There is absolutely no reason, NO FUCKING REASON, why any of this information should ever be on a machine that is accessible from the Internet. Hell internally-speaking this is absolutely no reason for all but a handful of internal employees to have unfettered access to this data. IMHO access to this data should require manual intervention. If you want to run a query against it someone on that isolated network should have to type it in manually. If you want to do something grander with the data you should have to bring the query in on a physical medium like a CD, run your query in the isolated system, and then write the results to another medium. This would give people access to the data that they need and nothing more. I don't know. The whole damned system is jacked up. Stop storing the data and people wouldn't have this problem.
I live in the Midwest. It's not exactly the busiest place in the world but I often find myself too busy to go shopping. At times I'll eat every last thing in my cubbards before going to the store. I may go once a month and spend $250. It may take me all afternoon to pack it up as well. I would like to find more time to cook. I think I could do this if I could lessen the amount of time I spend doing other crap (other than work crap). I have a maid service come in twice a month to give the house a once over. That cuts a handful of misc tasks off my monthly list of stuff to do. I picked up an old riding mower which cut my mowing time down from about 90 minutes to 10. I even order many of my clothes online. I know my sizes. I could spend 30 minutes shopping online and pay $15 in shipping (or wait until I get a free shipping ad) or I could spend 90-120 minutes in a crowded store elbow to elbow with screaming kids and parents that don't give a damn. Compound that with not being able to find clothes in my size or the color I want and you've got yourself a horrible shopping experience. It's actually cheaper for me to buy things online because I save time, find what I want, and frequently find a good deal in the process. Not bad.
Basically I already try to embrace many of these services already. If I could have at least basic food supplies delivered to my doorstep for a small extra cost then I'd jump at the chance. There is a food service in my area that delivers food. It even does this in the very rural areas. It's called Schwans. Unfortunately they have a steep markup. If a company like Amazon can do something similar without the huge markup then I'm all for it.
Of course she'd still sleep easy. The majority of the 25-40 year old crowd can't find the time to GET OFF THEIR FAT ASSES AND VOTE!!! So why should it concern her in the least? Hey comments pleased a larger body of voters than it pissed off. There is no fear of reprisal from people that don't vote.
There was an unsolved murder in my home town, I believe shortly before I was born. The local part-time deputy contaminated the crime scene when he moved the shotgun that was used to blow the victim's face into little bits of hamburger. While this may be somewhat commonplace in larger communities it's not in a rural community under 250 people. So no, Jack, I'd say that things like this happen without the involvement of violent video games. That is unless of course Pong and Mrs. Pacman drove the killer to do it. There wasn't much else available at the time. The Atari 2600 wasn't even out yet.
Quite frankly a software security issue from the 80s is pretty much irrelevant in any modern security discussion. Why? Simply put people didn't give any thought to security in those days of the Internet. The Internet back then was almost entirely a trust system. You could rattle off most of the names of the major players on the 'Net quite easily. Security thoughts rarely even came up in a What If scenario because security breeches simply didn't happen. I'm sure the cave man that invented the door didn't see any point in putting a lock (think wedging the door) on it for many years after its invention, that is until a security breech happened and someone stole his Bronto Burger.
I've been admining large Sendmail installations for 10 years now and haven't once ever had to refer to the Bat Book. The online documentation and support forums are more than enough for any person with remedial grasp of mail administration.
The biggest reason I switched away from sendmail was I did lose data because of mbox file corruption on two occasions. Maildir is much better at protecting against that.
That has absolutely nothing to do with Sendmail. The MTA is not responsible for writing mail to disk. That's the function of a LDA such as Procmail. If you didn't like the Berkley mbox format then you should have configured Procmail to use MailDir or switched to a different LDA. Setting up Procmail to use MailDir is quite trivial, especially if you spend a few minutes googling for the recipe instead of writing your own or copying it out of the man pages.
such as a call from overseas followed by a flurry of domestic calls are used to identify leads
...for example, a relative from overseas calls to say that Uncle Buck died in his sleep last night. Or when your daughter who's living abroad calls to say that she's fallen in love and is getting married. What do you do after receiving such a call? You call all the members of your family. There are 2 trivial scenarios that break the system.
