The Africanized bees ARE adapting fairly well and have further crossbred with (now) indigenous honeybees and as a result are able to handle the cold much better than they have in recent years. As a result of this they are moving further and further north each year. I saw a documentary recently that stated that some scientists thought they would eventually make it up through Canada and to the southern parts of Alaska eventually! IMHO that may be a little overstated (although I'm no scientist), however you can see from this map that they are hitting southern BC now: http://www.adkinsbeeremoval.co...
You joke, but if you watch the excellent documentary "More Than Honey" (on netflix) you can see that due to the bee population being severely impacted in China they actually DO have people running around pollinating plants!
..and just because it's already done NOW, doesn't mean that it's useless to know! Knowing that employeeX is stealing company data allows you to potentially look further into what else the employee is compromising and put a stop to it.
I may be wrong here, but I had thought the reason they carried a more or less full feed was due to "common carrier" type laws, I.E., if you restrict CERTAIN groups, then that implies you APPROVE other groups, so if one of those other groups is illegal, the provider has legal liability. If you carry EVERYTHING (even with a short retention), then you can say you just carry "all" usenet, not the illegal groups specifically. Again, I may be wrong here...
...because even if you could ssh into your phone, it'd still be nice to be able to bring up your phone's display on your laptop. This could potentially reduce the need for even syncing your phone with your PC if you can easily access your PDA/phone data from your remote computer.
.or you can just get one of those el-cheapo "battery extenders" which are basically a simple external unit that cost about $10 and takes 4 *rechargeable* (only!!) AA batteries and plugs into the power jack. I've got one and it works great! (You have to use rechargeables because they have slightly less voltage than the std AA's, and otherwise you'll blow your Z).
For easy associating of access points or simply switching between multiple configured AP's with handy features like randomly changing your MAC address, check out my simple opie-sh app called SLapASS (Simple Linux access point associator) http://undertow.2y.net/zaurus/SLapASS/
SLapASS uses kismet to sniff out networks, and then uses that information for associating. With the latest OZ there is less of a need for this as now the OZ wireless app will also scan the local network, but it still doesn't offer that level of functionality that SLapASS does :-)
I put the latest release version of POF http://lcamtuf.coredump.cx/p0f.shtml (Passive OS fingerprinter) for the Z/ARM platform online as well.
Anyway SLapASS and some other Z stuff is at my web page here: http://undertow.2y.net/zaurus
Enjoy :-)
-kcurrie
Long ago I installed PocketWorkstation which is a debian install for the Z. It seemed great, but the SD/MMC driver at the time always crashed whenever there were heavy writes, which was anytime you tried to install a package :-( In recent times I haven't had any similar crashes, so maybe it's time to scrap the latest OZ which I just stumbled upon a few days ago and just go straight back to Debian :-) ..bought a new 1GB SD card at Fry's for $80 (after rebate) recently, so disk space shouldn't be an issue!
At least in the current version (sorry, the version that was current 2 days ago!) the RSA plugin doesn't work with meanwhile. Yes, I know sametime encrypts the traffic, but it doesn't hide it from THE MAN :-)
It's a Sun box! Boot it off the NETWORK via its PROM! Google on "boot net" and probably IPX and you should turn up a ton of links.
Of course, having a box that boots via tftp/rarpd as your firewall obviously leaves you open to a variety of issues if your firewall crashes and reboots :-)
The $50 fee is to re-enable their access after they have been cut off- AFTER they prove that they are clean, eitherc EXCEPT port 80 and 443 LEAVING their IP being clean, as well as passing through ISP initiated port scans looking for open ports unscathed. You could even force people to register the email addresses of people they wish to email with the ISP, and put a limit on it as well, assuming these people also wanted outgoing port 25 enabled. Since so many (often novice) users rely solely on webmail, this won't be much of a problem.
The $100 fee would INCLUDE a cheap (hardware) firewall which would prevent any incoming port forwards, and potentially limit the outbound connections as well. This would help stop the problem of PC's being infected and becoming open relays.
After somebody (or their machine) has been proven or suspected of being a spammer, an email should be sent to the customer telling them that all outgoing port 25 traffic from their IP will be blocked EXCEPT to the ISP, and even then only allow email to flow to "approved" admin type addresses, not the regular customer base. Implement a system where a user can interact with an AUTOMATED system to quickly re-enable their system, even if it is only to a small number of recipients, just so any critical emails they need to send can get through. After a day or two, have even those limited addresses blocked if the system detects large or abnormal amounts of mail being sent out.
If people cannot bother to read their email regularly (and get the admin messages), they should not complain (too loudly) if they miss a "critical" email which details why they can no longer email others.
The key here is EDUCATION, and of course the hardest thing to do is to get somebody to pay attention to something they know nothing about. Even the most fearful user would probably try to figure out why they keep getting hit by these $50 bills and keep having problems sending emails.
If somebody needs to constantly send 1000+ emails to a large variety of people (i.e. running their own mailing list) maybe they should apply for/pay for additional access anyway, so Joe-Bob and his mother can continue to have their basic no-frills service cheap.
Maybe with a little more education the average person will come to realize why us geeks are always pissed about the poor security of Windows boxes, and maybe, just maybe some of that will roll uphill to Redmond and change just a little of the way they implement things.
I can think of a million (probably impractical) hacks that could be put into place to help ensure your customer base is safe. An ISP could even go the route of using something like the Cisco Security Agent. There are a million links to it, but here's one from ZdNet for those of you all paranoid about marketing information: http://techupdate.zdnet.com/techupdate/stories/main/Cisco_Security_Agent.html?tag=tu.arch.link
Basically you could "require" your customers have something like CSA installed to protect their machines or they are simply not allowed on the network. Of course, common sense has to be used (something often lacking, unfortunately) when implementing such policies. If your chosen tool is not available for a specific platform, allow exceptions. We all know that (currently) the biggest threat on the internet is Windows machines anyway, so this isn't unreasonable. Even if something without as much capability as CSA was used, say something with ONLY the ability to just verify that the virus updates happened in the last X time period, and that critical update X has been installed, etc before they were allowed to access ANYWHERE except those locations, great, the vast majority of problems are solved.....just don't make a poor Linux or Mac user suffer with draconian, impossible to comply to restrictions...
The Zaurus is a tiny linux box. A powerful, tiny linux box. The first thing you should do when you get a Z is wipe the OS and instead install the excellent OpenZaurus (OZ). OZ is better than the original Linux install in nearly every respect. Don't think of your Z as a PDA, it's more like a tiny laptop.
Some of the things I do with mine:
email: I recently compiled Mutt with an IMAP header cache patch. One of the most powerful email clients in the palm of my hand :-)
wireless sniffing: As you know, Kismet rules the land of wireless sniffers. Pop a wireless card in your Z (or get a 6000 :-) and your neighbours will never be safe again :-)
mp3/ogg playing: Using either Opie-Player2 or the excellent tkcplayer. Unfortunately, I can't use the tkcplayer on the very latest version of OpenZaurus, not because it won't run (because it DOES almost start up when using "runcompat" but then tells me it can't run on this platform-- which it CAN otherwise it wouldn't be able to tell me that :-) TKC are you listening? Remove the check please :-)
Video playing: using a port of the best linux movie player mplayer. I've encoded a bunch of movies down to ~200MB with great results. You can pop a couple of these on a 512MB card for those long flights :-)
Coding: Of course, I've got gcc and perl loaded on the puppy. Hell, without perl I wouldn't be able to run Chaosreader, makes those long hotel stays much more interesting :-)
Exploit testing :-) Since perl and gcc work fine, I really haven't run into any common exploits I can't compile or run properly.
A couple of hints and tricks:
1) If you want to extend your battery life while doing things like mp3 playing or wardriving, grab something like Qoverclock and use it to UNDERCLOCK your Z. Turn down (or off) the display as well. Poke at it a bit and realize you can easily make a shell script to do without the GUI.
2) To maximize your space on root, ram, sd and cf, the single best thing to use is UCLX which works just like UPX. UCLX/UPX are executable file compressors-- you compress your executable and when you run it it decompresses (to ram) on the fly. The compression it uses is AT LEAST as good as gzip (or better) and the decompression is very fast. When using slower media like SD (or even CF) you'll find that executables will run FASTER compressed than they would uncompressed-- the CPU can decompress much smaller exe faster than the much larger uncompressed exe could be loaded from media and run.
3) When choosing a root/ram disk size for OpenZaurus, it's a good idea to pick a small root with a much larger ram disk. If (when) you need more ram, you can simply make some ramdisk swap files.
4) While you can run gcc right on the Z, it's also nice to use a cross compiler on your (much faster) desktop and then just cp the binary over. If you're too lazy to do cross compiles (or don't want to set up a ton of additional packages like ncurses, etc), you can also just ssh into the IPAQ development cluster and compile your code there. Typically it will run without issue-- sometimes you may want/need to statically link your programs or just grab the libraries from the ipaq and throw 'em on your Z. I haven't found a single thing yet I couldn't get to run.
5) Assuming you grab the required libraries, you can run basically all of the sw in th
Same thing here. PIII 866, Nvidia NVS, 2.4.22, same nvidia version. I too am running Debian (knoppix). OpenGL works fine, and I play gl-117 all the time. glxgears gives ~1100fps.
As for why I left Vonage, I was unimpressed with the call quality. I had Road Runner Business Class (I think 1.5M down, 768k up, although I might be mistaken) coming into my residence, and I would occasionally get static and dropped calls. Also, about 1 out of 10 calls the other party would not be able to hear me at all and hang up in frustration (assuming it was a crank caller or the like).
I've had vonage since last April, and when I *first* got it it was great-- no problems at all. I have fiber to the house, going back to a neighbourhood T1 (shared by only ~5-6 people in the end, and that went back to a T3 I believe). Anyway, once Nachi came out it basically wiped this ISP off the map as they had absolutely no filtering of any kind (i.e. windows networking fully available all over, etc). Once nachi traffic rose my phone was basically unusable. The ISP lost a ton of money and pulled out of Austin completely, except for Alarm monitoring apparently. Anyway, I got a TW business class cable modem too (2.5 down, 768K up in this case) and since getting it I've had not a single problem with Vonage. I can even have another IP phone running through a hw vpn concurrently with no bandwidth issues. The thing that makes the biggest difference is setting of traffic shaping/QoS. I set up an OpenBSD box and use its altq with excellent results.
For me the free long distance to Canada was the biggest thing-- we had phone bills over $100 all the time, now we pay $35.
I once accidentally bought a house "out in the sticks" (Osgoode, ON) where I couldn't even get ISDN (which I had while living in Ottawa). I grabbed a 486 that had 2 serial ports, added a serial card and put 3 56K modems on it. When I called Bell and asked for 3 additional phone lines they had to run a new wire from the curb to my house. On the 2 lines that ran across the connection I got 48K connections to the office (connecting to a Cisco AS5300). Note that I asked for 3 additional lines, and I already had one being used for voice. After multiple attempts they were unable to get all 4 lines working (they'd disable other ones, etc, etc) and I gave up on 3 modems, settling for only 2...anyway, using multilink PPP on a 2.1 series kernel worked perfectly, and it seems due to the modems' compression I was often getting better apparent speeds than I was on ISDN. Using (compressed) SSH across such a configuration was nearly the same as being in the office-- no problems at all. Of course the SSH's compression and the modems' compression didn't help each other, but I'd bet SSH compressed the data far more than the modem would have anyway. Pages with lots of text just flew down. I had the system configured to keep 1 line up all the time, and when there was traffic it'd dial on demand the other line, and keep it up for ~45 minutes before dropping due to inactivity.
IIRC, the total cost (to me, anyway) was around ($18*2) = $36/month for the phone lines + hardware of course.
BTW, I'd also tried multilink PPP on Windows (95 at the time) with equally good results.
Assuming I could hack up a method to just put ONE CD in there and then be able to have it act as a MythTV frontend it would be wonderful. Having to jump through hoops to first boot it would suck, but if I only rebooted it when there was a power failure, I wouldn't care too much. Small, quiet, with stereo sound and TV out, with wireless controllers available, sounds good to me.
Heh, I did RTFM, it wasn't there:-) It's there in Linux, but still not in Solaris. The boxes in question at the time were Ultrix boxes and I don't have any of those handy to check right now:-)..another poster mentioned that it was listed in the NetBSD manpages-- I wonder when it was added, as I'd swear it wasn't there back in those days-- I ran NetBSD on my Amiga 4000.
'tis true. While in college (1990) I did a similar thing, and another student and I worked frantically to try to kill the fork bombs as fast as possible. Of course, you can't be fast enough to kill a tight enough loop and the machine quickly was unable to run any new processes. We each had a bunch of xterms up, but any command we tried to run we got the old "no more processes" message. We thought we were screwed, until our very sharp prof (an engineer from Nortel actually) typed this into one of our xterms: exec kill -9 -1
The exec overlays the new process, the -1 kills all of the current user's processes. It seems the -1 option is a nice undocumented trick-- I don't think I've seen it mentioned elsewhere... don't do this as root, BTW :-)
Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?
At my kids school (a little under 400 people) I'm running squid on a P200 with *96MB* of RAM with absolutely no issues at all. The machine is mostly idle, and the load only goes up due to the snort and afick processes also running on the host:-)
Maybe 30% overall. For some things (at least almonds) they are responsible for 100% of the pollination.
> Don't be daft, SSL was created to prevent exactly these attacks, so why isn't it being used?
Because it takes lotsa CPU or dedicated SSL engines to encrypt that many connections.
Everybody's complaining about lack of software, etc, etc. Folks, you can run a full install of Debian on even a 5500 (which is what I have). I run firefox, thunderbird and just about any other app I want as they're all available from the Debian arm archive! I went into a big rant on /. once about it, got so much email about it I put it up on a web page. Anyway, a karma-whoring I go, see here: http://undertow.2y.net/zaurus/
On my page you'll find cool stuff like my (unmaintained) SLapASS program (wireless app that uses kismet to sniff out networks and then associate with 'em, among other things), an ext3 driver I compiled after getting sick of long fsck's on my 1GB SD card, and I've compiled the great passive OS fingerprinting app "p0f" for the arm platforms and made it available there as well.
Anyway, enjoy crushing my web server :-)
[ tons of tips and ideas what's possible with a Z follow ]
The 5500 and others are more like little Linux laptops than PDAs. While I am far from a typical PDA user, the absolutely INCREDIBLE stuff I can do with just a 5500 and a wireless card continues to astound me today. To be fair, I never bought a Zaurus with the intention of ever doing typical PDA like stuff, but just wanted an easy familiar environment to hack in.
Years ago I had a USR P1000 (The Palm 1000, before Palm bought it from US Robotics), and while it was a great PDA (for the day), it was underpowered for what I wanted and most importantly LACKED A KEYBOARD, which makes all the difference in the world. One day I worked an ENTIRE day with only my P1000, a ssh client and a (9600 baud) serial link to my cell phone to see just how doable it was. As a unix admin doing security work the P1000 did have SOME uses (serial console to Sun boxes, ssh client for accessing mail via Mutt, etc) but the end result was a less than productive day overall. Trying to edit files on unix boxes with vi using Graffiti was quite painful and I vowed I'd never buy another PDA until it had at least a minimal keyboard to work with.
Fast forward to my (now several years old) 5500. Shortly after getting it I wiped the original Sharp rom and replaced it with the actively developed OpenZaurus distribution, and was very happy with the results.
I have a very portable linux box with wireless, nearly all the software I was using on Solaris and Linux, as well as the pretty Qtopia apps and a half-way decent environment. I've been able to get nice tools like nmap, p0f (Passive OS Fingerprinter), Kismet, and other excellent unix based tools working with minimal effort on the Z under OpenZaurus (and to a lesser extent the Sharp ROM). Under OZ I can compile and run MANY common exploit tools like the awesome Metasploit framework, which require perl, and to a lesser extent Python. Both are no big deal to get going on the Z, especially since the Z is binary compatible with the IPAQ based Familiar distribution, and usually just needs the odd library to get an app working. That's all fine for text based apps, but since OZ (using Opie, at least) is QT and not X based, a variety of GUI based apps don't easily run. There ARE solutions to getting X based apps to run with minimal fuss, including the original x11zaurus package, and more recently the excellent X/QT package, as well as simply running one of the versions of the vncserver for Zaurus which of course allows you to display X not only on your Z, but also on any other VNC compatible device (such as your cell phone, Linux, Windows, etc).
More recently the GPE environment and projects has become available, and offers an attractive alternative to Opie, but with X11 compatibility built in.
For me, I joined the Debian religion ~5-6 years ago after experimenting to see what all the fuss on /. was all about. It didn't take long before I was the typical Debian crack addict apt-getting any application I wanted to check out on a whim. After living in Ottawa for years I was very well aware of the Corel (and later Rebel.com (who themselves were called Hardware Canada previously, and were a unix reseller)) Netwinder, which was a cool little ARM based PC, which unfortunately suffered under the idiocy of Corel's managem
RoadRunner got rather pissed off at me once because I ran a caching DNS server at my house.
How could RoadRunner know that you were running a caching DNS server at home unless you were ACTING as a DNS server to those externally?
An update, I've actually put a link to some programs on the Zaurus in the Undertow page mentioned above.
:-)
Let me know if there is something specific you'd like to see compiled for the Z and maybe I'll give it a shot
The Zaurus is a tiny linux box. A powerful, tiny linux box. The first thing you should do when you get a Z is wipe the OS and instead install the excellent OpenZaurus (OZ). OZ is better than the original Linux install in nearly every respect. Don't think of your Z as a PDA, it's more like a tiny laptop. Some of the things I do with mine:
email: I recently compiled Mutt with an IMAP header cache patch. One of the most powerful email clients in the palm of my hand :-)
wireless sniffing: As you know, Kismet rules the land of wireless sniffers. Pop a wireless card in your Z (or get a 6000 :-) and your neighbours will never be safe again :-)
mp3/ogg playing: Using either Opie-Player2 or the excellent tkcplayer. Unfortunately, I can't use the tkcplayer on the very latest version of OpenZaurus, not because it won't run (because it DOES almost start up when using "runcompat" but then tells me it can't run on this platform-- which it CAN otherwise it wouldn't be able to tell me that :-) TKC are you listening? Remove the check please :-)
Video playing: using a port of the best linux movie player mplayer. I've encoded a bunch of movies down to ~200MB with great results. You can pop a couple of these on a 512MB card for those long flights :-)
Coding: Of course, I've got gcc and perl loaded on the puppy. Hell, without perl I wouldn't be able to run Chaosreader, makes those long hotel stays much more interesting :-)
Exploit testing :-) Since perl and gcc work fine, I really haven't run into any common exploits I can't compile or run properly.
A couple of hints and tricks:
1) If you want to extend your battery life while doing things like mp3 playing or wardriving, grab something like Qoverclock and use it to UNDERCLOCK your Z. Turn down (or off) the display as well. Poke at it a bit and realize you can easily make a shell script to do without the GUI.
2) To maximize your space on root, ram, sd and cf, the single best thing to use is UCLX which works just like UPX. UCLX/UPX are executable file compressors-- you compress your executable and when you run it it decompresses (to ram) on the fly. The compression it uses is AT LEAST as good as gzip (or better) and the decompression is very fast. When using slower media like SD (or even CF) you'll find that executables will run FASTER compressed than they would uncompressed-- the CPU can decompress much smaller exe faster than the much larger uncompressed exe could be loaded from media and run.
3) When choosing a root/ram disk size for OpenZaurus, it's a good idea to pick a small root with a much larger ram disk. If (when) you need more ram, you can simply make some ramdisk swap files.
4) While you can run gcc right on the Z, it's also nice to use a cross compiler on your (much faster) desktop and then just cp the binary over. If you're too lazy to do cross compiles (or don't want to set up a ton of additional packages like ncurses, etc), you can also just ssh into the IPAQ development cluster and compile your code there. Typically it will run without issue-- sometimes you may want/need to statically link your programs or just grab the libraries from the ipaq and throw 'em on your Z. I haven't found a single thing yet I couldn't get to run.
5) Assuming you grab the required libraries, you can run basically all of the sw in th
Same thing here. PIII 866, Nvidia NVS, 2.4.22, same nvidia version.
I too am running Debian (knoppix).
OpenGL works fine, and I play gl-117 all the time. glxgears gives ~1100fps.
As for why I left Vonage, I was unimpressed with the call quality. I had Road Runner Business Class (I think 1.5M down, 768k up, although I might be mistaken) coming into my residence, and I would occasionally get static and dropped calls. Also, about 1 out of 10 calls the other party would not be able to hear me at all and hang up in frustration (assuming it was a crank caller or the like).
I've had vonage since last April, and when I *first* got it it was great-- no problems at all. I have fiber to the house, going back to a neighbourhood T1 (shared by only ~5-6 people in the end, and that went back to a T3 I believe). Anyway, once Nachi came out it basically wiped this ISP off the map as they had absolutely no filtering of any kind (i.e. windows networking fully available all over, etc). Once nachi traffic rose my phone was basically unusable. The ISP lost a ton of money and pulled out of Austin completely, except for Alarm monitoring apparently. Anyway, I got a TW business class cable modem too (2.5 down, 768K up in this case) and since getting it I've had not a single problem with Vonage. I can even have another IP phone running through a hw vpn concurrently with no bandwidth issues.
The thing that makes the biggest difference is setting of traffic shaping/QoS. I set up an OpenBSD box and use its altq with excellent results.
For me the free long distance to Canada was the biggest thing-- we had phone bills over $100 all the time, now we pay $35.
I once accidentally bought a house "out in the sticks" (Osgoode, ON) where I couldn't even get ISDN (which I had while living in Ottawa). I grabbed a 486 that had 2 serial ports, added a serial card and put 3 56K modems on it. When I called Bell and asked for 3 additional phone lines they had to run a new wire from the curb to my house. On the 2 lines that ran across the connection I got 48K connections to the office (connecting to a Cisco AS5300). Note that I asked for 3 additional lines, and I already had one being used for voice. After multiple attempts they were unable to get all 4 lines working (they'd disable other ones, etc., etc.) and I gave up on 3 modems, settling for only 2. ..anyway, using multilink PPP on a 2.1 series kernel worked perfectly, and it seems due to the modems' compression I was often getting better apparent speeds than I was on ISDN. Using (compressed) SSH across such a configuration was nearly the same as being in the office-- no problems at all. Of course SSH's compression and the modems' compression didn't help each other, but I'd bet SSH compressed the data far more than the modem would have anyway. Pages with lots of text just flew down.
I had the system configured to keep 1 line up all the time, and when there was traffic it'd dial on demand the other line, and keep it up for ~45 minutes before dropping due to inactivity.
IIRC, the total cost (to me, anyway) was around ($18*2) = $36/month for the phone lines + hardware of course.
BTW, I'd also tried multilink PPP on Windows (95 at the time) with equally good results.
..it pulls Canadian guide listings with xmltv.
Assuming I could hack up a method to just put ONE CD in there and then be able to have it act as a MythTV frontend it would be wonderful. Having to jump through hoops to first boot it would suck, but if I only rebooted it when there was a power failure, I wouldn't care too much.
Small, quiet, with stereo sound and TV out, with wireless controllers available, sounds good to me.
Heh, I did RTFM, it wasn't there
'tis true. While in college (1990) I did a similar thing, and another student and I worked frantically to try to kill the fork bombs as fast as possible. Of course, you can't be fast enough to kill a tight enough loop and the machine quickly was unable to run any new processes. We each had a bunch of xterms up, but any command we tried to run we got the old "no more processes" message. We thought we were screwed, until our very sharp prof (an engineer from Nortel actually) typed this into one of our xterms:
:-)
exec kill -9 -1
The exec overlays the new process, the -1 kills all of the current user's processes. It seems the -1 option is a nice undocumented trick-- I don't think I've seen it mentioned elsewhere... don't do this as root, BTW
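Why the `exec` in the command above matters, as an added shell example that is not part of the original comment: `exec` replaces the running shell with the new program in the same process slot, so it still works when no new process can be created. The function names are made up for this illustration, and the example only compares PIDs; it sends no signals.

```shell
# Added illustration (constructed, not from the original comment).
# Compares the PID of a shell with the PID of the program it starts,
# once through `exec` (no fork) and once as a normal command (fork).

# With exec: the inner sh overlays the outer sh, so the PID is unchanged.
# Prints "same" when the PID before and after exec is identical.
exec_reuses_pid() {
    sh -c 'before=$$
           exec sh -c "[ \$\$ -eq $before ] && echo same || echo different"'
}

# Without exec: the outer sh must fork a child to run the inner sh, which
# is exactly the step that fails once the process table is full.
# The trailing `exit 0` keeps the inner sh from being the last command,
# because some shells quietly exec the last command of a -c string.
fork_gets_new_pid() {
    sh -c 'before=$$
           sh -c "[ \$\$ -eq $before ] && echo same || echo different"
           exit 0'
}

echo "with exec:    $(exec_reuses_pid)"
echo "without exec: $(fork_gets_new_pid)"
```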
Maybe a P1 200 class machine with 256 mb of ram running FreeBSD and Squid is about right for this machine?
:-)
At my kids' school (a little under 400 people) I'm running squid on a P200 with *96MB* of RAM with absolutely no issues at all. The machine is mostly idle, and the load only goes up due to the snort and afick processes also running on the host