Slashdot Mirror


User: thogard

thogard's activity in the archive.

Stories: 0
Comments: 3,911

Comments · 3,911

  1. Copays? How about cash price? on Hacking the US Prescription System · · Score: 2

    When you try to get a prescription filled in a pharmacy they take your ID and insurance card and send that off to your insurance company. If you have a prescription for something simple and cheap like penicillin that cost say $3 the conversation looks something like this:
    Pharmacy (to insurance co): Joe Sucker gave me a $25 co pay card for penicillin.
    InsCo: Tell him that it is $30 and you now owe us $22.
    Pharmacy to Joe: You owe us $25.

    If Joe had asked cash price, the conversation would have been:
    Pharmacy (to Joe): That will be $3.
    Joe: But I have a $25 co pay
    Pharmacy: Do you want to pay $3 or $25?

  2. Re:Tesla battery also far larger than needed on Why Our Antiquated Power Grid Needs Battery Storage · · Score: 1

    Then you are neither the problem nor the solution.

    Oddly enough though, I am the market.

    I expect my numbers are right on the sweet spot for a 10 kWh system. Large battery systems should help but most of the rest of the costs will scale linearly with maybe a 10% drop at 4 times the size.

    So if the numbers don't really make sense for you, imagine how stupid they are for me?

    My power generator will sell me power for $.025 a kwh under a contract. The rest of the $.22 is the grid, billing system, peak cost overruns and taxes so I don't see this as an electricity generation problem but more of a middleman problem and those tend to get worse as time goes on. I expect that since the grid goes past the house that in 30 years I'll get an electricity bill for about $100/mo (in today's dollars) even if I'm not connected.

  3. Re:Tesla battery also far larger than needed on Why Our Antiquated Power Grid Needs Battery Storage · · Score: 1

    I only use about 10 kwh a day. A 5 kw solar system is about $3600 plus inverter. The 10 kWh system complete with install and the 5 kw of panels would cost a bit less than $20k. I currently pay about $.22 a kwh plus about $1 a day just to have the grid there. The ROI is 16.6 years assuming no maintenance cost, interest or increase in grid costs assuming I can go fully off grid. It goes over 20 years if I still have to pay to have the grid hooked up (or some "grid goes by the house so pay" type fee)

  4. Talk about missing the market on Google Insiders Talk About Why Google+ Failed · · Score: 1

    Google+ would have been great had they taken the people out of it. It would have been great for devices to talk to other devices. It could have been the facebook for IoT.

    But they missed the mark.

  5. Re:Is that proven? on Debian 8 Jessie Released · · Score: 1

    Lots of useful things can happen even if most file systems don't mount.

    I have systems in data centers half way around the world. I want sshd to wake up as soon as the networking is up. Once the whole thing is up and stable, I want the initial sshd to be killed off and the normal production one started. The sshd started early uses no shared libraries and uses a config that lets root login. This means that if the machine is screwed up, I can get in if things are broken without depending on the lights out management card or some other virtual console hack.

    Remember that on very large systems there are always errors on a disk and some systems are large enough that their mean time between failures is always now. That doesn't mean the systems aren't still useful in production.

  6. Re: Figures on iTunes Stops Working For Windows XP Users · · Score: 2

    I find it odd that there isn't a well known man in the middle SSL-> TLS 1.2 proxy for XP that can fake things enough to work for most programs.

    The entire XP TCP/IP stack can be replaced and there are replacement WINSOCK versions for XP.

    With the large number of programs that talk to specific hardware that simply won't run on anything newer than XP, combined with how many machines are still functional for their users, it will be around for a very long time. Remember that Microsoft has only dropped free support for the consumer version of XP and paid support (and some free support) will be going on for another 4 years.

  7. Re:How about basic security? on Why the Journey To IPv6 Is Still the Road Less Traveled · · Score: 2

    Scanning IPv6 isn't as hard as you make it out to be. I look at it more like using dictionary attacks rather than sequential scans. The 1st 64 bits are known if you're after a specific target. It is also trivial to know if a given /64 is even used. A tree of all known used /64 shouldn't take long to create.

    The 64 bits of the host is a bit different. They could be fully random (which is rare) or they are allocated based on mac address or statically assigned. The mac addresses means that 40 bits of the address are known if you know anything about the target's buying habits (i.e. they tend to buy Dell or Polycoms). That leaves 16 million guesses which can be reduced based on the vendor or the product version which you intend to exploit once you find a target.

    You may not be looking for one in 2^64, but a network of devices that all may have many addresses and you might only need one.