I like the analogy. It makes me wonder about something though. Lets say I'm a consultant in state A. A person for Acme calls me from state D and pays me for 2 hours of my time to work on XYZ in their primary state D POP. Do I owe taxes to state D? I may be using the state's resources if the state helped pay for or subsidize any of the fiber infrastructure that I may be crossing. What about states B and C? What if they too subsidized their state's fiber plant and I'm transitting across their network resources. Do I owe them taxes too? The absurdly of the analogy can grow exponentially too. What if state D's power was generated in state E. State E paid for the high-voltage aerial lines to their border and state D paid for the lines to their distribution grid as well as the monthly costs. Do I therefore owe state E taxes as well? The reservoir that provides the city in which Acme built its business comes from state F. Yadda yadda yadda. That is an example of the analogy reaching absurdity but of course our government redraws that boundary often.
I can't honestly say that I feel saddened by this. It's a shame they didn't simply crush his hands or something though. Let him live a miserable life without the ability to control a computer with ease.
Both really. I literally have a virtual machine dedicated to Azureus. It's a 2k3 Server (to save resources on the VMWare box) that runs one application: Azureus. The main output directory from Azureus does resides on a network share so that I can more easily expand it after the fact. It isn't virus-checked by the virtual machine and the host machine though so I feel fairly safe.
I agree though that downloading executables nowadays is not a good idea. Alas people still do it.
LOL. Only if I was blind and it was in braille.;-)
Actually I've been downloading gigs of training material (PDFs, CHMs, videos). That would be the documentation I was referring to. There's a substantial amount of this data on BT. I believe the other kind of "documentation" is more prevalent on the other types of P2P services.
Oh, I see. So what you're saying is that you'd forego actually knowing how to properly design a NTP system in lieu of simply bombarding stratum 2 and 3 servers with queries directly from your individual desktops. I see. That makes sense.
Yes folks, there is a right and a wrong way to set up NTP. Having each of your individual clients poll stratum 2 or 3 (or Allah forbid a stratum 1 server) directly is like configuring each of your clients to poll the the Internet's DNS Root Servers directly. After all very few of the queries sent to the root servers are unnecessary or frivolous. A proper NTP design is essential for any entreprise-class network. I include in this ISPs. ISPs should provide their customers with a locally-available NTP service. It's extremely easy to do. Then they should block outbound NTP queries from their dynamically-assigned customers (allowing the statics out, like you normally would for exceptions to ACLs like when you block SMTP out (you do block outbound SMTP, don't you?)). I've long-since believed that NTP will someday become a point of attack. It's not that I find a fault in the program or protocol but the very fact that it's a protocol used to enhance security and improve auditing and certainly isn't out of the minds of hackers. NTP would be fairly easy to DoS if proper ACLs aren't in place.
The point of all this is that NTP is very easy to set up correctly and is even easier to set up wrong. I wish everyone would spend the extra 0.001% of effort to do it right.
This also emphasizes why all P2P users should quarantine their P2P software inside a virtual machine. VMWare's recently renamed VMWare Server" product is free and is a perfect way to isolate your P2P software from the rest of your machine. I actually employ this method myself. Much of the documentation I download is infected and this method prevents that infection from getting back to the host server. Plus it's quite easy to rollback changes to a time before the infection and start over.
I have an aunt and cousin that I simply can not help. They inquired about a PC. I tried my best to explain in very simple terms what they should look for. Finally I told them to buy a Dell. A month later they're asking the same questions. Every time I'd see them they'd forget that they already asked me the same sets of questions. Eventually I stopped taking their calls and letting it go to voicemail. The next thing I know they ignored my advice and bought some neighbor's really old PC. I found about that they did this because they called me for support. They couldn't play their audio CDs. Then it was this, then it was that. I refused to work on it in person which had the unfortunate side effect of creating a series of very long and frustrating calls. I simply wouldn't help them. I'd recommend finding a local computer shop and taking class. "Well, what about this?" I just answered that question no less than 60 seconds ago. Find a local computer shop and take a computer class. Collectively my aunst and cousin have less computing knowledge than my cats. Some things are not meant to be understood by some people. Computers are not meant to be understood by my aunt and cousin. My answer now for any question they ask me is that I do not know Windows. I do not use it. I can't be of any help. Call a computer shop, buy a book, and take some classes. OMG, I just cut off my leg with a chainsaw. *click* I hate to be rude but they simply don't get it. I could flat out say that I refuse to help them and they wouldn't get it. They'd ask the same question 10 seconds later. I wouldn't mind helping if they ever made progress. However they haven't made any progress. In fact I think they've actually gotten worse, collectively. It's not like she's 80 either. He's in his teens. She's in her early 50s. They can program a VCR between them. They should get this eventually.
