Slashdot Mirror


User: PhiRatE

PhiRatE's activity in the archive.

Stories: 0
Comments: 136

Comments · 136

  1. A victim of my own tagline on Developing "Nth-Tier" Web Applications For Unix? · · Score: 2

    Please ignore the message I'm replying to. I was an idiot for the most part. And I recommend to fellow /.'ers not to reply to posts after working more than 30hrs, you produce drivel :/

    I think I have an interesting point on the reduction of necessary tiers by using the benefits of the open source model (good protocol cooperation and source modification), but for the most part that post was long-winded and silly, and not only that, but I didn't re-read the original question, so my ranting about the question being about Open Source software was totally bogus.

    I'll promise to be better next time :)

  2. Re:Tiers on Developing "Nth-Tier" Web Applications For Unix? · · Score: 2

    I appreciate your comments but note that starting off by dissing my experience pretty much makes whatever else you choose to say redundant, I won't listen to it, I'll just get annoyed, especially as I have extensive experience in the question at hand.

    The original question was talking about Open Source software. By definition this means that any given piece of business logic is available for hacking into whatever forms are desirable, therefore it is entirely appropriate to discuss solutions based on technology that works for you, rather than what the vendor or author has chosen.

    Certainly I have found that one of the true values of Open Source software is that you can use the architecture that should work and fit your software to it, rather than whatever architecture results from the various supported methods of interaction by the software you choose.

    A large part of my experience revolves around clustered computing environments, and I assure you that the model I outlined with "php and databases" as you put it, distributes very well.

    Both you, and the other reply here, pointed out that integrating the middle tiers with the front or back end systems means that it isn't possible to distribute the middle tier separately to one or the other. This is entirely true, and as far as I can see is the only valid argument for having a network (as opposed to internal) separation in the interface between the middle tiers and the first and last in an Open Source non-legacy environment (which was the context of the question).

    It has been my experience that the twisted, screwed up, heavily internetworked architectures utilised often by large companies to solve problems are the result of the closed-source model of development, and the resulting inability of the company concerned to make what are often minor changes necessary to simplify their architecture.

    As a result of many years of heavily closed-source deployment in business, a whole field of expertise has arisen around system topology which involves large piles of middleware, protocol conversion and application blackboxing.

    I believe, from my own experience, that utilising Open Source software wherever possible in solving similar problems has resulted in smaller, faster solutions that utilise less hardware and provide greater reliability.

    Certainly, in my current position, the stuff I'm responsible for is leaving every other department, who are using closed-source solutions to many of the same problems, in the dust. We spent a fraction of the money, and our systems have vastly less downtime, and considerably superior performance and functionality.

    I do not doubt that there are times when a real networked N tier setup is good. I maintain however that in the general case the selection of this model over a smaller N is due to software incompatibilities that cannot be resolved due to closed-source restrictions on the modification of the application. I also note the Open Source world's closer adherence to public standards and willingness to use commonly available standard libraries as a contributing factor to the fact that open code cooperates far more effectively than closed source software.

  3. Tiers on Developing "Nth-Tier" Web Applications For Unix? · · Score: 4

    I think you might have got a little obsessed with the concept of a "tier" for a start.

    Essentially, PHP by itself, or any language that supports abstraction, which is pretty much all of them, can be tiered; this is simply dividing your program logically into n parts, and having each part communicate with the others only through a tightly defined interface.

    The benefits of the 3 tier webscript/operations/database model are laid precisely in this tightly defined interface, benefits such as better security (fine-grained permissions checks can be made within the second tier, avoiding the possibility of last tier compromise), and logical simplicity within the webscripts themselves. However it is not necessary to have a three tier architecture actually run on three different applications as such.

    It is entirely practical for example to, in any major database, have both the first and second tiers within the database itself. Oracle, Microsoft SQL 6/7 and the rest of the heavyweights have built in programming languages which allow you to create SQL functions; some fairly simple configuration lets you force all incoming queries to functions rather than using SQL directly, giving you the opportunity to do the second tier authentication and abstraction using the database language.

    I don't particularly recommend this in the MS-SQL case at least, the language is ugly, but it does work.

    The other option is to create a good library set of objects or functions in PHP, say, and use that as your second tier, using require or include to pull in the libraries that do the logic work, and constraining yourself to simple operations and layout within the website PHP themselves.

    If you're really set on using a COM style system, you could try something like CORBA, PHP has bindings (http://www.php.net/manual/ref.satellite.php) which allow you to talk to CORBA objects, it is probably not, at this stage, as tightly integrated as COM is into ASP, but a few functions to wrap it up should work effectively.

    Personally, for most setups, I would recommend having a logical two-tier structure within PHP. I have found this to be most effective, since most of your logic is in the same language, and it is simple to map from one to another and shift the borders of the interface a bit when the client makes that irritating little request that totally destroys your design.

    Having worked heavily with a system that used 4 tiers (two within PHP and two within the database) I can say that that works very well, especially letting the second database tier handle solid permissions checks etc, making it much safer in the event of kids doing strange things with your web forms (although of course you should properly filter that stuff, but it's nice to have a safety net or two).

    perl is similarly capable for multi-tier design, although I personally find it less usable for web work than PHP.

  4. Individuals increasing their personal value on Me-Commerce · · Score: 3

    One of the interesting side topics in this kind of concept is that as individuals become valuable, it makes sense for them to attach knowledge and tools to themselves rather than the company that they're working for.

    This seems to be running hand-in-hand with open source software, with the software freely available what you really need is an admin to make effective use of it, and these admins, over time, create significant collections of configuration files, perl scripts, architectures and cooperative setups which solve regular problems effectively, patterns in the system/network space.

    While these are commonly available if you request them from the right place, i.e. the mailing list for a given app, some of this knowledge, especially in the higher orders of multiple application performance configs, is very hard to locate and invariably requires some customisation to the problem at hand.

    A goodly percentage of the value a company receives from hiring a competent administrator is their collection, either mental or digital, of configurations and architectures to solve problems.

    The question is whether it will turn into a situation where employees turn up at work with a CD of their own IP, heavily tested high performance plug-in configurations and a suite of scripts in order to make themselves more attractive to potential employers, or whether there is a constant flow back to the community, where only at the very bleeding edge are the configs and scripts hard to find, and as technology moves into mainstream so the relevant information to make it work well becomes publicly available.

  5. Re:Our comany firewall on Making Your Linux Box Secure · · Score: 5

    Just a few notes:

    Always enable ip_forwarding _after_ you have initialised your firewall; in this case, move the echo to ip_forward at the top down to the bottom of the script. The reasoning behind this is that without such a move, there is a short window during which your system will forward but your firewall is not in place, thus if the attacker somehow manages to reboot your firewall they can get through into your internal network in the clear. Certainly in this case this is a very small risk, but it's a trivial change and good for completeness.

    The best security policies are built from the "deny first, accept later" method. You should set the default policy on your network to DENY, and then accept what you need, not the other way around as you have done here. Yes this requires a lot more work, since you have to really figure out what you need to access, but it remains far more secure against unanticipated future attacks and insecure internal machine configurations (ie, leaving on a service that you didn't mean to).

    You should always drop martians on a firewall as well, a martian is a packet that has an address that should not be possible, this includes broadcast addresses you don't want, 192.168.* from the internet, 10.* from the internet, any addresses you have inside the firewall, etc. For complete lists check out places like securityfocus, they have some good resources, the iptables and ipchains sites have good information as well.

    Again, only accept in packets addressed to legal accessible hosts, only send out packets addressed from legal sending hosts.

    If at all possible, create a real internal network setup (i.e. a 192.168.* address space), and use NAT (available in iptables and ipfilter and to some extent in ipchains) to translate these to external. This causes even more difficulty for IP based assaults, as internet and internal packets must be explicitly converted before they are effective in either network, giving another layer of security. This also follows on to greater security possibilities such as a public and private DNS (one outside, and one inside, that give out only the relevant information, revealing little about your network structure), binding many services at the firewall and using port based NAT to forward different ports to different hosts (confusing the attacker, making more efficient use of network resources including clustering, and causing many multi-service exploits to fail).

    If possible, a reasonable variation in the operating systems used can be helpful as well. Don't use an O/S you're not familiar with, you're more likely to make a critical mistake in securing the box, but if you're familiar with OpenBSD and Solaris, use both rather than aiming for a single-OS network; it improves the odds of partial network survival in the event of operating system-specific exploits. This includes architectures too: most buffer overflow exploits come out for x86 systems, so having a PowerPC or MIPS system instantly improves your odds against those attacks.

    All in all it's a balancing game, but you can certainly make life extremely hard for those attempting to penetrate your network at many levels.
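
The ordering the comment above argues for, written out as an added example (this is not the poster's script nor the one being replied to): default DROP policies and martian filtering go in first, NAT is set up, and IPv4 forwarding is switched on only as the very last step, so a reboot never leaves a window in which the box forwards unfiltered. The interface names, the 192.168.1.0/24 internal network, the SSH-from-inside rule and the IPT/SYSCTL variables are assumptions; setting both variables to echo prints the command sequence instead of applying it.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed layout: eth0 faces
# the internet, eth1 faces a private 192.168.1.0/24 network behind NAT.
# Override IPT and SYSCTL with "echo" to print the rules instead of running them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl -w}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# Source ranges that should never arrive on the external interface
# (private, loopback, link-local, multicast, "this network").
MARTIANS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 0.0.0.0/8"

firewall_up() {
    # 1. Keep forwarding off while the rule set is being built, so a reboot
    #    never leaves a window where packets are forwarded unfiltered.
    $SYSCTL net.ipv4.ip_forward=0

    # 2. Flush and set "deny first" defaults on every chain.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # 3. Drop martians arriving from the outside, and drop anything leaving
    #    via the external interface that does not carry an internal source address.
    for net in $MARTIANS; do
        $IPT -A INPUT   -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
    $IPT -A FORWARD -o "$EXT_IF" ! -s "$INT_NET" -j DROP

    # 4. Now accept only what is needed: loopback, established sessions,
    #    outbound traffic from the internal network, and SSH from inside.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A INPUT   -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

    # 5. NAT the internal network behind the external interface.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    # 6. Only now, with the filter in place, enable forwarding.
    $SYSCTL net.ipv4.ip_forward=1
}

# Review helper: prints the command sequence without touching the kernel,
# so the ordering can be checked before the script is installed.
firewall_dry_run() {
    ( IPT=echo; SYSCTL=echo; firewall_up )
}

if [ "${1:-}" = "--dry-run" ]; then
    firewall_dry_run
fi
```

Running the script with --dry-run lists the commands in order; the thing to check in the listing is that the ip_forward=1 line is last and that the DROP policies precede every ACCEPT rule.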

  6. Re:Security != "security_from_script_kiddies" on Making Your Linux Box Secure · · Score: 2

    Actually, it is far more likely that the box you connected to had already been the target of a script kiddie, and he was using that as a relay. I expect you only got a picture of another victim, and his mother.

  7. Re:Large scale systems on Building Large Scale e-Commerce Systems? · · Score: 2

    My apologies, our current system has scaled up to a million hits/day, not a month :)

  8. Large scale systems on Building Large Scale e-Commerce Systems? · · Score: 3

    Yep, been there, done that. Our particular solution revolved around a cluster of linux servers fronted by a linux/iptables layer-4 router and various custom stuff to perform rapid failover. The cluster nodes themselves used Apache with PHP4, with a database backend and rsync to distribute content to the cluster nodes from a distribution box.

    In order to reduce the work, you could use a cisco localdirector or equivalent layer-4 switch instead of the iptables stuff, the rest should basically fit together almost out of the box.

    This solution scales very well and handles millions of hits/month. Recommended additions are squid running as an accelerator, since it can absorb a significant number of hits that apache would otherwise have to deal with. However the addition of the Tux in-kernel web stuff on the cluster nodes would probably be an even more preferable solution.

    Also recommend dual-cpu machines, they do really well with apache.

  9. Re:There are more than 20 (!) open source 3D Model on Free Stripped-Down 3D Studio Max · · Score: 2

    Oh wait, no, I was wrong, kinda, significant parts of it appear to be going open source (rendering daemon and other bits), but not entirely OS yet it seems.

  10. Re:There are more than 20 (!) open source 3D Model on Free Stripped-Down 3D Studio Max · · Score: 2

    Blender is actually Open Source (GPL) as of version 2.0, its only real problem is a lack of import/export vectors.

  11. Re:Can be 'foiled' on Multiplayer Game Cheating · · Score: 2

    I hate to burst your bubble..

    http://www.hackersquest.gomp.ch/html/seqfiles.shtml

    The ShowEQ program, with equivalents under Win, gives you plenty of information-leakage advantage under EQ. It reassembles the packet stream itself..so much for encryption..Also on that site, code to read all the data files, and some code which emulates an EQ server. EQ is just as vulnerable as everything else I'm afraid.

  12. Re:here's one on Where Can One Find Computer Related Charity Work? · · Score: 4

    I think you ought to calm down.

    Yes, there is untold suffering across the planet, yes terrorists are killing people and cutting off kids' hands, yes people are dying from AIDS and starvation, but the question is why is this happening less in countries well supplied with schooling, money and information technology? I say less because as anyone who has visited the dark side of major American cities can tell you, it isn't limited to the third world.

    It would seem to me that education is almost viral in effect. Teach one person to teach, and he can teach a dozen others. Attempting to get the median level of earning up by a small amount is counter to this concept. If you manage to raise ten people $10 above the median wage, what are they going to be able to teach the other 120 people? How to raise their wage $10. Get three people to $100, and you're going to have a far more profound effect.

    I think (and I emphasise think, since I have no formal training and have done no extensive documented research) that it is in fact possible to pull a culture up to first-world levels of education in a fairly short time. The members of those cultures are not stupid, they simply have tradition, and the older members are often resistant to change. Careful planning, followed by the introduction of, and intensive training in, modern technology for a small group would have, IMHO, a far more beneficial effect over the medium term on a large group of people, than attempting to upgrade all of the society a little bit at a time.

    Humanity is competitive, it is quick to learn and to teach, and I believe that attempting to shuffle 3rd world countries slowly into the 21st century at a rate which, in some circumstances, isn't even keeping up with the rate of change in the first world, is counter-productive. It leaves those few self-driven individuals capable of making contact with the first world with complete power, hence terrorists and dictators with heavy weaponry, and a terrified, unknowing, uneducated population with no way of coordinating and little knowledge that there is another way.

    And so I conclude, running cat5 around villages is entirely to the point. Get them out there, make them part of the world; yes it'll be hard on them, but the consequences of falling further and further behind, as many of the 3rd world countries, laden with debt, are doing now, are far worse.

  13. Re:OSM on Rosetta Disk For 10K-Year History · · Score: 1

    I find this all highly suspect. The Trolls have been running their little games on this site for so long now I don't believe a single one of them, and to be quite frank, this particular one is so full of holes you could drop a car through 'em.

    For a start, the link to http://warmann.com/broken/legal.html is broken, and http://www.warmann.com/users/broken/legal.html contains nothing but a short page indicating that the person concerned can't talk about the case right now. Given the Trolls' previous methods of being jerks, including Mr Goatsex et al, I have absolutely no faith that this isn't anything more than Yet Another Stupid Prank.

    Along with that, the story itself is dubious, apparently this person was contacted by a Lawyer..err..wow, what, he gave his phone number away or something? I doubt it, I'd be surprised if he even had a valid email address, but if he did I can assure him right now that email is far too easily forged for him to believe it actually came from Slashdot. More likely it was sent to him by some Slashdot user totally pissed off at his immature and idiotic antics. I'm pleased to say that this appears to have worked nicely, however his friend here has taken up arms against Slashdot, a free service he's abusing the crap out of, because of something that might possibly, but probably isn't their fault, using a method of informing people which I at least find incredibly insulting and a waste of space. No discussion, no thought, just "Oh look, /. apparently sent my troll friend an email from their lawyer!".

    My conclusion, Get a Life. The information you have presented has not one iota of evidence to back it, and you are a Troll.

  14. Patent! on NASA Prototype: Could It Make Mars Breathable? · · Score: 5

    They're infringing on my patent. I have a working example in my back yard of a much more efficient machine. It is also solar powered, using multiple redundant flexible green solar panels to absorb solar energy, a self-maintenance system that will repair or adapt to compensate for medium scale damage, a robust, flexible physical structure capable of withstanding considerable force by dissipating the energy throughout the structure and bending, and utilises as fuel a small set of chemicals and H2O.

    It has further advantages over the solar machine exhibited: its components are easily recycled into a number of useful objects, various parts are edible and it aids in topsoil stability. It is also capable of self-reproduction given a requisite amount of available fuel.

    It also comes in numerous makes and models suitable for every task, from extremely large to the inconspicuously small.

    I call it The Plant, and I would demand royalties on this inferior implementation except that..well..it's obviously so inferior no-one would ever buy it.

  15. Been here :/ on Toolkit Available For WAP programming · · Score: 5

    As someone who has implemented a medium-scale WAP application, I have only one thing to say: WAP sucks.

    The fact that it's based on XML is cool, the syntax is clear, the addition of a scripting language is fairly sensible, and yet I have many gripes:

    Motorola and Nokia have implemented their browsers completely differently. You simply cannot write a simple WAP application that will perform well and be user-friendly on both; you have to do it twice, once for each browser basically.

    Additionally, the WAP markup itself is full of redundancies; there are invariably several ways to achieve each effect. This would be fine except that each browser implementation treats them differently, causing something that is easily navigable in one browser to be a total mess in another.

    This on top of the already obvious flaws such as over-zealous caching despite headers, terrible error handling, buggy simulators (Nokia in particular) and confusingly unintuitive choices for various aspects make WAP at its current stage impractical to develop in with anything short of a Motorola and Nokia phone right in front of you to test with.

    I note however that if you can get your hands on a couple of phones to test with, things become easier, and with a bit of wire sniffing and using a decent backend language like PHP, you can whip up WAP applications fairly quickly. It's just not a small-time developer's game at this stage :/

  16. Is that really the problem? on Too Old To Code? · · Score: 3

    Personally I think there are two particular issues here:

    1. It's hard to stay current. Young people start off with a different viewpoint that often helps them, whereas older programmers have to constantly relearn; some people can do it, some people can't be bothered. Take the whole swing of Visual* stuff at the moment, definitely not my scene, the concept of designing a piece of software like that makes me cringe, but a lot of people are doing good stuff with it. If that's the way the future goes, I might end up obsolete out of pure stubbornness.

    2. It's damn hard work sometimes, long hours coding, hard debugging, caffeine and coke and pizza diet; maybe I'll be sick of that stuff by the time I reach 40-50. Maybe I'll start writing books like a lot of other older programmers have, beats all-night slugfests with gdb.

    But I have one consolation, one little guarantee: if I still wanna be in the game when I'm that old, in about 2038 all the unix boxes are gonna need recoding to solve time(); issues. Resurgence in C system programmers? I think so :)

  17. Re:Disturbing - You missed the bug fix :) on Open-Source != Security; PGP Provides Cautionary Tale · · Score: 2

    Damn. You're right :) It's a new bug *frown*. I guess I should probably get rid of the loop, but without knowing exactly the function of the procs below the read I can't be sure what is appropriate. Rats.

  18. Re:Disturbing on Open-Source != Security; PGP Provides Cautionary Tale · · Score: 2

    > It's likely a mistake not to check the return on malloc(). Calling free() on a null pointer isn't good ;) Unless of course, some error checking is done in pgpAssert, haven't looked.

    That's exactly what pgpAssert() does :) Checks for a 0/NULL value and bails if that occurs.


  19. Re:Disturbing - You missed the bug fix :) on Open-Source != Security; PGP Provides Cautionary Tale · · Score: 2

    > Shouldn't your read be !read(fd,RandBuf,1) as per the Bug-Fix that was posted :)

    Nope. Because I allocate the correct buffer length etc, and because I don't assign the read return value into the buffer.

  20. Re:Disturbing on Open-Source != Security; PGP Provides Cautionary Tale · · Score: 2

    Yeah we lost a bit: in the for line, i < count, /. ripped the < out. Hey CmdrTaco, how about a Code Mode for submissions that fixes stuff like that? :)

  21. Disturbing on Open-Source != Security; PGP Provides Cautionary Tale · · Score: 3

    The number of errors in that code is truly disturbing. Here's my contrib for a first try at a decent fix. I hate the code layout though :)

    God knows whether this thing will format ok when it turns up on /. tho :) My apologies if gt's or lt's go missing.

    Not too comfortable with the sizeof(unsigned char) stuff, probably better as something like sizeof(*ReadBuf). Anyway, I'm sure there's plenty of errors, get stuck in.

    #include <stdlib.h>     /* malloc, free */
    #include <unistd.h>     /* read */

    static unsigned
    pgpDevRandomAccum(int fd, unsigned count)
    {
        unsigned char *RandBuf;
        unsigned i;

        pgpAssert(count > 0);   /* Make sure we have a count */
        pgpAssert(fd >= 0);     /* Make sure we have a valid filedesc */

        /* Allocate a buffer for the count, and check we got a valid alloc */
        RandBuf = malloc(sizeof(unsigned char) * count);
        pgpAssert(RandBuf);

        for (i = 0; i < count; i++) {
            /* If the read fails, bail */
            if (!read(fd, RandBuf, count))
                break;
            pgpRandomAddBytes(&pgpRandomPool, RandBuf, count * sizeof(unsigned char));
            pgpRandPoolAddEntroy(256);
        }

        /* Free buffer */
        free(RandBuf);

        return (i);
    }

  22. Re:In general on Slashback: Taxes, Fraudulence, Woodland Creatures · · Score: 2

    I appreciate your compassion and consideration. However, in this case, I think the party who did a bad job was whichever executive made the decision to co-opt Kerberos, in the sleazy way Microsoft normally does things. Whoever made that decision DOES deserve scolding and a virtual slap, and more. Since they're already lying to us, stealing from us, and otherwise treating us with such dismissal, I doubt their feelings would be hurt no matter how many names we call them. Which is too bad, because I wish there was a way to correct their antisocial behaviour, just as we try to correct a child's antisocial behaviour.

    It is unfortunate that in this case, just as in many others, relativism comes into play, they just don't see themselves as doing wrong, and as a street missionary once said to me, "A man convinced against his will is of the same opinion still". A little poetic but true all the same, until they realise of their own volition the harm that they do, we can try and correct them all we like and it will make no difference.

    Even if the breakup of Microsoft goes ahead, all it will achieve is the protection of society from its practices, it will not change how Microsoft views its strategy, indeed they may try all the harder, believing themselves unfairly treated.

    I suspect that in the long term there is only one way to resolve those kind of differences, you have to be recognised as someone whose input counts to the other party before it is possible to convince them of an alternate view, and you have to be prepared to be convinced in turn, for surely we are not always right :) I suspect psychology literature might be the best source of wisdom on this subject.

  23. Re:In general on Slashback: Taxes, Fraudulence, Woodland Creatures · · Score: 2

    > The point? While your thesis is valid, your example was poorly-chosen. IMO.

    Upon reading your comment, I totally agree :)

  24. Re:Sorry on Slashback: Taxes, Fraudulence, Woodland Creatures · · Score: 2

    Apology accepted on behalf of myself, and I hope, others.

    Have a nice day :)

  25. Re:In general on Slashback: Taxes, Fraudulence, Woodland Creatures · · Score: 2

    Amusement noted :)

    But on a more serious note, noting the actions of another is not "bad" per se; it is when you attach motive or extrapolate that things can go wrong. Saying that Microsoft have released specifications under a weak security system and are now utilising a controversial law to make up for the failing is one thing; declaring them to be stupid for having done it, or attributing malice to the actions they're taking via the law to attempt to recover from it, is dubious.

    Somewhere in Microsoft, undoubtedly, someone is feeling rather upset right now, because of their failure to consider or foresee the result of releasing the documentation in that particular format. While I consider the entire operation to be a mistake from the start, I do feel kinda sorry for that person, and the others involved. They had a job to do, they did their best and have been found wanting, a terribly unpleasant feeling I can assure you, and I have little doubt that most other people know just how unpleasant it is.

    I feel no desire to add, however indirectly or insignificantly, to that burden.