    The static address assignment space isn't very large as well as netadmins like using :: when they type in addresses so they are unlikely to be random. That means their 1st network will be 0::something and their second is likely to be 0001::something. Oddly enough you might find they skip ::a and use ::8,::9,::10 as well or use something that matches with their existing IPv4 address so things like ::192:168:1:1 are very likely.

    All these things mean that Monte Carlo scans of a specific IPv6 allocation on a remote network are well within the ability of small time hackers.

    Throw in a firewall that isn't filtering IPv6 properly and that will result in remote exploits of internal devices.

  8. https^wmetadata everywhere on Chrome 43 Should Help Batten Down HTTPS Sites · · Score: 2

    The push for https everywhere also means there is more metadata floating around. If all you are looking at is the metadata and not the data stream, https gives an observer more info about what is going on than with just http. Once you get into properly verifying certs, both sides and an observer have more info to tie a conversation between a specific client and a server.

    You can see this yourself by getting something that does netflow and look at the data that comes from that.

  9. We have been using robots on farms for years on Drought and Desertification: How Robots Might Help · · Score: 1

    The best modern farm equipment can grow alternate crops in alternate rows. It can be done in a way that is sort of mix between what had historically been done by using seasonal crop rotation and planting trees as wind breaks.

    The system works by using a high precision DGPS system so the tractor wheels are in the same spot every year so the rows stay in the same places. The hills can also be mapped so that the side of a hill may get processed first or last in a season and the amount of fertilizer or planting depths of crops can be adjusted for optimum yield or land protection.

    Many of the California farming areas were settled after people left the mid-west dust bowl. Most of the dust bowl problems were a result of not using the best farming techniques when a drought worsened and it took lots of time to rebuild those areas. Those areas also get massive amounts of rain from time to time from hurricanes hitting the Gulf of Mexico. California doesn't have that advantage.

    Another odd thing is there seems to be some connection between early crop failures in the midwest that predate the dust bowl and those crop failures started screwing with the futures markets which some have claimed was the start of the stock market crash and great depression.

  10. Re:Warning on Recon Instruments' Sports-Oriented Smart Glasses Now Shipping · · Score: 1

    That is a mighty fine web site there. It provides many great examples of things that should cause you to fire your web designer. Go with a slightly aged browser and it falls over in some very interesting ways. If they can't test a simple website, how are they testing their product?

  11. It does add up on Incorrectly Built SLS Welding Machine To Be Rebuilt · · Score: 1

    It's nearly 3 inches. What was the precision of the Saturn 5?

  12. Re:Should be micro kernel on Linux Getting Extensive x86 Assembly Code Refresh · · Score: 2

    It was a monolithic kernel. One of the interesting features was that device drivers were modules and there was a small device node module which would say stuff like "used module 'serial driver', call it tty4 at IRQ 2 and address 0x454040". The kernel would deal with all IRQs in the hardware and then run the IRQ callback function in the proper module. That allowed user level device drivers back in the early 1980s.

    Another cool feature was each software module had a CRC so it could detect bad binaries. There were ways to whitelist and blacklist based on CRC values.

  13. Re: Too many pixels = slooooooow on LG Accidentally Leaks Apple iMac 8K Is Coming Later This Year · · Score: 1

    24 bit color is a problem. Out of those 16 million colors, about 1/4 are greys and about 1/2 are browns. The remaining 4 million are slightly more than a million of each of the reds, greens and blues leaving less than a million in the rest of the spectrum. When it comes to shades of oranges you're limited to only about 60 that most people won't say are brown when viewed in isolation.

    The flipper displays that use 18 bits are even worse and are way too common.

    Of course the real fix for this is to run HSV rather than RGB to the display and let it work out how to drive the pixels.

  14. Re:80's data on RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction · · Score: 1

    The TRS-80 model 2, 12 and 16 used 8 inch floppies.

  15. Re:Contract contingency? on Comcast's Incompetence, Lack of Broadband May Force Developer To Sell Home · · Score: 1

    What is the problem with getting it installed before he moved in? I had to pay for termite inspection for a house I bought since I wasn't about to trust anyone else. If I hadn't spotted a radio tower I could link to, I would have had DSL installed in the house before I moved in. The costs of pulling out of a DSL contract are much cheaper than trying to cope with a house in an area where you can't get connectivity.