Cut your losses and run. If it's a business then raise your rates. If it's an individual then politely bow out and give them references to other sources of support. Tell them that due to new commitments and policy changes that you will not be able to do work outside of hours.
I can think of a similar example. I work for a consulting company that does everything from PBXs to network engineering to systems, SANs, and VMWare design and installation. One client in particular has a fairly large PBX installed. They queue up most major things for our phone tech to come out and work on once a week but regularly some exec gets a burr up their ass and decide to move offices. They can't wait the remaing -4 days in the week for the regularly-schedule office move day. They become the squeaky wheel that management appeases. Our phone tech spends an hour or two locating jacks, moving cross connects, and updating documentation for a single station Whereas he could do 4-5 in 3-4 hours time. It's much more efficient to do many than do just one. Nevertheless the client still calls the tech out multiple times throughout the week. We certainly don't mind because its good revenue. If only they'd gone with a VoIP installation...
There are dozens of uses for null routing on ISP networks. For example you can use simple static routes to match all private (RFC1918), reserved for special purposes (RFC3330), and unassigned (Google for "BOGON") netblocks and route them to Null0 (a logical interface that basically drops the packets, much like the data bursts are dropped when sent to/dev/null. This is basic ingress/egress filtering that should be deployed on all border routers. You don't want to accept packets destined for your network that claim to be from a RFC1918 address because they are almost certainly spoofed (or another upstream ISP has an idiot for a netadm and your common carrier also employs idiots for not doing ingress filtering on customer access circuits). This is actually less CPU intensive than an access-list. Most mid to upper-end routers today can offload routing decisions to ASICs, whereas access-list decisions still bounce off of the CPU in many cases. You lose much of your logging capabilities with this method however.
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when you network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (ie, a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the routes changes propgate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Lets say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A/24 has been allocated for this AS. Your AS advertises that/24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that/24. Instead individual routes are added as individual users dial in. Lets say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
Slashdot Mirror
There is absolutely no reason, NO FUCKING REASON, why any of this information should ever be on a machine that is accessible from the Internet. Hell internally-speaking this is absolutely no reason for all but a handful of internal employees to have unfettered access to this data. IMHO access to this data should require manual intervention. If you want to run a query against it someone on that isolated network should have to type it in manually. If you want to do something grander with the data you should have to bring the query in on a physical medium like a CD, run your query in the isolated system, and then write the results to another medium. This would give people access to the data that they need and nothing more. I don't know. The whole damned system is jacked up. Stop storing the data and people wouldn't have this problem.
Basically I already try to embrace many of these services already. If I could have at least basic food supplies delivered to my doorstep for a small extra cost then I'd jump at the chance. There is a food service in my area that delivers food. It even does this in the very rural areas. It's called Schwans. Unfortunately they have a steep markup. If a company like Amazon can do something similar without the huge markup then I'm all for it.
I believe Dillons does as well. Wal-mart Pharmacies in some areas do deliveries to the eldery as well. My siste did that during college.
I thought that sales calls to mobile numbers was illegal? Of course that's what I always tell any salesdroid that calls me on my cell.
Of course she'd still sleep easy. The majority of the 25-40 year old crowd can't find the time to GET OFF THEIR FAT ASSES AND VOTE!!! So why should it concern her in the least? Hey comments pleased a larger body of voters than it pissed off. There is no fear of reprisal from people that don't vote.
There was an unsolved murder in my home town, I believe shortly before I was born. The local part-time deputy contaminated the crime scene when he moved the shotgun that was used to blow the victim's face into little bits of hamburger. While this may be somewhat commonplace in larger communities it's not in a rural community under 250 people. So no, Jack, I'd say that things like this happen without the involvement of violent video games. That is unless of course Pong and Mrs. Pacman drove the killer to do it. There wasn't much else available at the time. The Atari 2600 wasn't even out yet.
Search for "tidal wave".
This is actually even supported by the article you site in section 4.5:
The first fact to face is that Unix was not developed with security, in any realistic sense, in mind... [Dennis Ritchie, "On the Security of Unix"]
Quite frankly a software security issue from the 80s is pretty much irrelevant in any modern security discussion. Why? Simply put people didn't give any thought to security in those days of the Internet. The Internet back then was almost entirely a trust system. You could rattle off most of the names of the major players on the 'Net quite easily. Security thoughts rarely even came up in a What If scenario because security breeches simply didn't happen. I'm sure the cave man that invented the door didn't see any point in putting a lock (think wedging the door) on it for many years after its invention, that is until a security breech happened and someone stole his Bronto Burger.
