You could use something supporting EtherChannel and bond a few 1GB links together. We use that to great success, admittedly using Cisco kit, but there are plenty of other companies around making kit that supports channel bonding.
Incidentally, what are your users doing that maxes out gig uplinks? We have 96 ports sharing 2x1gig uplinks all over the office without problem, but none are particularly heavy traffic users.
They would allow it if it was cost effective, some countries already have 100mbit to the home. To get that requires a huge backbone to start with and it needs to be available to the Telcos/ISPs at reasonable prices.
Bonding huge links together will be quite a feat; as far as I know the main bonding protocols in use now (EtherChannel, LACP, etc.) are based on current Ethernet standards so may need some reworking, unless the large links are already using Ethernet (DWDM maybe?). Then there's the small matter of getting some hardware together that can switch at 100G...
But the OP is quite right, this isn't really aimed at end users and they'll only get benefits indirectly. This is aimed at things like British Telecom's new MPLS network that is supposed to carry all voice and data traffic on a single IP network.
If I say your business is ripping people off then I am the accuser.
I'm accusing you of wrongdoing, so I have to prove it. If I can't prove you guilty then I can't run around publicly telling people how guilty you are.
That's a matter of the implementation rather than a feature/by-product of the protocol.
Don't get me wrong, I'd much rather use IPv6 with such an implementation and I think the routing table issue will make this necessary before too long, but in terms of protocols 1-many NAT has this default deny ability that 1-1 routing (and 1-1 static NAT) doesn't provide unless steps are taken to configure it, such as by the manufacturer in your example.
Hopefully the manufacturers will make this argument moot by providing SPI on everything by the time IPv6 comes about.
IPv6 can be planned so that the routes can be aggregated together. IPv6 routers on the backbone won't need individual entries for every possible network, just a few bits from the network part.
In terms of 1-1 static NAT (like using DNAT without specifying ports on Linux) there isn't really much security as you say, but this is effectively the same situation as an IPv6 router (or an IPv4 one). You only get packet filtering if you configure it.
IP masquerading blocks incoming connections and the administrator has to take steps to change this by forwarding ports, it's a default deny situation.
With IPv6 on the other hand the firewall/router only has to pass traffic and the administrator has to take extra steps to do any filtering. The basic form is defaulting to allow all traffic.
I don't think it's a misunderstanding, the argument is just a bit more complicated due to the different types of NAT available and in use.
No he's right, AD has many other features other than broken standards support :)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then there's the GUI tools for managing it all; last time I looked Linux only had directoryadministrator, which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)
I tried it on my work PC which came from the factory with XP installed and has a license key on the bottom (it's a laptop). I couldn't validate with either the key the factory put on the lappy or the key from the MS sticker underneath it. Could be they're corporate keys that won't go through the validator, but no idea.
Although it's not a problem as you say, since that doesn't stop you using it. It's not just pirates that will struggle with validation though.
It's fairly simple to spoof such attacks and spoof the source addresses.
Do this from enough hosts (since we're generally talking machines connected 24/7 you have plenty of time) and the machine with the adaptive system is crippled. Usually just doing it from that machine's upstream DNS servers will stop it functioning properly.
There's software on Linux called portsentry that runs along these lines; there's also Perl scripts knocking about to cripple machines running it.
Using things like rate limiting or white lists and similar may help, but no foolproof way has yet been found to my knowledge, not to the extent you could safely use them on production machines.
Brings back memories of the TV license people visiting university halls of residence. The cupboard on our hallway for mops and buckets had 12 TVs piled up in there as soon as the collectors appeared outside the front door :-)
Also brings back memories of the license fee collectors in London turning up 1 day after I started renting a room in someone else's house and threatening to send me to court because they hadn't paid their license. I can see why people hate them so much.
I do think the license fee is a little unfair as there is no choice to own a TV but not watch BBC. If you own a TV then it's assumed you will watch BBC and you have to pay. Even if you pay for satellite channels you still have to pay for BBC to be able to own the equipment.
I pay the license now in the vain hope they will produce some more episodes of Red Dwarf and Spooks.
And still they work for separating business logic from presentation logic.
Which Smarty doesn't do, it mixes them right back up again.
Not much use if you want your templates worked on by someone who isn't a programmer, although it certainly looks powerful I fail to see the point. If you want code in the templates just use PHP.
After experimenting around, the way I settled on was a 5-line function using file_get_contents() and str_replace(). I fail to see why a template engine needs 3000 lines of code as Smarty has.
That wouldn't work. When someone enters different values into the form fields the md5 checksum changes.
Just use $_POST["var"] and $_GET["var"]; the PHP manual has been saying to do so for years (at least 4). Using extract($_POST) is just as dangerous as using register_globals. Say your script does something like:
if ($userIsLoggedIn) { doSecretStuff(); }
Then all someone has to do is visit http://yoursite.com/index.php?userIsLoggedIn=true and they've potentially cracked your site. Without register_globals or extract() that becomes $_GET["userIsLoggedIn"] instead of just $userIsLoggedIn, and you can have security.
The only alternative is to be 100% sure that you declare and set every variable you use; since PHP doesn't kick up any error messages if you don't, this is not a good tactic, especially not in anything larger than a few hundred lines.
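The flaw this post describes, as an added PHP example (not code from the original comment): `isLoggedInVulnerable()` emulates register_globals / extract($_POST) over a constructed request array, while `isLoggedInSafe()` initialises every variable and reads the request and session by name. The `$request` and `$session` arrays and the `user_id` key are constructed stand-ins for $_GET/$_POST and $_SESSION.

```php
<?php
// Added example (not from the original comment): why extract($_POST) or
// register_globals lets a request parameter stand in for application state,
// and the alternative the comment recommends: read superglobals by name and
// initialise every variable before use. $request is a constructed stand-in
// for $_GET/$_POST so the script runs offline; $session stands in for $_SESSION.

function isLoggedInVulnerable(array $request): bool
{
    // Emulates register_globals / extract($_POST): every request key becomes a
    // local variable. The script never assigns $userIsLoggedIn itself, so the
    // variable exists only if the client supplied it.
    extract($request);

    // With no such parameter, $userIsLoggedIn is undefined and empty() quietly
    // returns true with no error, which is the silent behaviour the comment
    // warns about. With userIsLoggedIn=true in the request, the check passes.
    return !empty($userIsLoggedIn);
}

function isLoggedInSafe(array $request, array $session): bool
{
    // Every variable is declared with a safe default before it is used.
    $userIsLoggedIn = false;

    // Authentication state comes from server-side session data only.
    if (isset($session['user_id']) && is_int($session['user_id'])) {
        $userIsLoggedIn = true;
    }

    // Request input is read explicitly by key for its own purpose, so a
    // client-supplied 'userIsLoggedIn' entry in $request is never consulted.
    $page = isset($request['page']) ? (string) $request['page'] : 'home';

    return $userIsLoggedIn && $page !== '';
}

// Constructed requests: an ordinary visitor, and one who appended
// ?userIsLoggedIn=true to the URL as the comment describes.
$ordinary    = ['page' => 'home'];
$tampered    = ['page' => 'home', 'userIsLoggedIn' => 'true'];
$noSession   = [];                 // visitor never authenticated
$realSession = ['user_id' => 42];  // constructed server-side session entry

echo "vulnerable, ordinary request: ", var_export(isLoggedInVulnerable($ordinary), true), "\n";
echo "vulnerable, tampered request:  ", var_export(isLoggedInVulnerable($tampered), true), "\n";
echo "safe, tampered, no session:    ", var_export(isLoggedInSafe($tampered, $noSession), true), "\n";
echo "safe, ordinary, real session:  ", var_export(isLoggedInSafe($ordinary, $realSession), true), "\n";
```

Run it with `php example.php`; only the second line reports a logged-in user, and it does so purely because the tampered request contained the variable name.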
Well no, we need to be able to buy whatever we want. Surely you'd agree choice is a good thing.
Sure, they should sell phones that are everything they could possibly be. They also should sell simple phones for people like me who don't want shortened battery life, slower operation, increased likelihood of failure, to have to "update" software, to have to leave my phone every time I enter a secure area because of the camera, more complex interface, risk of viruses or any of the other reasons there are for not wanting more complicated phones.
If you like having a fully featured phone then cool, I just want one to be a simple phone that works quickly without causing problems and I'm happy enough to be without the extra features available. I've had mobiles since about 1990 and the only new feature I really want is the flip-top so I don't accidentally answer it in my pocket.
Also, if you need it turned on in order to run older PHP scripts you can switch it on per vhost or directory in Apache's configuration file with something like:
...there's 400 posts from people who don't realise that register_globals has been turned OFF by default for years and only outdated old PHP scripts and guides need it turned on.
To brute force a Blowfish password requires 500 or so encryptions to check each individual password rather than just one as with other methods. While that's not enough to stop brute-forcing it is enough to slow it down considerably.
I forget the exact numbers, have a look on Mr Schneier's homepage if you have the urge to be more precise :)
Another solution would be to not use a fully featured multimedia OS aimed at home users for relatively simple functions that can affect people's health and/or lives.
This is the typical patch vs. crash problem. Unfortunately, the stakes here could be human lives.
Either way, don't patch and get a virus and the machine could fry someone, or patch and break the machines. Seems it's a lottery whether they actually work or not. Which leads back to my previous point...
As I understand it the States don't really have "overtaking lanes", whereas in the UK all lanes except the outside one are overtaking lanes.
Quite a simple idea, the "overtaking lane". If people actually used it properly then congestion on the roads wouldn't be half as bad.
Route aggregation will save the day (hopefully).
If you don't want to alter server settings you could ..to get rid of the short tags
Actually sorry, I'd misread it as being something other than a lame social engineering hack. On second reading I agree it's hardly news.
Sendmail isn't installed on >90% of the worlds desktops.
Sendmail isn't advertised and sold as a secure and straightforward system for home users.
Sendmail bugs are hardly news for anyone, particularly not nerds.
I'd call this news, SP2 is being hailed by Microsoft for its security features so it seems fair to report any issues with it.
$arr[index] will give an error something like:
undefined index 'index' at line $line_number_of_error
in any version of PHP from about 4.1 upwards and is shown in error messages. It's not a mistake, it's a syntax error as shown in the manual's arrays page :)
So what are you whining about exactly?
This modern fangled technology.
That phone isn't a fliptop either; since there are hundreds of other simple phone models your point would have been better proven by picking one with the single feature I do want :p
Have a look at the predefined variables bit of the PHP manual, it explains quite well how to avoid needing register_globals.
These computers also have OpenOffice. There have been *0* complaints, just questions whether it will open and save Word files. Yes...yes, you can!
I recently put OpenOffice(.org) onto a PC for some friends.
They hadn't even thought of using it because they had MS Office, from about 1997. It couldn't open any of the .doc files they had; pretty much all of them came out in plain text with all the styling replaced by 6 pages of squares. They'd just assumed their only option was to splash out 250 quid on a current version of Office or use an illegal copy.
So now they can read those files without making themselves criminals and they can have an extra holiday this year.
Nice huh :)
As the AC above states, BIND hasn't been vulnerable to DNS poisons for many years.
Because system administrators are anal and fail to realize that software like BIND is not written to be secure.
Not sure why you say this, ISC have released a constant stream of patches since BIND was released and every announced security hole has been fixed. Not only that but they even added options to chroot the daemon and run it as an unprivileged user. They also have links on its homepage to guides on how to chroot the entire server.
The BIND company sells patches for their software.
No, they sell support, go read their website. Patches are, and have always been, free.
Still most people use BIND for two reasons: no one wants to learn the crusty details of DNS and
Er, you have to know the crusty details of DNS to be able to write proper zonefiles and configure named.conf, otherwise you'll struggle.
2) Linux comes with BIND as its default name library.
Except BIND is a server application, not a library. Linux's DNS library is part of glibc.
Stop slandering the ISC, they do a great job providing some very useful software and they also fix it when problems crop up.