  16. Re:Postgres has referential integrity on Why I Choose PostgreSQL Over MySQL/MariaDB · · Score: 1

    The OID concept does fix a common problem. Take a typical CRM database where you have customer account and a ship to address. At some point, the ship to address for a customer gets updated to their new office yet someone wants to check where an old order was shipped to and the programmer didn't think of it so now reprinting the old invoices show the new address. It is amazing how many times I've seen that type of problem cause massive issues in data integrity.

  17. Re:In 30 years I'll buy slashdot.org on Oldest Dot-com Domain Turning 30 · · Score: 1

    Mine was free then. I did a dictionary search against whois and abnormal was free. I just knew I had to have it. That was close to 20 years ago.

    Anyway there will be cake for anyone who RSVPs.

  18. Re:It's been that long? on Oldest Dot-com Domain Turning 30 · · Score: 1

    !ihnp4 ?

  19. Re: ECC Memory on Exploiting the DRAM Rowhammer Bug To Gain Kernel Privileges · · Score: 2

    ECC might be able to help the attack. If you know the state of memory and the associated ECC values you would like and can calculate a designed bit pattern with the same ECC that meets the requirements, you may be able to get the ECC hardware to flip the bit for you as you hammer bits that don't matter as much.

    Hammering memory to induce writes where they shouldn't happen has been done for decades. It was used back in the days when you needed high voltages to do writes in eeproms when people found out that you could use a 5V write power supply and sometimes get bits to change if you tried enough times. Related techniques have been used with bubble memory and iron core as well.

  20. What stupid patents? on Has the Supreme Court Made Patent Reform Legislation Unnecessary? · · Score: 1

    A friend's boss saw him talking to a valve actuator using a tapping device and told him to talk to the patent lawyer about the invention. The "invention" was using a single wire to talk to something inside containment areas where drilling holes was a bad thing so wires could cost about a million a conductor. The resulting patent application didn't have that bit in it. It did have the use of a single wire for sending code using a keying device to another device. He ended up with a patent for using Morse code complete with encoding and everything else that was invented long ago. The bit about using the old technology in a unique way was missing.

  21. Can too healthy be bad? on Treadmill Performance Predicts Mortality · · Score: 2

    There is an old test known as the Schneider Index which was used by the US Navy for divers and pilots in the 1940s. An old movie called "Dive Bomber" shows details of how the test was done at the time. The test ended the flying careers for many pilots at the time if their score decreased much. It turns out that the guys who did best in the test were the ones most likely to pass out on dive bombing runs. The Schneider Index uses reclining heart rate, blood pressure with standing and then rapid activity for about 30 seconds and then factoring in increase in pulse, BP and the time to return to normal.

  22. Re:How much CPU power & storage in HDD control on Ask Slashdot: How Does One Verify Hard Drive Firmware? · · Score: 2

    There is enough flash and ram to run Linux on the controller. I've seen it done at Ruxcon/Breakpoint where the hard drive booted up to the point where it couldn't find a root disk to mount.

    It is trivial to make firmware that watches for things like /etc/shadow files and returns something else. You can have this code activate by searching for data that would be logged and hunting for the magic key and that is trivial since every system logs to disk.

  23. Re:At Bat on Australian ISPs To Introduce '3-Strike' Style Anti-piracy Scheme · · Score: 1

    I've seen the baseball diamonds near my house used exactly twice. Once involved using it for fireworks. It was built around the time of the 1964 Olympics like nearly every baseball diamond in the country.

    When a bat is going to cost you $300 and a full uniform and gear to play on a team is close to a $1000, there isn't much demand. The Melbourne girls baseball teams positions are more about forfeits than wins.

    I don't know why the local baseball teams need such formal rules with such official imported uniforms. What ever happened to wearing a shirt the right colour?

  24. Re:1 employee? Not the entire story. on Oregon Residents Riled Over Virtually Staff-free Data Centers Getting Tax-breaks · · Score: 2

    That was true before the days of disposable servers. Today, when it breaks, drop it from the pool of working systems. The HVAC is on a lease contract which makes them far more reliable as the manufacturer no longer gets a cut by selling parts that used to be used for maintenance. The same is true with power systems but the electrical wiring is massively overbuilt between the stuff under contract and the racks. I have a rack in a recently built data center and they have an electrician on site less often than some small companies I work with.

  25. mod_doorknock? on 'Google Search On Steroids' Brings Dark Web To Light · · Score: 1

    Some people have been using port knocking to allow remote admin yet cut down on the ssh bots trying to login.

    It would be trivial to do the same in a cgi where if your ip address is 1.2.232.121 you have to hit /target/232 then /target/121 to get the real data.