I've been admining large Sendmail installations for 10 years now and haven't once ever had to refer to the Bat Book. The online documentation and support forums are more than enough for any person with remedial grasp of mail administration.
That has absolutely nothing to do with Sendmail. The MTA is not responsible for writing mail to disk. That's the function of a LDA such as Procmail. If you didn't like the Berkley mbox format then you should have configured Procmail to use MailDir or switched to a different LDA. Setting up Procmail to use MailDir is quite trivial, especially if you spend a few minutes googling for the recipe instead of writing your own or copying it out of the man pages.
I like the analogy. It makes me wonder about something though. Lets say I'm a consultant in state A. A person for Acme calls me from state D and pays me for 2 hours of my time to work on XYZ in their primary state D POP. Do I owe taxes to state D? I may be using the state's resources if the state helped pay for or subsidize any of the fiber infrastructure that I may be crossing. What about states B and C? What if they too subsidized their state's fiber plant and I'm transitting across their network resources. Do I owe them taxes too? The absurdly of the analogy can grow exponentially too. What if state D's power was generated in state E. State E paid for the high-voltage aerial lines to their border and state D paid for the lines to their distribution grid as well as the monthly costs. Do I therefore owe state E taxes as well? The reservoir that provides the city in which Acme built its business comes from state F. Yadda yadda yadda. That is an example of the analogy reaching absurdity but of course our government redraws that boundary often.
I can't honestly say that I feel saddened by this. It's a shame they didn't simply crush his hands or something though. Let him live a miserable life without the ability to control a computer with ease.
I agree though that downloading executables nowadays is not a good idea. Alas people still do it.
Actually I've been downloading gigs of training material (PDFs, CHMs, videos). That would be the documentation I was referring to. There's a substantial amount of this data on BT. I believe the other kind of "documentation" is more prevalent on the other types of P2P services.
BTW, please substitute rotation for orbit. Thx
...Oprah's weight. Didn't you get the memo?
Yes folks, there is a right and a wrong way to set up NTP. Having each of your individual clients poll stratum 2 or 3 (or Allah forbid a stratum 1 server) directly is like configuring each of your clients to poll the the Internet's DNS Root Servers directly. After all very few of the queries sent to the root servers are unnecessary or frivolous. A proper NTP design is essential for any entreprise-class network. I include in this ISPs. ISPs should provide their customers with a locally-available NTP service. It's extremely easy to do. Then they should block outbound NTP queries from their dynamically-assigned customers (allowing the statics out, like you normally would for exceptions to ACLs like when you block SMTP out (you do block outbound SMTP, don't you?)). I've long-since believed that NTP will someday become a point of attack. It's not that I find a fault in the program or protocol but the very fact that it's a protocol used to enhance security and improve auditing and certainly isn't out of the minds of hackers. NTP would be fairly easy to DoS if proper ACLs aren't in place.
The point of all this is that NTP is very easy to set up correctly and is even easier to set up wrong. I wish everyone would spend the extra 0.001% of effort to do it right.
This also emphasizes why all P2P users should quarantine their P2P software inside a virtual machine. VMWare's recently renamed VMWare Server" product is free and is a perfect way to isolate your P2P software from the rest of your machine. I actually employ this method myself. Much of the documentation I download is infected and this method prevents that infection from getting back to the host server. Plus it's quite easy to rollback changes to a time before the infection and start over.
Damn you Pat Robertson!!!
Cut your losses and run. If it's a business then raise your rates. If it's an individual then politely bow out and give them references to other sources of support. Tell them that due to new commitments and policy changes that you will not be able to do work outside of hours.
I can think of a similar example. I work for a consulting company that does everything from PBXs to network engineering to systems, SANs, and VMWare design and installation. One client in particular has a fairly large PBX installed. They queue up most major things for our phone tech to come out and work on once a week but regularly some exec gets a burr up their ass and decide to move offices. They can't wait the remaing -4 days in the week for the regularly-schedule office move day. They become the squeaky wheel that management appeases. Our phone tech spends an hour or two locating jacks, moving cross connects, and updating documentation for a single station Whereas he could do 4-5 in 3-4 hours time. It's much more efficient to do many than do just one. Nevertheless the client still calls the tech out multiple times throughout the week. We certainly don't mind because its good revenue. If only they'd gone with a VoIP installation...
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when you network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (ie, a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the routes changes propgate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Lets say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that /24. Instead individual routes are added as individual users dial in. Lets say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
Very useful info. Do you by chance have any links or keywords one would search for to gather additional info?