MS SQL Server, not in the implementation of the DB. So 'Oh yes, it's all SQL Server's fault.'
I don't care to check whether the problems are fixed by now, but I guess they are, though probably not for MS SQL 6.5. (read the text)
So every MS SQL server not patched has the potential to be bitten by these bugs.
A nice quote from the text:
...I am not going to resolve MS SQL problems by playing around data formats which means a complete redesign of KI-MACS application software core (over 5 Mb of source code in Transact SQL). By the way, I was astonished to learn that MS staff is seriously proposing such stupid advises as change of data formats to avoid MS SQL Server SYSTEM problems.
Is it MS style of conducting business? If so, we have to be prepared to deal with permanent troubles for the rest of our life.
I saw a pretty interesting program on TV a while ago, and have since been reading up on it a bit. According to a growing group of scientists, the real reason for the ups and downs of the earth temperature that we are observing are in fact caused by solar activity! It is a very sound theory, though pretty new. What scientists like about this theory is that it is simple but gives strong predictions.
The group of scientists which did the research wasn't specifically interested in explaining global warming, but rather finding an explanation for recurring trends in historical weather patterns.
So they applied a lot of historical data to this theory, and so far the results have been very good.
It does look like this new theory, combined with traditional weather models, does explain historical weather data very, very well.
When the scientists published their study, their data seemed to exclude that man-made activities played any great role in the weather system. (Their theory could, within some margins, 'predict' historical weather)
But here is the point: When the scientists published their study, they had only applied historical weather data up until 1972.
When they started to apply more recent weather data, something changed; their theory could no longer, within the margins, explain the more recent historical weather data anymore. (Their theory, as I understand it, would still give better 'predictions' than traditional weather models without their theory.)
So the "solar activity" theory as it stands now actually seems to give a very strong indication that global warming does exist. It also hints that the global warming is man made, since it is very good at explaining weather up until the last 30 years.
People often state that the recent high temperature measurements could be a natural cycle like earth so often has been going through before. In itself a reasonable statement. But cycles are cycles because something cyclical, and therefore predictable, occurs. So far science has become better and better at finding these cycles (solar activity being last). But no good scientific explanation exists for which, and what kind of, weather cycle earth is experiencing right now.
Something on solar activity and global warming:
http://www.giss.nasa.gov/research/intro/shindell.03/
Here's what I use: [snip]...3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120)...
Hm. This method is quite common, but perhaps not so secure. Banks in my country have issued warnings about using this method for storing PIN codes for ATM cards, since "all" pickpockets seem to know this scheme, and therefore scan all dayplanners for "fishy" name and number entries. Apparently quite a few bank accounts have been emptied this way.
Another problem with this scheme is, that it is "easy" to verify what is real names and telephone numbers.
Only one digit actually.. I screwed up with the $2000. According to the paper which I originally got the figure from, it was $13,000. That's still not too bad.
13.000$ for a single V-2, even in 1944 currency, wouldn't cut it. The V-2 (A-4) rocket program was by far the largest project of all German rocket projects. There is no way that 13.000 US 1944 dollars per V-2 could pay the actual costs of the V-2 rocket project.
[snip] it's also interesting to note that the V2 weighed 13,000 Kg at launch time. Given a 1000 Kg warhead, The V2 could put a package up 40 miles, at 1/10th orbital velocity (16,500 mph I believe) So basically, the Nazis spent about $13 for each Kg of explosives they lobbed over the English Channel.
The monetary figures are wrong, but cost was not the only thing wrong with the German rocket project, since it drew valuable resources (materials, manpower and research) away from war production. Consider this; the German army had been losing more trucks than it got since 1939. The result was that the Wehrmacht demodernized its army in 1941, to a walking and horse-drawn army (only 10% was mechanized).
I am not saying that the rocket project was to blame for all of that, but..
And consider how little the rocket projects gained: VT-fuses, Tempest fighters, and radar did that, perhaps only 2-4% of all V-1's ever reached England at the end of the campaign.
The V-2 had a puny payload of 1 ton; B-17's and B-24's would routinely carry 6x as much, and the Lancaster could carry up till 12x as much. And allied bombers at least had a chance to hit anything of importance, unlike the unguided V-2's, which were fired in the general direction of southern England, hoping to hit something else than a wheat field. A "strategy" that accomplished nothing.
The German rocket project got way out of control, which was a fairly typical thing for projects for the Third Reich's disorganized, corrupt, confused, inefficient, lack-of-foresight way of handling things.
To make a point here, economies of scale apply to rocket launches too. The volume of launches is what drives down costs.
Yes, of course. Satellite launches have become cheaper thereby. But first one needs huge investments and lots of expensive research. And chemical orbital rockets will never be _very_ cheap, just cheaper than outrageously expensive.
Space travel is not exotic. It shouldn't have to be so expensive that only multinationals and major governments can afford it. Rocket fuel costs about as much as milk. The suborbital V2-rocket produced by the Germans during WW2 only cost about 2000$ each.
2000$? Your sources for that must have missed a couple of digits there, even when considering that the SS provided cheap slave labour to assemble the V-2 (A-4) rockets in the underground kz-camps.
In fact, western scientists made a postwar estimate that the German rocket project was more expensive than the "Manhattan" project (US-GB effort to develop the a-bomb), a project which by all standards was an expensive one.
The German "rocket" project (V-1, V-2, Wasserfall, ME-163 etc) was a massive and spectacular failure, but it probably helped shorten the war by some months, since its huge, resource-draining efforts sucked valuable resources from the Wehrmacht and Luftwaffe.
(a long rant)
I think you don't understand what it is all about, and why people like me are really, really worried about the direction the entire IT section is headed.
First, Microsoft's total software domination is an extreme case study in "market failure".
MS has no competition whatsoever in the markets they choose to dominate. (Sure, there are a few players around that MS hasn't killed yet, but they will be killed in the end, just like the others.)
Normally, in a free market, the consumer has some choices to choose between. If something sucks, they vote with their feet (and pocket).
But with computer software, that has not been an option for a long time. I am not talking about the tech-savvy Slashdotter here, but average home computer users, and foremost, businesses.
They are so deeply entrenched in MS software that no matter what, they don't have a choice anymore. Other software producing companies (and soon hardware companies) haven't had a choice for years; they either humbly submit to MS or get destroyed.
In short, Microsoft is a monopoly that can do things with impunity, since it is more or less impossible for the consumer to choose anything else than MS products.
Not even prices on software are a factor anymore; Corel WordPerfect suite 2002 may be better, faster, and much much cheaper than MS-office 2000, but will that mean that it even qualifies as an unserious competitor to MS-Office? No. Even small businesses, or home owners, either warez a copy of MS-office, or pay the full price of it, rather than using a cheaper (and perhaps better) alternative.
As long as Microsoft remains a monopoly, no new software companies producing software even remotely competing with MS will ever get to survive. They will either be bought (not in itself a bad thing, but since MS is a monopoly.. Ex. Foxbase), or MS will buy all the developers (I strongly suspect that a lot of the wizz-kids working for MS R&D are hired not so much for what they do for MS, but for what they now don't do for others), or directly sabotaged (Quarterdeck (qemm, Stacker)), or threatened to submission (Symantec), by locking them out of crucial info, or simply by FUD, "integration" and embrace and extend.
All software companies live on the mercy of MS. Adobe, Corel, NAI, Symantec, Apple, Macromedia, Real, PKWare, Autodesk, SAP, etc., either live on borrowed time, or until MS decides to kill them. How long can Autodesk survive MS-CAD 2005, when all their developers now work for MS, their software gets broken with every hot-fix and service pack released, and when MS is willing and capable of using 5 billion dollars on capturing a 2 billion market?
The article expresses surprise that MS do so well on the stock market as they do. I am not surprised. In fact, MS anno 2001 is nothing to what they will be in the next decade or two. MS will be the largest and richest corporation ever known to man; they will be the de facto only software maker, the largest hardware manufacturer (what good is a CPU, if it runs anything else than MS-products), the largest investor and shareholder in the world, and the largest political lobbyist.
When I was young, I refused to buy Macs. I thought they were overpriced, and no fun, because the system was so "closed" and proprietary (and all the nice PC games of course). Now, the PC, that was a lot of fun; wanted a new graphic adaptor? Choose between many firms, buy and plug it in. New, cheap storage? No problem. Of course the Macs were superior to PC's with DOS, even when Windows 3.1 came around, the Macs were superior. But I would not give up my freedom to choose between many, and cheap, hardware firms. Besides, WP 5.1, Norton Commander, Turbo Pascal, and Norton Utilities got the job done just fine. I was not alone in that opinion. But I wonder now. Isn't the MS-PC heading down a road more viciously proprietary and closed than Apple/Mac ever was?
Sure, the hardware is still dirt cheap. But I dread the day when even my RAM modules require a signed MS-driver and serial number to work. Then it will be hard for me to run Linux:-(
Take e.g. Asus. They want to produce a PDA with Windows CE 3.0 as OS. But MS simply refuses to license it to them. MS's reasons notwithstanding, it is a chilling example of what is to come. Think about it; a respected, large hardware firm begs MS to be allowed to pay MS money in exchange for a licence for a product MS is "selling", and MS says "NO!"
What's next?
I seldom rant about how bad MS has become (I am not talking about their products, but about their behavior), I just use Linux, and am very happy about that. To me, Linux made computers fun again.
A bonus contrived example and analogy, on how it would be if MS ruled the movies:
Let's say you like going to the movies. Especially Sci-Fi and historical movies have your interest. But all of a sudden your local theater only shows badly synchronized east-german movies, from between 1970 and 1975. And prices doubled too. Fine. You vote with your feet, and drive to another cinema a little farther away. But next week, that cinema has been bought, and now it only shows badly synchronized east-german movies, from between 1970 and 1975. Prices went up too.
Some people get the idea to start their own free theater, with cheap prices; they buy a building, and start renting some flicks. Alas, the only movies they are allowed to rent are badly synchronized east-german movies, from between 1970 and 1975. Besides, since they are independent, they will only be allowed to resell anchovy scented, wet popcorn. They go bust.
Now, the east-german movie industry may have blossomed during the early 70's, but it really gets on your nerves that even TV shows the same movies as the cinemas. So you go to the movies again; the movies are the same and the prices went up again, but now the pictures are all blurred and unfocused. The theater refuses to refocus the film, but will happily sell you an eye laser-surgery operation (in small lifelong payments). That way, the marvels of east-german movie production become crystal sharp again. Unfortunately, everything else is blurred.
[About Kafka requesting his unfinished works to be burned]
Somehow, I have always suspected that Kafka wasn't entirely sincere about that. Especially since he made the request to his lifelong friend, the author Max Brod, who practically worshipped Kafka and his writings, and who, since their school days, with some exaggeration, had picked up every scrap of paper that Kafka even touched, and put it in a gilded frame.
And among the works Kafka wanted Max Brod to destroy was the short story "Ein Hungerkünstler", a story, together with three others, he would edit, and correct spelling errors in, while on his deathbed.
Furthermore, those works Kafka really wanted to destroy (his earliest works), he did destroy. His own death from TB wasn't a surprise, so if he really wanted, he could easily have destroyed whatever he wanted to.
Kafka was a meticulous writer, who himself knew how good he was. Those works he published got very good reviews.
So in my not so humble opinion, Kafka's message in his literary testament to Max Brod was something like this: "Hey Max, you really don't have to burn my papers, but if you publish them, which I am sure you do, please separate the unfinished works from the rest, and let no one be in doubt which is which."
On another note: How I dislike how Kafka is always portrayed as this serious, "romantically pale and TB-sick" author. He was a funny man, and his works are chock-full of humour. His slightly paranoid (rightly so), indecisive characters, who always think eight steps ahead before taking any action, and therefore end up taking no action whatsoever, are funny.
I am sure, more people would read Kafka, if they realized how funny his works are.
It seems to me that Wurlzer has fallen victim to some of the FUD that has been spread by Linux advocates. [snip, a lot of linux bashing]
The problem is that all statistical surveys (for what they are worth) I've seen all say that MS-based Internet servers, percentage-wise, are cracked more than their market share would indicate. Much to my surprise, MS-Windows 2000 servers are disproportionately more cracked than even MS-WinNT 4.0.
Why it is so, I really don't know; is it because:
Sys-admins are insecure about applying hot-fixes (will the server come up again after the reboot?)
Skript-kiddies feel more at home on Win-servers?
Win+IIS are generally insecure products?
Windows servers are generally run by less competent/lazy people?
Companies running MS-solutions are too cheap to have a decent security policy?
A penguin ate the Hot-fix?
The insurance companies don't care why. They are just greedy bastards, who hate to pay out.
Look, if you want to use Linux or *BSD or some other non-mainstream OS
Take a look at www.netcraft.com: Linux is a mainstream Internet OS. Apache (OSS software) is by far the most dominating web-server around.
The way that America works is that people get together and work hard to put out a product, and then they sell it to people. That's exactly what this insurance company is doing; selling a product. Just be glad that it isn't a monopoly, so you can take your business elsewhere.
Go ahead and flame me
Ok. Flame, flame, flame.
[scorch-mode on]
You, sir - you are a MS zealot!!
[scorch-mode off]
First of all, Linux is good for Microsoft; they probably enjoy having an easily identifiable enemy to bash, and rally up against, since so few real MS enemies are left.
But it seems that MS has some trouble with crushing and destroying Linux; first, Linux really isn't a single company that can be killed or bought, or intimidated into submission.
At the same time, "everyone" agrees that Open Source has its advantages, and actually makes pretty good software that works.
The advantages of OSS (Open Source Software) seem so compelling, that even MS must stress, in the middle of a full scale FUD attack against OSS, that MS software is kind of Open Source (see, a few hardware manufacturers, and some Uni's are allowed to peek into some parts of our code). Really mixed signals.
OTOH, this FUD speak, targeting especially the GPL license, really underscores one thing:
Open Source, and OSI approved licenses like the GPL, really are a viable, long term, money making, market gaining idea and force, or else MS would not bother.
Remember, this is not a random MS employee venting his personal opinions, but part of a careful corporate campaign (see article). MS PHP's must have met for strategy meetings, made plans, exchanged emails, sought approval from Ballmer/Gates?, and put lesser minions into action.
I guess it soon will be season for some serious MS "astro turfing".
> Out of the two e-mail addresses that I have had for a significant amount of time, neither of them get any spam... one is with my college (I've had that one for almost 4 years) and I've had another one with yahoo for almost a year.... and I never get ANY spam in either. I guess I just don't understand what the big deal is..
Well, lucky for you. I chose to close my old mail account, simply because it got so much spam. Actually I wasn't as plagued as others; some days 4-6 spams, other days nothing. Still, around 50-100 spams a month was enough for me.
There seems to be an element of randomness in whether one's email account becomes a spam magnet or not. But I suspect my address was spam harvested early on, since I used the account on Usenet, and had it on my homepage too. It seems like, once an account is in a spammer's db, it will be resold to other spammers, who will merge it with their db, etc.
Besides, the address was a short one, at a local, quite nice, ISP. I guess that ISP domains are popular among spammers, since they have so many users that a "lexical" spam attack is worthwhile.
> I would never post my main e-mail addresses publicly, that would just be asking for it
Me neither. It's just so sad that this is how spammers have transformed the net. This is not the idea of what the Internet was about: easy communication between peers. It's cool with me to post under a nom de guerre, or to hide one's mail address, if that's what you want. But it is sad when people choose not to post their real mail address on Usenet, on their homepage, on slashdot etc, for the sole reason that they don't want spam.
And sometimes it is a really good thing that people's mail address is posted on the web: e.g. a friend of mine is writing his PhD thesis. He was able to track down, in only 5 minutes, the only other person in the world who has written something on the same subject, even though he was from another country. Without the net, without email, without publicly available email addresses, it would have been a small project in itself to track down that person and start communication.
In short, be happy that your mail account isn't spam infected. But don't confuse your own luck, with the general spam situation.
> It also offers significantly more than the IBM Linux distro: e-mail, firewall, SQL.
Redhat sells the IBM-SBS. And come on, regarding extra features and applications, nothing beats a Linux distro; compilers, editors of choice (vim/emacs), a huge amount of different scripting languages, network monitoring (Netsaint is way cool), MRTG, log analyzers, OpenSSH (and even VNC), NTP servers, industrial strength email servers like Sendmail, Qmail for the paranoid etc. And regarding mission critical software like "Solitaire" and "Freecell", Linux wins hands down with xpat2.
All Linux distributions contain a firewall solution (kernel 2.2 = ipchains, kernel 2.4 = iptables). Iptables is a stateful inspection firewall, which I guess is more than w2k's (mostly screening, port filtering, right?)
> Apparently you can go up to 50 clients, but then you hit a hard block.
I could swear MS had upped that to 100 clients with MS-SBS 4.5, like IBM-SBS.
There used to be other limitations in the MS-SBS package, like hard limits for the MS-SQL database size, etc. In short MS-SBS was quite, not entirely, unlike MS-NT+MS-Exchange, with small limitations (and sometimes its own service packs/hot fixes).
MS-SBS is a "good" and cheap solution for a small business, but it seems almost like MS is trying to hide it away (too cheap?). The y2k fixes came way after the regular NT fixes, and it almost seemed like MS had abandoned it. Again, when Win 2000 started to arrive, there was some hinting, again, that there would be no upgrade path for MS-SBS users.
$1,499 for server and 5 CALs then $299 for 5 more CALs or $999 for 20 more CALs
So, figure for a business of 50 employees, you're talking about $3,800 total for the software.
Red Hat sells a RH 6.2 Linux server, with IBM-SBS for 475$.
A five pack CAL should be 175$ (90$ for one user)
So a comparable, dare I say, superior;-) Linux solution, should be around 2225$ (compared to 3800 for a similar MS-SBS). Now what to do with that saving: How about almost 2 years of Red Hat "Network System Response" support (unlimited incidents), when you have a question about configuring that firewall or DNS server. (biz hours), and 24/7/365 "emergency" support. (the DNS stopped working, and won't come up again).
> Mind you, this isn't including hardware, support, etc., but it's significantly lower than the $8000+ mentioned earlier. And the IBM Linux offering doesn't offer an e-mail or firewall solution that I could tell (at least not from the review.)
The review was way too short; IBM-SBS includes email/groupware by Lotus Domino/Notes, and Red Hat Linux contains similar, perhaps even better firewall support than MS-SBS. (That said, I would always run the firewall on a separate box.)
Judging by price and features alone, Red Hat+IBM-SBS is a winner combo. Whether this Linux combo is the right one for a particular biz is of course another matter. It all depends.
> windows is not free, but a Windows 2000 Professional license costs about $200
W2k Pro? That's the desktop version of MS Windows, right? While the desktop version might be used as a server, a much better comparison would be MS SBS (last version I installed was a NT 4.5, but it is probably in a 2k version now).
Now MS SBS is quite "cheap", but it is hardly 200$. So I don't think your math adds up;-)
IBM's SBS is roughly comparable with MS's SBS.
DB2 vs MS SQL
Lotus Domino R5 vs Exchange.
etc, etc.
IBM's SBS isn't free, but at 475$, ex. clients, it is quite cheap. (Check www.redhat.com for prices, and features).
Don't know the US prices, but it should be significantly cheaper than MS-SBS.
What really makes IBM-SBS interesting, is iNotes. According to IBM, you should be able to use MS-Outlook as a groupware client, instead of the usual Domino client. If that works as advertised, that's a killer feature.
> A Windows box, which takes very little time to learn to use and administer.
I agree, and disagree. It all depends. E.g., if a person has no knowledge about what a "user" and a "group" is, no GUI in the world is going to help that person set up a server.
> Installshield installations are uniformly bad, but rarely go wrong and trash a system or application due to user error.
I strongly disagree here. I do think that rpm is way, way superior regarding installing, upgrading, downgrading, and removing software, especially on servers. In my experience, almost no Windows programs ever uninstall without leaving funny registry keys and dll's. That most config files are text, and easily identified and backed up, gives me great confidence in upgrading, and if necessary, downgrading Linux software. It also helps that it is very easy to browse the rpm-archive (using e.g. MC). So even if it is a closed source rpm, it is very easy to see what goes where and what changes are made.
> Many business owners, when faced with the task of maintaining a computer system for the first time, would likely have to hire a Linux system administrator for $30k-80k a year for even a single Linux system.
That is a ridiculous assumption, especially in the SBS market. I used to be a consultant in an IT shop which targeted that segment: most small businesses are non-tech companies, meaning that IT is just a tool; law firms, accountants, production companies/factories etc. They are good at what they do, and earn their money by their trade, and not IT. When they need an IT solution, they would normally not hire a dedicated "IT-wizard", but outsource it to consultants. So the consultants will do the network design and set up the server to the client's wishes. The company will then make a couple of employees "super users", who do mundane IT tasks (adding users, changing toner) as a small part of their work day.
This is the most cost effective solution for most SB's, and the smartest too.
Even a fat consulting job like setting up a server, is nothing to the cost of having a regular employee, all year round.
IMHO the difficult part about setting up, even a very simple network, is the basic, conceptual knowledge. If the concept of dhcp is totally alien to a person, it does not matter, that this is an easy thing to set up in MS-w2k. On the other hand, if people are well versed, in the concepts of tcp/ip etc, designing, and maintaining a network, is easy, regardless of OS. (for varying definitions of easy).
All in all, I think your analysis is wrong. Everything else being equal, the TCO would probably be lower using Linux with IBM-SBS than MS-SBS. Linux is a really good OS, easy to maintain, and with a lot of flexible options.
But TCO's are not everything (or else Linux would be much more dominant). Business applications, like accounting, trade journal cdroms, etc, are a much more deciding factor.
MS is clearly leading on that front (except perhaps for web-oriented shops), however, Linux keeps improving on that side too, as this IBM-SBS package shows.
Take a note, Linux developers.
Linux will slowly start to get a significant share of that fat & rich business server market. Take a note of that, windows developers;-)
>What's the point of USENET? The few times I've ever bothered with it, it's been nothing more than random flamewars...
There are still many great Usenet groups, you may not have found them, but they are there.
That there also is a lot of crap groups, flooded with trolls, kooks and spam, is because it is free and anarchic (the alt.*).
In many respects it is similar to the web; Huge, disorganized, full of crap, with some real gold nuggets here and there.
How would you react to somebody who said "I have tried this web-thing a couple of times, but it was full of crappy, rotting homepages, pr0n, pop-up sites, and whizzbang rotating banners."
About the kernel list. It too, like many other mailing lists, had its share of spam (discussed many a time on the list, recently; Maps DUL)
The Usenet groups I follow are either totally spam free, or almost (a spam twice a year), thanks to moderation, or vigilant spamfighting.
And the kernel list does have a Usenet gateway, since Usenet readers are an excellent way to read high volume lists.
>But then again, it always surprises me how much "forward-thinking" tech types seem to want to cling on to the past.
Usenet, as archived by deja/google, is the single largest repository for technical information in the world. I have often found better info on usenet, than on the web.
If you need such info, then it would be a rather backward thing, to disregard Usenet.
And yes, thanks to google, you too can access Usenet by the web, with all the hyperlinks and html, that you crave.
Ok. I am not a history scholar, but I have occasionally worked with different archives during the past years; with the Danish State archives, and The Berlin Document Center (has a new name now).
The amount of information (archives) that a state amasses is simply astounding, and that's just the bits that go into the archives; at least 90% of all paperwork is scrapped even before that.
An example; I helped a scholar do some statistics on black market crime during and after the war;
He examined a single, lower court, in the period from 1940-1953. "Only" 8000 cases went through this court, but just the verdicts alone, averaging 3 pages per case, amounted to 25000 pages, bound into fifty, 500 page tomes. Each of these cases would also have generated a "file", containing e.g. police interrogations, wiretapping records, anonymous letters, forensic evidence, case evidence, court orders, affidavits, etc. A really conservative estimate would be that each case would have generated at least 20-40 pages, meaning that just this single court, in a few years, could have archived 100.000 - 200.000 pages. A totally impractical thing to do. Therefore these files were "cleansed" before being archived.
If all those papers that public institutions produce were preserved, we would be swamped in archives. Some stuff simply has to go.
Old-style paper archives have a physical storage problem. Modern "bit-based" archives should, in theory, be less burdened by this. (200.000 pages should fit handily into a single cdrom.)
But on the other hand, modern information systems make it so much easier to generate and preserve information. (Just think of how many gigabytes of information a single company has on its servers.)
How many emails are sent every day? 5-10-20 millions? If just a fraction of these, say 100.000, were preserved every day, think how many freaking million emails that would be during a short period of 50 years. But more importantly, how many (and which) emails would posterity need, to say something about our time, and the social pattern behind the phenomenon; email?
The main problem with digital archives, is the same as with paper archives; You can't, and shouldn't try to preserve everything.
I don't doubt that over time, even the majority of that information selected to be preserved will be lost, due to bit-rot, war, fire, carelessness, natural disasters etc, during the next 1000 years. But even if just a tiny, tiny fraction of this is preserved, there would be "enough" information about our time for the historians to make a good overall picture.
A single, modern "Statistical Yearbook", probably contains more demographic information, than all medieval archives put together.
A modern public library, probably contains more works, and written information about the last 100 years, than have been preserved, from when man began to write, until the Middle Age. Still, a lot can be said about the Roman Empire, even though so precious little in writing has survived.
So to reduce future archives to a manageable size, the majority of information simply has to be discarded. Then it is more likely that there will be funding for preserving the rest in a proper way.
Consider the amount of time, money, blood, sweat and technology that goes into carefully extracting scrolls from the Pompeii site and making them readable; it should be a "trivial" task to recover any kind of non-encrypted data, no matter what digital media it resides on. However, the cost of doing so may not be trivial. Just think of how many data formats future historians would need to reverse engineer, just to cover this last decade.
"Remember: the victors always have and always will rewrite history as much as possible."
How I have come to loathe this dogma.
Originally, it stems from the fact that sometimes only one part's "history" survived from ancient times until today (Athens, Ancient Egypt spring to mind).
But the dogma really isn't true anymore; first, in democratic countries, it is impossible for the state to directly control what history is written. Secondly, after having dealt with the massive "memory" rewrites among former Waffen-SS soldiers, I can only conclude that the losers are just as eager as the winners to rewrite history; there has been a huge amount of revisionist "history books" written since the 2. WW. ended. From outright holocaust denial, to apologetic "Waffen-SS coffee-table books", where the W-SS soldiers are portrayed as just a bunch of happy, anti-communistic boy-scouts, on a picnic in the USSR. None of them were ever nazis, or anti-Semitic, they never saw any warcrimes (except those the Russians made), blah, blah, blah. Total denial of facts.
So a better dogma would be:
"Remember: both the winners and losers always have and always will rewrite history as much as possible."
Yes, Netsaint is an impressive package. Been running it since v. 0.4 without any problems whatsoever.
It really gives you a good "feeling" of how the network performs.
It also has a very good, and steady development cycle, and a good roadmap for future enhancements.
The nice thing about the web-interface is, that it makes it easy to show (management) what Netsaint is all about.
So you are quite right. No need to sneak in Netsaint, it is that good.
If you need to monitor Internet traffic, then Ntop (www.ntop.org) is a really slick and impressive package, that looks like it cost XXXX$. It is in furious development, so it isn't ready for production yet, unlike Netsaint. But if you need something like it, it is worth keeping an eye on.
We plan to deploy it within the next month or so; since we have a managed Cisco switch, we will use CPAN to duplicate the port running to the router, and lead it into a locked down box in the DMZ. That way we can sniff & map network traffic between LAN and Internet, without running a daemon on the actual firewall.
Netsaint is a really good program. And the web interface isn't necessary for its functionality.
Basically, Netsaint is a daemon, which through various plugins (premade or your own scripts) monitors your network. The plugins are just CLI programs or scripts. Netsaint either performs active service checks, e.g. the "check_pop3" plugin logs into the pop3 server and checks if it works, or passive checks, where the remote host delivers the result of a service check to the Netsaint monitoring host. Of course, one can also perform remote checks through OpenSSH, if you don't want to run a daemon on the remote host, or the function one wants to monitor isn't a service as such (load average etc).
The results of these checks go into a standard text logfile (just grep and awk). But the strong point of Netsaint is not so much its ability to monitor services, but its handling of the service checks:
E.g.: if the pop3 doesn't work after 3 tries, and it is a working day, during business hours, send me a mail, and page me asap. If it is weekend, just send me a mail, but both mail and page Poor Joe.
If I haven't responded to the problem within X hours, escalate the problem to this list of people.
If the pop3 goes back online again, send me a mail too.
Or: if the 5 min load average during business hours goes above 1.5, write a warning in log, but don't mail me. If the 15 min load average goes above 2.0 mail me. If it goes above 3.0, write "Slashdot effect" in the logfile, and mail everybody on this list, turn on the sprinkler system, and dial out using this modem, on this spare POTS, and leave a naughty message on cowboyneals telephone answering machine.
Of course, one can also monitor and check whether the service checks are performed or not.
In short, Netsaint can monitor all kinds of events, and has a rather powerful way of dealing with these events, and none of this is in any way dependent on the web interface. This is mostly used for viewing log-files, or to give one a quick overview of the health and status of the network. It is nice, but not necessary.
So in this case, your "web interface prejudice" isn't warranted;-)
I somewhat agree with you that web interfaces, as a primary interface, usually feel clunky and sluggish. But web interfaces can be quite useful, not perhaps for the Sysadmin himself, but because it means that he can delegate routine stuff to lesser mortals, like adding or removing users, managing mail lists etc., without exposing the l^Husers to anything "complicated", and at the same time easily restrict them to only the small and limited subset of privileges they need to perform the job.
Now, this Tbox looks very good. It is yet another reason for "sneaking" in a Linux box on the network, or selling it as a service; it is nice as a consultant or sysadmin to have good diagnostic logfiles when the customer calls in and says "the Internet isn't working".
And better still, since Netsaint is pro-active, call your customer in the morning, saying "Your/user partition is 95% full {sell HDD|remove files}"
Everybody loves screenshots, so check_url www.netsaint.org
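The notification handling described in this post (retry count, time-of-week rules, escalation, recovery mail), modelled as a small state machine. This is an added example and not Netsaint's own code or configuration syntax; the class, the recipient names, the business-hours definition, the two-hour escalation delay and the weekday-night rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def business_hours(ts: datetime) -> bool:
    # Assumed definition: Monday to Friday, 08:00 to 17:00.
    return ts.weekday() < 5 and 8 <= ts.hour < 17


@dataclass
class ServiceMonitor:
    """Tracks one service (e.g. pop3) and decides who gets notified, and how."""
    max_attempts: int = 3                       # failed checks before alerting
    escalate_after: timedelta = timedelta(hours=2)
    escalation_list: tuple = ("ops-list",)      # hypothetical recipient
    failures: int = 0
    down_since: Optional[datetime] = None       # set once the problem is confirmed
    acknowledged: bool = False
    escalated: bool = False

    def acknowledge(self) -> None:
        """Somebody responded to the problem, so it will not be escalated."""
        self.acknowledged = True

    def _first_alert(self, ts: datetime) -> list:
        if business_hours(ts):
            return [("mail", "me"), ("page", "me")]
        if ts.weekday() >= 5:
            # Weekend: mail only for me, but mail and page Poor Joe.
            return [("mail", "me"), ("mail", "joe"), ("page", "joe")]
        # Weekday outside business hours is not covered by the post: assume mail only.
        return [("mail", "me")]

    def record(self, ts: datetime, ok: bool) -> list:
        """Feed one check result; return the (channel, recipient) notifications it triggers."""
        if ok:
            was_down = self.down_since is not None
            self.failures = 0
            self.down_since = None
            self.acknowledged = False
            self.escalated = False
            # Recovery mail only if a problem had actually been announced.
            return [("mail", "me")] if was_down else []

        self.failures += 1
        if self.down_since is None:
            if self.failures >= self.max_attempts:
                self.down_since = ts
                return self._first_alert(ts)
            return []  # still retrying, nobody is bothered yet

        overdue = ts - self.down_since >= self.escalate_after
        if overdue and not self.acknowledged and not self.escalated:
            self.escalated = True
            return [("mail", who) for who in self.escalation_list]
        return []


if __name__ == "__main__":
    monitor = ServiceMonitor()
    start = datetime(2001, 8, 6, 10, 0)  # a Monday morning
    for minutes, ok in [(0, False), (5, False), (10, False), (130, False), (140, True)]:
        ts = start + timedelta(minutes=minutes)
        print(ts.isoformat(), "OK  " if ok else "FAIL", monitor.record(ts, ok))
```
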
Well, the consultant may have sucked. But regarding the tapestreamer, he may not have been entirely wrong. I have RMA-ed several tapestreamers. Unless it was a DOA, it usually meant "factory service", which often would take several months. Unless you can afford to be without backup, you might as well buy a new one.
You never, never buy a backup solution smaller than the server's storage space. So it would actually be unethical of the consultant to do so.
He may, or may not have told a white lie about large IDE-tapestreamers, but believe me, IDE-streamers are too "cheap" to rely on, regarding servers. When you have experienced the mythical "Write-only" tapestreamer after a server crash, one becomes very careful in selecting backup solutions. And I don't care that some people have anecdotes about IDE-streamers that worked for them.
And why was he looking for an IDE-streamer in the first place? Was it a customer demand for a specific interface, in perhaps a hope of saving some money? In that case, one should not use a consultant in the first place: why pay money for experience that you don't use? It sounds like you could have easily installed that IDE-streamer yourself.
Regarding the consultant installing spyware; I can hardly believe he installed a real piece of spyware. More likely it was one of those pesky pieces of free "spywares" (see previous /. articles). It is so unlikely that the consultant could have benefitted from that. And maybe the specific app was a customer demand?
Perhaps this consultant was too meek and "hungry" to tell what he meant. Perhaps a more BOFH style consultant would have been what was needed:
"This *?!½ piece of *!?* IDE streamer was a bad idea in the first place...So you want to RMA it? Well, expect at least 2 months without backup, then. And actually, you really don't want it back, remember how it (expectedly) broke down within the first year? No, just dump it, take your losses and get something that works....You _insist_ on getting similar cr*p, -again? Well, I won't do that, but call me sometime in the near future, when that too has broken down." (sound of a BOFH leaving in his Mercedes SLE)
Maybe the Russian gentleman should have told us also about the more inventive Soviet strategies employed to break the Afghan spirit: dropping colorful plastic toy mines in the form of little dinosaurs and cars, designed to blow off the hands of (but not kill) children.
Heard this story before in the 80's (and believed in it too), though the dinosaur shape is a new variation of the theme.
However, the story, as told, is extremely unlikely to be true, and probably is a mixture of propaganda, myth and misunderstandings (common in wars and urban legends).
Now, the realities in the myth may not differ that much from the "truth";
The point was that USSR-forces would air-deploy 1000's of anti-personnel mines, to restrict and interdict rebel movements. These AP-mines ("Butterfly mines") had small "wings" on them, to reduce impact speed.
This AP-mines tactic was very common practice at the time. They were not designed to kill/mutilate children, but kids too would be victims of them (something called "collateral damage" by armies worldwide). Read more on butterfly mines here;
http://www.unicef.org/graca/mines.htm
And do read something about the banning of AP-mines (something I consider a very good thing).
Also note that in this story, he tells about seeing a child with a missing foot (could be an AP-mine) getting into a USSR chopper for later operation, but that he himself "knew" that the child wouldn't survive, and how this would just generate more rebels. So this "Russian gentleman" actually _does_ tell exactly how it was.
But then you go on to detail how many ways it is inadequate. NAT was not invented to solve a security problem, it was invented to solve a connectivity problem. By design, NAT enables communication where it was otherwise not possible. This is the opposite of what a firewall does.
Repeat after me: NAT is not a security technology, NAT is not a security technology, NAT is not a security technology. Repeat it until you believe it. It's the truth.
I know, but since most small companies on xDSL/ISDN lines don't get (or need) public IP's for all the client pc's, NAT is a pretty common fact. And NAT does give some kind of protection, and is easy to understand and implement.
Note that I don't think NAT is a firewall substitute; my gripe was actually against those who think so, and rely on e.g. their xDSL router's NAT and packet filtering abilities, while negating those security benefits by portforwarding to servers on the LAN side.
A book could have been written on "Lessons learned by Code Red", but it wasn't, so here are some really random thoughts:
Network design:
The new, but simple attack strategy of hitting neighbour IP addresses should be a wake up call for all, since this allows for very rapid infections of LANs.
Correct me if I am wrong, but wouldn't it be fair to say that for Code Red to infect the LAN side, the network (and firewall) is fundamentally designed wrong? Why should a webserver on the public internet be allowed to issue GETs through the firewall, to the LAN side?
E.g. a company has a public webserver (host A), and a LAN-side server (host B). Of course they have set up their firewall so that host B can't be reached directly from the Internet. But for some reason (people often cite convenience), they make it possible for all kinds of traffic to reach host B, as long as it originates from host A.
Patching:
People often say: "Just patch, and you will be safe". But patching is just the first line of defence.
Some day, a Code Red style worm, exploiting an unknown flaw, perhaps even a flaw that is not easily patched like a "standard" buffer overflow. The speed of such an infection could be overwhelming, with perhaps 100.000's of hosts infected per day, and worse, since the infect algorithm seems to be very effective in getting inside LANs, the problem may reach infocalyptic proportions.
My point is that a secure network _design_ with defence in depth is a necessity, and may stop the infection on the Internet-side.
Perhaps "network plurality" may be something; e.g. if one is running MS web-servers, then deploy a Linux/*BSD firewall.
Finally, the LAN side seems very vulnerable now. Sysadmins now face the overwhelming, Sisyphean task of patching, upgrading, and locking the LAN-side as tight as if it were on the public Internet. That just won't happen.
Further ranting on patching: why do (some) vendors mix security fixes, and non-security, non-critical bug-fixes, and, worst of all, "enhancements" in the same patch? (Are you listening, MS?)
No wonder SysAdmins are hesitant to patch LAN side production servers when the patch is more than 50Mbyte.
They must wonder whether their systems may BSOD on the spot. (How many times was MS-SP 6 pulled, before it reemerged as SP 6a, twice?) Or do all the new "enhancements" or bugfixes break "company-wide-important-app"?
And speaking of "defence in depth"
Not many networks seem to be secured that way, or monitored at all by e.g. IDS's. Yeah, money seemed to be spent on "surf-blocking", or monitoring employees' mail for four letter words, and badmouthing of the boss.
From my reading of usenet and weblogs on Code Red, it seems that most people discovered it, since their MS-NT 4.0 servers crashed more than usual, or that their managed switches, and IP-printers locked up.
I am no better than the most, I am still reading up on Tripwire and Snort.
NAT
I like NAT
But NAT gives rather less protection if portforwarding is used; e.g. a small company buys an xDSL connection, and is issued a small router that does firewalling and NAT. So they make a portforwarding to p:80, and close everything else. But Code Red style worms just thrive on such a setup; it is handily portforwarded into the LAN side, and will spread real fast once inside.
And NAT and firewalling don't help at all if the worm is multi-vectoring through mail and webbrowsers:
e.g. the first infections are by mail. The trojan then watches where people surf, and tries to infect those sites.
If successful, the trojaned machine deploys a payload on the website, that further infects all vulnerable webbrowsers visiting the site.
On infected machines.
Every attacking machine is announcing to the world that it is infected. (A clever fellow slashdotter wrote a piece on this, but I can't find the link now)
Further, more malicious attacks may be instigated on the affected machines. And these second wave-attacks may not appear in any logs, they may even be impossible for any IDS to detect.
And speaking of IDS's; how many actually monitor traffic going out from the network, especially through port 80?
People may have gotten by, by just removing the actual trojan until now. Perhaps this time too, but next time it is likely that all the script kiddies in the world seize the opportunity to mass infect the infected machines with new and improved root-kits.
Imagine a DDoS from a skript kiddie, controlling 50.000 machines residing all around the globe. Good luck filtering that out on the router, or even your upstream providers router.
Or even worse, a skript kiddie with a clue, a personal grudge against your company, and having a root-kit on your LAN.
And more; it seems like a lot of Code Red attack machines were W2k Pro's with accidentally installed web-servers.
Now, the fools with unpatched boxes and xDSL lines are hard to do anything about, but it also seems that a lot of accidental web-servers were found on company
VPN's:
VPNs are often labelled as something that enhances security, but as others point out, they are actually the exact opposite, since they dig a deep hole in the firewall, into the corporate LAN. Good encryption and authentication by VPN's doesn't help, if Mr. Traveling Salesman is trojaing a worm when he connects to the LAN through his laptop.
In short, we must all rethink our network design and security. Firewall and IDS on the inside LAN. Lock and patch the LAN, as if it was on the public Internet. Use e.g. "port mirroring" on the core switch to a "silent" monitor box.
Run network scanners like nessus (www.nessus.org) and nmap on all LAN clients and hosts, so "forgotten" machines and accidentally installed web-servers are discovered.
Harden hosts with tripwire
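An added example, not part of the original post: one way to act on the points above about monitoring traffic that leaves the LAN on port 80 and finding accidentally installed web servers, using connection records from a monitor box on a mirrored switch port. The log format, addresses, thresholds and function names are assumptions made for this example, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample. Assumed format: "timestamp src dst dst_port result".
SAMPLE_LOG = """\
2001-08-06T09:00:00 198.51.100.7 192.168.1.10 80 ok
2001-08-06T09:00:05 192.168.1.30 203.0.113.5 80 ok
2001-08-06T09:00:40 192.168.1.30 203.0.113.9 80 ok
2001-08-06T09:01:00 192.168.1.20 192.168.1.21 80 fail
2001-08-06T09:01:01 192.168.1.20 192.168.1.22 80 fail
2001-08-06T09:01:02 192.168.1.20 192.168.1.45 80 ok
2001-08-06T09:01:03 192.168.1.20 192.168.7.9 80 fail
2001-08-06T09:01:04 192.168.1.20 203.0.113.77 80 fail
2001-08-06T09:01:05 192.168.1.20 198.51.100.200 80 fail
2001-08-06T09:01:06 192.168.1.20 203.0.113.80 25 fail
2001-08-06T09:03:00 192.168.1.30 203.0.113.5 80 ok
this line is malformed and must be skipped
not-a-date 192.168.1.20 203.0.113.1 80 fail
"""


def parse_log(text):
    """Return (timestamp, src, dst, port, accepted) tuples; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, result = parts
        try:
            records.append((datetime.fromisoformat(ts), ip_address(src),
                            ip_address(dst), int(port), result == "ok"))
        except ValueError:
            continue
    return records


def find_scanners(records, lan, window=timedelta(seconds=60), threshold=5, port=80):
    """Flag LAN hosts that try `threshold` or more distinct port-80 targets within `window`.

    A browser talks to a handful of servers; a worm hunting for victims sprays
    connection attempts, many of them failing, and often at neighbouring addresses.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport, _accepted in records:
        if dport == port and src in lan:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            flagged[src] = {"distinct": len(best),
                            "inside_lan": sum(dst in lan for dst in best)}
    return flagged


def unexpected_web_servers(records, lan, known_servers, port=80):
    """LAN hosts that accepted a port-80 connection but are not approved web servers."""
    return sorted({dst for _, _, dst, dport, accepted in records
                   if accepted and dport == port and dst in lan
                   and dst not in known_servers})


if __name__ == "__main__":
    lan = ip_network("192.168.1.0/24")
    recs = parse_log(SAMPLE_LOG)
    for host, stats in find_scanners(recs, lan).items():
        print(f"possible worm scanning from {host}: {stats}")
    for host in unexpected_web_servers(recs, lan, {ip_address("192.168.1.10")}):
        print(f"unapproved web server answering on {host}")
```
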
Twice this morning I've had to power cycle an HP JetDirect, something I've NEVER had to do before... is this related, or just coincidence?
An awful amount of equipment with embedded webservers was affected by Code Red*, including (some/all?) HP JetDirect printservers, but also all kinds of managed switches, and routers.
Usually because a small memory leak would occur for every GET; enough GETs in a row, and the system will lock up, until power cycled.
Of course, other problems may lie behind the lockups of your equipment. But since the HP JetDirect in question probably is on the LAN side, you may have infected machines behind your firewall.
I have heard that it is more cost effective to wound an enemy than to kill them. Takes more resources to heal someone than to bury or cremate the body. So enemy must expend resources to help wounded. And if they don't help their wounded, could demoralize the remaining healthy troops.
/phosfor rounds?
A couple of friends of mine (historians) interviewed a dozen Waffen SS soldiers (mostly from Frikorps Danmark, Div. LAH, Nordland). Only one of these had escaped being wounded, and that was considered a freak thing, by himself and others. Most of the rest had been wounded 2 or 3 times.
Looking through thousands of service records, their conclusion was that it was not unlikely to receive several, sometimes very serious wounds, and return to service again.
The Germans, like the US, had good assembly line style field hospitals. Once a wounded soldier had reached one, their survival chance would be good. While caring for wounded soldiers may take some resources, I don't think that it really matters much, e.g. a lot of trains and lorries driving back from the frontline are empty, so loading them with wounded is hardly a logistical strain.
Most important; a veteran soldier is a precious commodity, the logistical strain of sending him back front and patching him up, is probably less than training a new soldier.
All in all, I consider the above statement untrue.
On the topic;
Last summer I visited a wood clearing, where German small and medium arms ammo had been disposed of after the war. It had been a rush job; deep holes had been dug, and loads of ammo dumped into them, then (way too small) charges had been detonated.
The result was that the area was littered with all kinds of ammo; 9mm parabellums, every size and color of 7.62mm, Sturmgewehr bullets, Russian 12.7mm MG, standard 20mm AA shells, and all kinds of freakish sized Luftwaffe ammo, in the 20mm range.
A striking thing was that the holes, after more than 55 years, were pitch black. Not a single grass leaf was growing in or around them. Probably because of all the tracer
In Eastern Europe and the former USSR, you can still find WWII battlefields in desolated areas, where cases of Nebelwerfer, AT, and MG ammo, rusted rifles and machineguns, are littered among the trenches. Scratch the earth, and you will find the bones of unknown dead soldiers, some hastily buried and forgotten, others simply just forgotten where they fell.
The straits around my country (Denmark) are littered with hundreds of thousands of tons of chemical rounds, usually mustard gas, but I believe that every kind of German gas ammo was dumped into the sea, including nerve gas like Tabun, and Sarin. A nasty thing. It is fairly common that fishers catch a corroded, sick-yellow lump of mustard gas rounds in their nets.
The western coast of Denmark was part of the Atlantic Wall. Besides building thousands of concrete bunkers, the German army laid more than 1.4 million mines, and that on a coast less than 170 miles long. It took decades to clear (and cost a lot of lives), and still, in some remote areas, it is not unusual to find a German Teller AT-mine in the sand dunes after an autumn storm.
War is a messy affair in more than one way.
No matter what, after a while, peace will follow war, and people will have to deal with results for a long time. Anything to lessen the burden for the survivors, is IMHO, a good thing.
I've had to reboot my cable modem recently every night to restore connectivity. My ISP just sent out an email saying the CISCO cable modem that I'm using hammered by Code Red.
0 1-08/0078.html
/DMZ cannot be reached directly from the Internet, but it "trusts" Host B, on the hostile Internet. So when Host B is infected, Host A gets it too, and starts spreading the infection deep into the LAN.
Here's the quote "With the Cisco 67x series, as well as HP print servers, 3Com switches, and almost all other embedded web server applications, the worm causes a buffer overrun which causes the device to lock up."
Is this really true? It seems pretty unlikely that almost all embedded web server applications have a buffer overrun. It seems possible that a few devices do.
Anybody have more info?
Well, Cisco has put out an advisory for 'unpatched' 6xx DSL modems.
see:
http://www.cert.org/advisories/CA-2001-19.html
However, the Cisco problems are not the same as the MS buffer overflow, but are triggered by the CR scanning nevertheless.
I have seen several mentions of other types of equipment that seem to react badly to CR scanning. Probably because it is "easy" to give a piece of equipment an IP address and a web-server for remote management. But most of this equipment was designed to operate inside a nice and friendly LAN, serving well-formed requests. Of course, not all embedded web servers suffer under the CR scanning, and those that do are probably affected by reboot-requiring memory leaks, caused by high load.
The scary truth probably is that security, as usual, wasn't high on the list when all those devices were designed.
Security is hard to design and maintain, but also hard to sell to customers.
Sites running transparent proxies (from MS-proxy, MS-ISA?, Cisco, Squid, etc), may experience severe resource depletion if infected. See http://archives.neohapsis.com/archives/bugtraq/20
Other products using "embedded" MS IIS are affected too.
What is thought-provoking about CRII is its spreading algorithm, favoring IP addresses close to the infected host. This is of course much more efficient than random numbers, but also seems to make it easier for it to infect hosts _inside a LAN_ on "misconfigured" networks:
Host A on the inside LAN
And in my experience, hosts and equipment inside the LAN are rarely patched and tied down with the same vigour as Internet hosts.
It is of course bad network design that allows this to happen, but a lot of sites are nevertheless configured that way, because it makes things easier.
Oh yes, it's all SQL Servers fault. It's got nothing to do with the implementers being inept. Hell, the Russians are normally so good at developing things, just look at the fine work they did for the ISS.
...I am not going to resolve MS SQL problems by playing around data formats which means a complete redesign of KI-MACS application software core (over 5 Mb of source code in Transact SQL). By the way, I was astonished to learn that MS staff is seriously proposing such
It is inconsequential that hundreds of thousands of other sites seem to run SQL Server 6.5, 7.0, and 2000 just fine.
Well, first of all, the bugs discovered by the Kurchatov Institute do actually exist, and are acknowledged as such by Microsoft (see the mail from the MS engineer). Note the bugs are bugs within MS SQL Server, not in the implementation of the DB. So 'Oh yes, it's all SQL Servers fault.'
I don't care to check whether the problems are fixed by now, but I guess they are, though probably not for MS SQL 6.5. (read the text)
So every MS SQL server not patched, has the potential to be bitten by these bugs.
A nice quote from the text:
stupid advises as change of data formats to avoid MS SQL Server SYSTEM
problems.
Is it MS style of conducting business? If so, we have to be prepared to
deal with permanent troubles for the rest of our life.
I saw a pretty interesting program on TV a while ago, and have since been reading up on it a bit.. According to a growing group of scientists,
l .0 3/
the real reason for the ups and downs of the earth temperature that we are observing are in fact caused by solar activity!
It is a very sound theory, though pretty new. What scientists like about this theory is that it is simple but gives strong predictions.
The group of scientists which did the research wasn't specifically interested in explaining global warming, but rather finding an explanation for recurring trends in historical weather patterns.
So they applied a lot of historical data to this theory, and so far the results have been very good.
It does look like this new theory, combined with traditional weather models, does explain historical weather data very, very well.
When the scientists published their study, their data seems to exclude that man-made activities played any great role in the weather system. (Their theory could, within some margins, 'predict' historical weather)
But here is the point: When the scientists published their study, they had only applied historical weather data up until 1972.
When they started to apply more recent weather data, something changed; their theory could no longer, within the margins, explain the more recent historical weather data. (their theory, as I understand it, would still give better 'predictions' than traditional weather models, without their theory).
So the "solar activity" theory as it stands now actually seems to give a very strong indication that global warming does exist. It also hints that the global warming is man made, since it is very good at explaining weather, up until the last 30 years.
People often state that the recent high temperature measurements could be a natural cycle like earth so often has been going through before. In itself a reasonable statement. But cycles are cycles because something cyclical, and therefore predictable, occurs. So far science has become better and better at finding these cycles (solar activity being last). But no good scientific explanation exists for which, and what kind of weather cycle, earth is experiencing right now.
Something on solar activity and global warming:
http://www.giss.nasa.gov/research/intro/shindel
Here's what I use: [snip] ...3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120)...
Hm. This method is quite common, but perhaps not so secure. Banks in my country have issued warnings about using this method for storing PIN codes for ATM cards, since "all" pickpockets seem to know this scheme, and therefore scan all dayplanners for "fishy" name and number entries. Apparently quite a few bank accounts have been emptied this way.
Another problem with this scheme is, that it is "easy" to verify what is real names and telephone numbers.
Only one digit actually.. I screwed up with the $2000. According to the paper which I originally got the figure from, it was $13,000. That's still not too bad.
13.000$ for a single V-2, even in 1944 currency, wouldn't cut it. The V-2 (A-4) rocket program was by far the largest project of all German rocket projects. There is no way that 13.000 US 1944 dollars per V-2 could pay the actual costs of the V-2 rocket project.
[snip] it's also interesting to note that the V2 weighed 13,000 Kg at launch time. Given a 1000 Kg warhead, The V2 could put a package up 40 miles, at 1/10th orbital velocity (16,500 mph I believe) So basically, the Nazis spent about $13 for each Kg of explosives they lobbed over the English Channel.
The monetary figures are wrong, but cost was not the only thing wrong with the German rocket project, since it drew valuable resources (materials, manpower and research) away from war production. Consider this; the German army had been losing more trucks than it got since 1939. The result was that the Wehrmacht demodernized its army in 1941, to a walking and horse-drawn army (only 10% was mechanized).
I am not saying that the rocket project was to blame for all of that, but..
And consider how little the rocket projects gained: VT-fuses, Tempest fighters, and radar did that, perhaps only 2-4% of all V-1's ever reached England at the end of the campaign.
The V-2 had a puny payload of 1 ton; B-17's and B-24's would routinely carry 6x as much, and the Lancaster could carry up to 12x as much. And allied bombers at least had a chance to hit anything of importance, unlike the unguided V-2's, which were fired in the general direction of southern England, hoping to hit something else than a wheat field. A "strategy" that accomplished nothing.
The German rocket project got way out of control, which was a fairly typical thing for projects under the Third Reich's disorganized, corrupt, confused, inefficient, lack-of-foresight way of handling things.
To make a point here, economies of scale apply to rocket launches too. The volume of launches is what drives down costs.
Yes, of course. Satellite launches have become cheaper thereof. But first one needs huge investments and lots of expensive research. And chemical orbital rockets will never be _very_ cheap, just cheaper than outrageously expensive.
Space travel is not exotic. It shouldn't have to be so expensive that only multinationals and major governments can afford it. Rocket fuel costs about as much as milk. The suborbital V2-rocket produced by the Germans during WW2 only cost about 2000$ each.
2000$? Your sources for that must have missed a couple of digits there, even when considering that the SS provided cheap slave labour to assemble the V-2 (A-4) rockets in the underground kz-camps.
In fact, western scientists made a postwar estimate that the German rocket project was more expensive than the "Manhattan" project (US-GB effort to develop the a-bomb), a project which by all standards was an expensive one.
The German "rocket" project (V-1, V-2, Wasserfall, ME-163 etc) was a massive and spectacular failure, but it probably helped shorten the war by some months, since its huge, resource-draining efforts sucked valuable resources from the Wehrmacht and Luftwaffe.
(a long rant)
/Mac ever was?
:-(
I think you don't understand what it is all about, and why people like me are really, really worried about the direction the entire IT section is headed.
First, Microsoft's total software domination is an extreme case study in "market failure".
MS have no competition whatsoever in the markets they choose to dominate. (sure, there are a few players around that MS hasn't killed yet, but they will be killed in the end, just like the others).
Normally, in a free market, the consumer has some choices to choose between. If something sucks, they vote with their feet (and pocket).
But with computer software, that has not been an option for a long time. I am not talking about the tech savvy Slashdotter here, but average home computer users, and foremost, businesses.
They are so deeply entrenched in MS software that no matter what, they don't have a choice anymore. Other software producing companies (and soon hardware companies) haven't had a choice for years; they either humbly submit to MS or get destroyed.
In short, Microsoft is a monopoly that can do things with impunity, since it is more or less impossible for the consumer to choose anything else than MS products.
Not even prices on software are a factor anymore; Corel WordPerfect suite 2002 may be better, faster, and much much cheaper than MS-office 2000, but will that mean that it even qualifies as an unserious competitor to MS-Office? No. Even small businesses, or home owners, either warez a copy of MS-office, or pay the full price of it, rather than using a cheaper (and perhaps better) alternative.
As long as Microsoft remains a monopoly, no new software companies producing software even remotely competing with MS will ever get to survive. They will either be bought (not in itself a bad thing, but since MS is a monopoly.. Ex. Foxbase), or MS will buy all the developers (I strongly suspect that a lot of the wizz-kids working for MS R&D are hired, not so much for what they do for MS, but for what they now don't do for others), or directly sabotaged (Quarterdeck (qemm, Stacker)), or threatened to submission (Symantec), by locking them out of crucial info, or simply by FUD, "integration" and embrace and extend.
All software companies live on the mercy of MS. Adobe, Corel, NAI, Symantec, Apple, Macromedia, Real, PKWare, Autodesk, SAP, etc., either live on borrowed time, or until MS decides to kill them. How long can Autodesk survive MS-CAD 2005, when all their developers now work for MS, their software gets broken with every hot-fix and service pack released, and when MS is willing and capable of using 5 billion dollars on capturing a 2 billion market?
The article expresses surprise that MS do so well on the stock market as they do. I am not surprised. In fact, MS anno 2001 is nothing to what they will be in the next decade or two. MS will be the largest and richest corporation ever known to man; they will be the de facto only software maker, the largest hardware manufacturer (what good is a CPU, if it runs anything else than MS-products), the largest investor and shareholder in the world, and the largest political lobbyist.
When I was young, I refused to buy Macs. I thought they were overpriced, and no fun, because the system was so "closed" and proprietary (and all the nice PC games of course). Now, the PC, that was a lot of fun; wanted a new graphic adaptor? Choose between many firms, buy and plug it in. New, cheap storage? No problem. Of course the Macs were superior to PC's with DOS, even when Windows 3.1 came around, the Macs were superior. But I would not give up my freedom to choose between many, and cheap hardware firms. Besides WP 5.1, Norton Commander, Turbo Pascal, and Norton Utilities got the job done just fine. I was not alone in that opinion. But I wonder now. Isn't the MS-PC heading down a road, more viciously proprietary and closed, than Apple
Sure, the hardware is still dirt cheap. But I dread the day when even my RAM modules require a signed MS-driver and serial number to work. Then it will be hard for me to run Linux
Take e.g. Asus. They want to produce a PDA with Windows CE 3.0 as OS. But MS simply refuses to license it to them. MS's reasons notwithstanding, it is a chilling example of what is to come. Think about it; a respected, large hardware firm begs MS to be allowed to pay MS money in exchange for a licence for a product MS is "selling", and MS says "NO!"
What's next?
I seldom rant about how bad MS has become (I am not talking about their products, but about their behavior), I just use Linux, and am very happy about that. To me, Linux made computers fun again.
A bonus contrived example and analogy, on how it would be if MS ruled the movies:
Let's say you like going to the movies. Especially Sci-Fi and historical movies have your interest. But all of a sudden your local theater only shows badly synchronized east-german movies, from between 1970 and 1975. And prices doubled too. Fine. You vote with your feet, and drive to another cinema a little farther away. But next week, that cinema has been bought, and now it only shows badly synchronized east-german movies, from between 1970 and 1975. Prices went up too.
Some people get the idea to start their own free theater, with cheap prices; they buy a building, and start renting some flicks. Alas, the only movies they are allowed to rent are badly synchronized east-german movies, from between 1970 and 1975. Besides, since they are independent, they will only be allowed to resell anchovy scented, wet popcorn. They go bust.
Now, the east-german movie industry may have blossomed during the early 70's, but it really gets on your nerves that even TV shows the same movies as the cinemas. So you go to the movies again; the movies are the same and the prices went up again, but now the pictures are all blurred, and unfocused. The theater refuses to refocus the film, but will happily sell you an eye laser-surgery operation (in small lifelong payments). That way, the marvels of east-german movie production become crystal sharp again. Unfortunately, everything else is blurred.
[About Kafka requesting his unfinished works to be burned]
Somehow, I have always suspected that Kafka wasn't entirely sincere about that. Especially since he made the request to his lifelong friend, the author Max Brod, who practically worshipped Kafka and his writings, and who, since their school days, with some exaggeration, had picked up every scrap of paper that Kafka even touched, and put it in a gilded frame.
And among the works Kafka wanted Max Brod to destroy was the short story "Ein Hungerkünstler", a story that, together with three others, he would edit, and correct spelling errors in, while on his deathbed.
Furthermore, those works Kafka really wanted to destroy (his earliest works), he did destroy. His own death from TB wasn't a surprise, so if he really wanted, he could easily have destroyed whatever he wanted to.
Kafka was a meticulous writer, who himself knew how good he was. Those works he published got very good reviews.
So in my not so humble opinion, Kafka's message in his literary testament to Max Brod was something like this: "Hey Max, you really don't have to burn my papers, but if you publish them, which I am sure you do, please separate the unfinished works from the rest, and let no one be in doubt which is which."
On another note; How I dislike how Kafka is always portrayed as this serious, "romantically pale and TB-sick" author. He was a funny man, and his works are chock-full of humour. His slightly paranoid (rightly so), indecisive characters, who always think eight steps ahead before taking any action, and therefore end up taking no action whatsoever, are funny.
I am sure, more people would read Kafka, if they realized how funny his works are.
It seems to me that Wurlzer has fallen victim to some of the FUD that has been spread by Linux advocates. [snip, a lot of linux bashing]
The problem is that all statistical surveys (for what they are worth) I've seen say that MS-based Internet servers, percentage-wise, are cracked more than their market share would indicate. Much to my surprise, MS-Windows 2000 servers are disproportionately more cracked than even MS-WinNT 4.0.
Why it is so, I really don't know; is it because; Sys-admins are insecure about applying hot-fixes (will the server come up again after the reboot?)
Skript-kiddies feel more at home on Win-servers?
Win+IIS are generally insecure products?
Windows servers are generally run by less competent/lazy people?
Companies running MS-solutions are too cheap to have a decent security policy?
A penguin ate the Hot-fix?
The insurance companies don't care why. They are just greedy bastards, who hate to pay out.
Look, if you want to use Linux or *BSD or some other non-mainstream OS
Take a look at www.netcraft.com : Linux is a mainstream Internet OS. Apache (OSS software) is by far the most dominating web-server around.
The way that America works is that people get together and work hard to put out a product, and then they sell it to people.
That's exactly what this insurance company is doing; selling a product. Just be glad that it isn't a monopoly, so you can take your business elsewhere.
Go ahead and flame me
Ok. Flame, flame, flame.
[scorch-mode on]
You, sir - you are a MS zealot!!
[scorch-mode off]
First of all, Linux is good for Microsoft; they probably enjoy having an easily identifiable enemy to bash, and rally up against, since so few real MS enemies are left.
But it seems that MS have some trouble with crushing and destroying Linux; First, Linux really isn't a single company that can be killed or bought, or intimidated into submission.
At the same time, "everyone" agrees that Open Source has its advantages, and actually makes pretty good software that works.
The advantages with OSS (Open Source Software) seem so compelling that even MS must stress, in the midst of a full scale FUD attack against OSS, that MS software is kind of Open Source (see, a few hardware manufacturers, and some Uni's are allowed to peek into some parts of our code). Really mixed signals.
OTOH; This FUD speak, targeting especially the GPL license, really underscores one thing;
Open Source, and OSI approved licenses, like GPL, really are a viable, long term, money making, market gaining idea and force, or else MS would not bother.
Remember, this is not a random MS employee venting his personal opinions, but part of a careful corporate campaign (see article). MS PHP's must have met for strategy meetings, made plans, exchanged emails, sought approval from Ballmer/Gates?, and put lesser minions into action.
I guess it soon will be season for some serious MS "astro turfing".
Out of the two e-mail addresses that I have had for a significant amount of time, neither of them get any spam... one is with my college (I've had that one for almost 4 years) and I've had another one with yahoo for almost a year.... and I never get ANY spam in either. I guess I just don't understand what the big deal is..
Well, lucky for you. I chose to close my old mail account, simply because it got so much spam. Actually I wasn't as plagued as others; some days 4-6 spams, other days nothing. Still, around 50-100 spams a month was enough for me.
There seems to be an element of randomness in whether one's email account becomes a spam magnet or not. But I suspect my address was spam harvested early on, since I used the account on Usenet, and had it on my homepage too. It seems like, when first an account is in a spammer's db, it will be resold to other spammers, who will merge it with their db, etc.
Besides, the address was a short one, at a local, quite nice, ISP. I guess that ISP domains are popular among spammers, since they got so many users that a "lexical" spam attack is worthwhile.
I would never post my main e-mail addresses publicly, that would just be asking for it
Me neither. It's just so sad that this is how spammers have transformed the net. This is not the idea of what the Internet was about; easy communication between peers. It's cool with me to post under a nom de guerre, or hiding one's mail address, if that's what you want. But it is sad when people choose not to post their real mail address on Usenet, on their homepage, on slashdot etc, simply for the sole reason that they don't want spam.
And sometimes it is really good that people's mail address is posted on the web: e.g. a friend of mine is writing his PhD thesis. He was able to track down, in only 5 minutes, the only other person in the world who has written something on the same subject, even though he was from another country. Without the net, without email, without publicly available email addresses, it would have been a small project in itself to track down that person and start communication.
In short, be happy that your mail account isn't spam infected. But don't confuse your own luck, with the general spam situation.
It also offers significantly more than the IBM Linux distro: e-mail, firewall, SQL. /emacs), a huge amount of different scripting languages, network monitoring (Netsaint is way cool), MTRG, log analyzers, OpenSSH (and even VNC), NTP servers, industrial strength email servers like Sendmail, Qmail for the paranoid etc. And regarding mission critical software like "Solitaire" and "Freecell", Linux wins hands down with xpat2.
/groupware by Lotus Domino /Notes, and Red Hat Linux contains similar, perhaps even better firewall support, than MS-SBS. (that said, I would always run the firewall on a separate box).
Redhat sells the IBM-SBS. And come on, regarding extra features, and application, nothing beats a Linux distro; compilers, editors of choice (vim
All Linux distributions contain a firewall solution (kernel 2.2 = ipchains, kernel 2.4 = iptables). Iptables is a stateful inspection firewall, which I guess is more than w2k's (mostly screening, portfiltering, right?)
Apparently you can go up to 50 clients, but then you hit a hard block.
I could swear MS had upped that to 100 clients with MS-SBS 4.5, like IBM-SBS.
There used to be other limitations in the MS-SBS package, like hard limits for the MS-SQL database size, etc. In short MS-SBS was quite, not entirely, unlike MS-NT+MS-Exchange, with small limitations (and sometimes its own service packs/hot fixes).
MS-SBS is a "good" and cheap solution for a small business, but it seems almost like MS is trying to hide it away (too cheap?). The y2k fixes came way after the regular NT fixes, and it almost seemed like MS had abandoned it. Again, when Win 2000 started to arrive, there was some hinting, again, that there would be no upgrade path for MS-SBS users.
$1,499 for server and 5 CALs then $299 for 5 more CALs or $999 for 20 more CALs
So, figure for a business of 50 employees, you're talking about $3,800 total for the software.
Red Hat sells a RH 6.2 Linux server, with IBM-SBS for 475$.
A five pack CAL should be 175$ (90$ for one user)
So a comparable, dare I say, superior;-) Linux solution, should be around 2225$ (compared to 3800 for a similar MS-SBS). Now what to do with that saving: How about almost 2 years of Red Hat "Network System Response" support (unlimited incidents), when you have a question about configuring that firewall or DNS server. (biz hours), and 24/7/365 "emergency" support. (the DNS stopped working, and won't come up again).
Mind you, this isn't including hardware, support, etc., but it's significantly lower than the $8000+ mentioned earlier. And the IBM Linux offering doesn't offer an e-mail or firewall solution that I could tell (at least not from the review.)
The review was way too short; IBM-SBS includes email
Judging by price and features alone, Red Hat+IBM-SBS is a winner combo. Whether this Linux combo is the right one for a particular biz is of course another matter. It all depends.
windows is not free, but a Windows 2000 Professional license costs about $200
/factories etc. They are good at what they do, and earn their money by their trade, and not IT. When they need an IT solution, they would normally not hire a dedicated "IT-wizard", but outsource it to consultants. So the consultants will do the network design and set up the server to the client's wishes. The company will then make a couple of employees "super users", who do mundane IT tasks (adding users, changing toner), as a small part of their work day.
W2k Pro? That's the desktop version of MS Windows, right? While the desktop version might be used as a server, a much better comparison would be MS SBS (Last version I installed was a NT 4.5, but it is probably in a 2k version now).
Now MS SBS is quite "cheap", but it is hardly 200$. So I don't think your math adds up;-)
IBM's SBS is roughly comparable with MS's SBS.
DB2 vs MS SQL
Lotus Domino R5 vs Exchange.
etc, etc.
IBM's SBS isn't free, but at 475$, ex. clients, it is quite cheap. (Check www.redhat.com for prices, and features).
Don't know the US prices, but it should be significantly cheaper than MS-SBS.
What really makes IBM-SBS interesting, is iNotes. According to IBM, you should be able to use MS-Outlook as a groupware client, instead of the usual Domino client. If that works as advertised, that's a killer feature.
A Windows box, which takes very little time to learn to use and administer.
I agree, and disagree. It all depends. Eg., if a person has no knowledge about what a "user" and a "group" is, no GUI in the world is going to help that person setting up a server.
Installshield installations are uniformly bad, but rarely go wrong and trash a system or application due to user error.
I strongly disagree here. I do think that rpm is way, way superior regarding installing, upgrading, downgrading, and removing software, especially on servers. In my experience, almost no Windows programs ever uninstall without leaving funny registry keys and dll's. That most config files are text, and easily identified, and backed up, gives me great confidence in upgrading, and if necessary, downgrading Linux software. It also helps that it is very easy to browse the rpm-archive (using e.g. MC). So even if it is a closed source rpm, it is very easy to see what goes where and what changes are made.
Many business owners, when faced with the task of maintaining a computer system for the first time, would likely have to hire a Linux system administrator for $30k-80k a year for even a single Linux system.
That is a ridiculous assumption, especially in the SBS market. I used to be a consultant in an IT shop which targeted that segment: Most small businesses are non-tech companies, meaning that IT is just a tool; law firms, accountants, production companies
This is the most cost effective solution for most SB's, and the smartest too.
Even a fat consulting job like setting up a server, is nothing to the cost of having a regular employee, all year round.
IMHO the difficult part about setting up, even a very simple network, is the basic, conceptual knowledge. If the concept of dhcp is totally alien to a person, it does not matter, that this is an easy thing to set up in MS-w2k. On the other hand, if people are well versed, in the concepts of tcp/ip etc, designing, and maintaining a network, is easy, regardless of OS. (for varying definitions of easy).
All in all, I think your analysis is wrong. Everything else being equal, the TCO would probably be lower using Linux with IBM-SBS, than MS-SBS. Linux is a really good OS, easy to maintain, and with a lot of flexible options.
But TCO's are not everything (or else, Linux would be much more dominant). Business applications, like accounting, trade journal cdroms, etc, are a much more deciding factor.
MS is clearly leading on that front (except perhaps for web-oriented shops), however, Linux keeps improving on that side too, as this IBM-SBS package shows.
Take a note, Linux developers.
Linux will slowly start to get a significant share of that fat & rich business server market. Take a note of that, windows developers;-)
>What's the point of USENET? The few times I've ever bothered with it, it's been nothing more than random flamewars...
/google, is the single largest repository for technical information in the world. I have often found better info on usenet, than on the web.
There are still many great Usenet groups, you may not have found them, but they are there.
That there are also a lot of crap groups, flooded with trolls, kooks and spam, is because it is free and anarchic (the alt.*).
In many respects it is similar to the web; Huge, disorganized, full of crap, with some real gold nuggets here and there.
How would you react to somebody who said "I have tried this web-thing a couple of times, but it was full of crappy, rotting homepages, pr0n, pop-up sites, and whizzbang rotating banners."
About the kernel list. It too, like many other mailing lists, had its share of spam (discussed many a time on the list, recently; Maps DUL)
The Usenet groups I follow are either totally spam free, or almost (a spam twice a year), thanks to moderation, or vigilant spamfighting.
And the kernel list does have a Usenet gateway, since Usenet readers, are an excellent way to read high volume lists.
>But then again, it always surprises me how much "forward-thinking" tech types seem to want to cling on to the past.
Usenet, as archived by deja
If you need such info, then it would be a rather backward thing, to disregard Usenet.
And yes, thanks to google, you too can access Usenet by the web, with all the hyperlinks and html, that you crave.
Ok. I am not a history scholar, but I have occasionally worked with different archives during the past years; with the Danish State archives, and The Berlin Document Center (has a new name now).
The amount of information (archives) that a state amasses, is simply astounding, and that's just the bits that go into the archives; at least 90% of all paperwork is scrapped even before that.
An example; I helped a scholar do some statistics on black market crime during and after the war;
He examined a single, lower court, in the period from 1940-1953. "Only" 8000 cases went through this court, but just the verdicts alone, averaging 3 pages per case, amounted to 25000 pages, bound into fifty, 500 page tomes. Each of these cases, would also have generated a "file", containing eg. police interrogations, wiretapping records, anonymous letters, forensic evidence, case evidence, court orders, affidavits, etc. A really conservative estimate would be, that each case, would have generated at least 20-40 pages, meaning that just this single court, in a few years, could have archived 100.000 - 200.000 pages. A totally impractical thing to do. Therefore these files were "cleansed", before being archived.
If all those papers that public institutions produce were preserved, we would be swamped in archives. Some stuff simply has to go.
Old-style paper archives have a physical storage problem. Modern "bit-based" archives should in theory, be less burdened by this. (200.000 pages should fit handily into a single cdrom.)
But on the other hand, modern information systems make it so much easier to generate, and preserve information. (just think of how many gigabytes of information a single company has on its servers)
How many emails are sent every day? 5-10-20 millions? If just a fraction of these, say 100.000, were preserved every day, think how many freaking million emails that would be during a short period of 50 years. But more importantly, how many (and which) emails would posterity need, to say something about our time, and the social pattern behind the phenomenon; email?
The main problem with digital archives, is the same as with paper archives; You can't, and shouldn't try to preserve everything.
I don't doubt, that over time, even the majority of that information selected to be preserved, will be lost, due to bit-rot, war, fire, carelessness, natural disasters etc, during the next 1000 years. But even if just, a tiny, tiny, fraction of this is preserved, there would be "enough" information, about our time, for the historians to make a good overall picture.
A single, modern "Statistical Yearbook", probably contains more demographic information, than all medieval archives put together.
A modern public library, probably contains more works, and written information about the last 100 years, than have been preserved, from when man began to write, until the Middle Ages. Still, a lot can be said about the Roman Empire, even though so precious little in writing has survived.
So to reduce future archives to a manageable size, the majority of information simply has to be discarded. Then it is more likely, that there will be funding, for preserving the rest in a proper way.
Consider the amount of time, money, blood, sweat and technology, that goes into carefully extracting scrolls from the Pompeii site, and making them readable, it should be a "trivial" task to recover any kind of non-encrypted data, no matter what digital media it resides on. However, the cost of doing so may not be trivial. Just think on how many data formats, future historians would need to reverse engineer, just to cover this last decade.
"Remember: the victors always have and always will rewrite history as much as possible."
How I have come to loathe this dogma.
Originally, it stems from the fact, that sometimes only one part's "history" survived from ancient times until today (Athens, Ancient Egypt spring to mind).
But the dogma really isn't true anymore; First, in democratic countries, it is impossible for the state to directly control, what history is written. Secondly, after having dealt with the massive "memory" rewrites among former Waffen-SS soldiers, I can only conclude, that the losers are just as eager as the winners to rewrite history; there has been a huge amount of revisionist "history books" written since the 2. WW. ended. From outright holocaust denial, to apologetic "Waffen-SS coffee-table books", where the W-SS soldiers are portrayed as just a bunch of happy, anti-communistic boy-scouts, on a picnic in the USSR. None of them were ever Nazis, or anti-Semitic, they never saw any warcrimes (except those the Russians made), blah, blah, blah. Total denial of facts.
So a better dogma would be:
"Remember: both the winners and losers always have and always will rewrite history as much as possible."
Historians know this of course.
D*mn. Something went very wrong with my moderation. The above post is "informative", not a "troll".
Hope this post cancels my fumbling moderation.
Konqueror from KDE 2.1.X has a "Disable "window.open()"" in the "JavaScript" tab.
Not much, but better than nothing.
Yes, Netsaint is an impressive package. Been running it since v. 0.4 without any problems whatsoever.
It really gives you a good "feeling" on how the network performs.
It also has a very good, and steady development cycle, and a good roadmap for future enhancements.
The nice thing about the web-interface is, that it makes it easy to show (management) what Netsaint is all about.
So you are quite right. No need to sneak in Netsaint, it is that good.
If you need to monitor Internet traffic, the Ntop (www.ntop.org) is a really slick and impressive package, that looks like it cost XXXX$. It is in furious development, so it isn't ready for production yet, unlike Netsaint. But if you need something like it, it is worth to keep an eye on.
We plan to deploy it within the next month or so; since we have a managed Cisco switch, we will use CPAN to duplicate the port running to the router, and lead it into a locked down box in the DMZ. That way we can sniff & map network traffic between LAN and Internet, without running a daemon on the actual firewall.
Regards
Peter H.S.
Netsaint is a really good program. And the web interface isn't necessary for its functionality.
/user partition is 95% full {sell HDD|remove files}"
Basically, Netsaint is a daemon, which through various plugins (premade or your own scripts), monitors your network. The plugins are just CLI programs or scripts. Netsaint either performs active service checks; e.g. the "check_pop3" plugin logs into the pop3 server, and checks if it works, or passive checks; the remote host delivers the result of a service check to the netsaint monitoring host. Of course, one can also perform remote checks through OpenSSH, if you don't want to run a daemon on the remote host, or the function one wants to monitor isn't a service as such (load average etc).
The results of these checks go into a standard text logfile (just grep and awk). But the strong point of Netsaint is not so much its ability to monitor services, but in its handling of the service checks:
E.g.: if the pop3 doesn't work after 3 tries, and it is a working day, during business hours, send me a mail, and page me asap. If it is weekend, just send me a mail, but both mail and page Poor Joe.
If I haven't responded to the problem within X hours, escalate the problem to this list of people.
If the pop3 goes back online again, send me a mail too.
Or: if the 5 min load average during business hours goes above 1.5, write a warning in log, but don't mail me. If the 15 min load average goes above 2.0 mail me. If it goes above 3.0, write "Slashdot effect" in the logfile, and mail everybody on this list, turn on the sprinkler system, and dial out using this modem, on this spare POTS, and leave a naughty message on cowboyneals telephone answering machine.
Of course, one can also monitor and check whether the service checks are performed or not.
In short, Netsaint can monitor all kinds of events, and has a rather powerful way of dealing with these events, and none of this is in any way, dependent on the web interface. This is mostly used for viewing log-files, or giving one a quick overview of the health and status of the network. It is nice, but not necessary.
So in this case, your "web interface prejudice" isn't warranted;-)
I somewhat agree with you, that web interfaces, as a primary interface, usually feel clunky and sluggish. But web interfaces can be quite useful, not perhaps for the Sysadmin himself, but because it means that he can delegate routine stuff to lesser mortals, like adding or removing users, managing mail lists etc., without exposing the l^Husers to anything "complicated", and at the same time, easily restrict them to only the small and limited subset of privileges they need to perform the job.
Now, this Tbox looks very good. It is yet another reason, for "sneaking" in a Linux box on the network, or sell as a service; it is nice as a consultant or sysadmin to have good diagnostic logfiles, when the customer calls in, and says "the Internet isn't working".
And better still, since Netsaint is pro-active, call your customer in the morning, saying "Your
Everybody loves screenshots, so check_url www.netsaint.org
Regards
Peter H.S.
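The check handling described in the comment above (three tries before alerting, contacts chosen by time period, escalation after X hours, a mail on recovery), sketched as an added example; it is not Netsaint code or configuration and not part of the original post. The class and function names, the 08:00-17:00 business hours, the 4-hour value for X, the weekday-night rule and mail as the escalation method are all assumptions.

```python
from datetime import timedelta

MAX_ATTEMPTS = 3                     # "after 3 tries" in the post
ESCALATE_AFTER = timedelta(hours=4)  # the post's "X hours"; 4 is assumed

def business_hours(ts):
    """Assumed definition: Monday to Friday, 08:00-17:00."""
    return ts.weekday() < 5 and 8 <= ts.hour < 17

def route(ts):
    """Contacts and methods for a failure confirmed at time ts."""
    if business_hours(ts):
        return [("me", "mail"), ("me", "page")]
    if ts.weekday() >= 5:            # weekend: mail me, mail and page Joe
        return [("me", "mail"), ("joe", "mail"), ("joe", "page")]
    return [("me", "mail")]          # weekday night: assumed, not in the post

class ServiceMonitor:
    """Tracks one service and decides which notifications a result triggers."""

    def __init__(self, escalation_list):
        self.escalation_list = escalation_list
        self._reset()

    def _reset(self):
        self.failures = 0
        self.down_since = None       # set once the failure is confirmed
        self.acknowledged = False
        self.escalated = False

    def acknowledge(self):
        """Record that someone has responded, which stops escalation."""
        self.acknowledged = True

    def result(self, ts, ok):
        """Feed one check result taken at ts; return [(contact, method)]."""
        if ok:
            was_down = self.down_since is not None
            self._reset()
            return [("me", "mail")] if was_down else []   # recovery mail
        self.failures += 1
        if self.down_since is None:
            if self.failures < MAX_ATTEMPTS:
                return []            # not confirmed yet: retry, stay quiet
            self.down_since = ts
            return route(ts)
        overdue = ts - self.down_since >= ESCALATE_AFTER
        if overdue and not self.acknowledged and not self.escalated:
            self.escalated = True    # escalate once; mail is an assumed method
            return [(p, "mail") for p in self.escalation_list]
        return []
```

Feeding `result()` a timestamp and a pass/fail flag for each check run returns the notifications that run triggers, so the alerting policy can be exercised on a constructed timeline without any real service.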
Well, the consultant may have sucked. But regarding the tapestreamer, he may not have been entirely wrong. I have RMA-ed several tapestreamers. Unless it was a DOA, it usually meant "factory service", which often would take several months. Unless you can afford to be without backup, you might as well buy a new one.
/. articles). It is so unlikely that the consultant could have benefited from that. And maybe the specific app, was a customer demand?
You never, never buy a backup solution smaller than the server's storage space. So it would actually be unethical of the consultant to do so.
He may, or may not have told a white lie about large IDE-tapestreamers, but believe me, IDE-streamers are too "cheap" to rely on, regarding servers. When you have experienced the mythical "Write-only" tapestreamer, after a server crash, one becomes very careful in selecting backup solutions. And I don't care that some people have anecdotes about IDE-streamers that worked for them.
And why was he looking for an IDE-streamer in the first place? Was it a customer demand for a specific interface, in perhaps a hope of saving some money? In that case, one should not use a consultant in the first place: Why pay money for experience, that you don't use. It sounds like you could have easily installed that IDE-streamer yourself.
Regarding the consultant installing spyware; I can hardly believe he installed a real piece of spyware. More likely it was one of those pesky pieces of free "spywares" (see previous
Perhaps this consultant was too meek and "hungry", to tell what he meant. Perhaps a more BOFH style consultant would have been what was needed:
"This *?!½ piece of *!?* IDE streamer was a bad idea in the first place...So you want to RMA it? Well, expect at least 2 months without backup, then. And actually, you really don't want it back, remember how it (expectedly) broke down within the first year? No, just dump it, take your losses and get something that works....You _insist_ on getting similar cr*p, -again? Well, I won't do that, but call me sometime in the near future, when that too, has broken down." (sound of a BOFH leaving in his Mercedes SLE)
Regards (no personal flaming intended)
Peter H.S.