I've done this. You can bootstrap the entire thing from a floppy or bootable CD, or PXE (net booting). You can have the floppy read its configuration from the server (http), so if the server's smart enough it can hand out different config files for different machines. The machines can DHCP themselves addresses. This can work over NFS or HTTP (we do it over HTTP). It's dead simple: install a Red Hat machine the "usual" way, then cp the "~root/anaconda.ks" file onto a webserver, then boot a machine up and type "linux ks=http://url/to/anaconda.ks" and voila, you have one clone. It's trivial to hard code this into a bootable floppy (like we did) or to have this done entirely over PXE. It's fast too, you can have a machine installed in under 10 minutes.
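As an added example (not the commenter's setup), here is one way the "server's smart enough to hand out different config files" part can be done: a small HTTP handler that picks a kickstart per machine from its MAC address and falls back to the plain clone for unknown hosts. The inventory, MACs, hostnames and kickstart directives below are constructed assumptions; only "~root/anaconda.ks" and the "linux ks=http://..." boot line come from the comment.

```python
"""Per-machine kickstart selection for a PXE/floppy-booted installer.

Added example, not the commenter's code. The installer boots with
"linux ks=http://<server>/ks?mac=<mac>" and this server answers with a
kickstart chosen by MAC. Everything in INVENTORY/ROLE_PACKAGES and the
kickstart text is a constructed assumption for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed inventory: MAC address -> role.
INVENTORY = {
    "00:11:22:33:44:55": "webserver",
    "00:11:22:33:44:66": "database",
}

# Constructed base kickstart, standing in for the copied ~root/anaconda.ks.
# The install-tree URL and root password hash are placeholders.
BASE_KS = (
    "install\n"
    "url --url=http://ks.example.internal/redhat\n"
    "lang en_US\n"
    "keyboard us\n"
    "network --bootproto=dhcp\n"
    "rootpw --iscrypted PLACEHOLDER_HASH\n"
)

# Extra packages per role; unknown machines get none (deny by default
# rather than guessing a role for a box we did not inventory).
ROLE_PACKAGES = {
    "webserver": ["httpd"],
    "database": ["postgresql-server"],
}


def kickstart_for(mac):
    """Return the full kickstart text for a MAC (case-insensitive)."""
    role = INVENTORY.get(mac.lower())
    packages = ROLE_PACKAGES.get(role, [])
    pkg_section = "%packages\n@core\n" + "".join(p + "\n" for p in packages) + "%end\n"
    return BASE_KS + pkg_section


def mac_from_path(path):
    """Extract the mac= query parameter from a request path, or None."""
    query = parse_qs(urlparse(path).query)
    values = query.get("mac")
    return values[0] if values else None


def boot_line(server, mac):
    """The line typed at the installer prompt (or baked into PXE/floppy)."""
    return f"linux ks=http://{server}/ks?mac={mac}"


class KickstartHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        mac = mac_from_path(self.path)
        body = kickstart_for(mac or "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), KickstartHandler).serve_forever()
```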
Carrier Pigeons for time when the phones are down? (on IP Replaces Avian Carriers)
They use carrier pigeons for when phones, power and radio are down, for example during hurricanes.
How exactly do they propose that email is going to help in this situation? If they have no phones, power or radio, how are they connecting to the Internet?
One of the problems that was discovered in this report was that the root name servers tended to do their zone transfers at the same time as other root name servers meaning that 2 or 3 nameservers could be offline at any given time due to handling a zone transfer.
The nameservers are near capacity at the moment; however, since name servers effectively load balance, it's rather difficult to notice.
There's a fascinating paper about it here.
The root/gTLD name servers are in a lot worse state than most people think. It is possible in a few years that they become too overloaded and just melt down. Imagine the internet without a functional DNS :)
I remember reading something a while ago about Microsoft providing a mechanism where you can configure Windows to only allow Signed Applications to run, for use in a Corporate Environment where the IT dept doesn't want anyone to run anything.
ext2fs has the ability (although I believe it's not implemented) to store the first 96 odd bytes in the inode, effectively moving this information with the metadata. As the first 96 will contain its magic, and probably its most important properties, you get almost all the advantages :)
I wouldn't have thought that this is the correct solution to the problem. But a solution where information is stored in your browser would be good. Recent Mozillas (and I assume IE) have the option of "remembering" your username/password for a site. I also seem to recall a "standard" for websites to request information from your browser (and allowing you to preview what information you are about to send to a site). I personally think that this is the best solution. Do other people have any ideas?
It is because IRC has no real concept of authentication. A lot of IRC users use shell boxes to try and avoid DoS against their home machines. If an IRC user is abusive, you want to be able to ban them from the network, and the only real way of doing so is to ban by IP. If the box is a shell box then banning by IP will hurt "innocent" users. So IRC uses ident, and, when it's used appropriately, it will be used to ban one abusive user. If ident isn't used, or is set up to allow abusive users to evade, then the entire machine is banned. So admins that want their users to be able to IRC install ident correctly.
We do code reviews at my place of work too. We aren't a big company, we're a small company, doing the often mentioned model of "you pay us to work on your OSS'd code", so we pride ourselves on writing good code and code reviews are what makes that happen.
I don't like the "personal firewall" products for this reason. People have the firewalls - that's good, but they have no comprehension of what they are doing (they're protecting me from evil people!) or what it means. Security isn't about buying a product that's going to make it all 'right', it's about understanding the issues, assessing the risks and taking action where warranted.
I code on an IRC daemon for a large network, and I get forwarded emails from people who accuse the network of "attacking" them with ident. These people need to learn about the risks and understand why these products say that ident can be a security problem (it "leaks" information about your username if configured correctly) and why it probably isn't in this case (IRC uses it for a weak form of identification, and on a Windows machine it's probably what you put in the "what do you want to show as your ident?" box).
Linus is quoted in the article stating that he wants to get rid of all the successful loading messages as well. I think this is a very unwise idea. Recently when debugging a hang during boot, I was easily able to track it down by looking at what the last thing was that successfully initialised, and what the next boot message *should* have been. That message didn't appear, so I was able to deduce that that driver was probing something that was hanging my machine.
Sure, get rid of all the fluff that the drivers print out, but I believe that a lot of this information is important, even if it is verbose.
Having too much information is far better than not having any. You can always throw away information that's not relevant. You can't just "make up" information.
What about rsync? I don't know exactly how rsync works, but I believe it works by checksumming blocks of files to find out which parts have changed, then resending those blocks that have changed, saving bandwidth. But then again, I've never investigated rsync. However, I believe that the rsync protocol is very old, older than '97 anyway.
I think this is rather important. What really made the open source software movement take off was the fact that it had a very very low barrier of entry. Anyone at all could sit down and write code and contribute to the project. Open Source Hardware (imho) won't work until anyone can d/l the source, tinker a bit and play with it.
... And this is the perfect vehicle to let people do that. Sure, we can't develop the next x86 processor with this technology. But the geek down the road might have a hunk of plastic that he's developed to control the lights in your house, or a new USB device you plug into your computer that appears as some neato device.
I remember hearing a long time ago, when Napster was still quite young, that it had an off-by-one bug where it would truncate the last byte off every download. This didn't really have any noticeable effect on an mp3, so the bug went unnoticed. Except that files that were popular ended up being many generations old and therefore would have the last part of the song truncated.
This screams out to me that if they 'reverse engineered' this system, then it's a violation of the DMCA and they can be sued? The intent of this system was to prevent people finding the information contained within it. The intent of CSS was to prevent people finding the information contained within it.
They are getting DoS'd, and DoS'd very hard. Just the article that was referenced was talking about a previous attack on undernet - not the current one.
Very, very true. The Undernet coders are trying to move away from the IRC protocol - but it's hard. The clients all speak that protocol and they all need to be changed. Undernet isn't the only network; there are several others. Undernet don't write the IRC clients either, which would all need to be upgraded. What would happen if we decided that SMTP sucked and we wanted to change to something else?
Most DoS doesn't occur for 5 days straight - usually the first thing Undernet does is ignore it - it'll go away eventually. Undernet's come to the realisation that this one *isn't* going away. They are systematically crippling the network by attacking anything resembling a service. If this goes on for much longer Undernet will be forced to close down. There isn't much you can do at all against a DoS. If you have *any* ideas of what *can* be done, Undernet would sure LOVE to know.
AFAIK all Undernet servers have very anal firewalls. Several have them on the box, on the network, on the router, on their upstream, on their upstream's upstream etc. But if you're having more data shoved into your network than you have connectivity, then by the time it gets to your firewall you've already lost -- there is no bandwidth left for anything else.
It *IS* hitting businesses. One ISP is effectively 'closed' as they no longer have any bandwidth left after the DoS. The company can't do anything. You can't easily sue someone in another country where that country doesn't have any laws about what's going on.
Sure, after trying everything I can think of to keep Undernet up in the last few days, I'm at the point where I'm ready to scream for the death penalty for DoS'ers. Leaving an unsecured box on a network is like leaving a gun in full view through an open window. If people locked their guns away that would be fine. Leave your computer unsecured if you want - but don't leave it in a position where it can be used to further the attacks. And that basically means don't connect it to any network where other people might be attacked from your box. A million hosts isn't an unachievable goal to crack with automated scripts. 1 million x 14k4 is one hell of a lot of bandwidth.
Undernet maintains a good relationship with any law enforcement organisation that will listen. Most of them see DoS as being a mosquito bite compared to other crimes they have to handle. Not only that, but tracking it back to the source with DDoS tools and spoofing is near impossible. They see it as a lot of time and effort for little return. Maybe enough of these attacks on large places (AOL hosts an Undernet server and were DoS'd and they're not happy about it...) will get their attention.
I think it's too harsh to make them completely accountable, but a stiff fine would certainly mean that people would at least consider security to be a worthy use of their time. Just like a speeding ticket.
The website is hosted well and truly away from the rest of the network AFAIK. It was also an 'Undernet Admin' that requested the post. Undernet can hold up to a little /. - it's about the equivalent of DoS on a good day, but on a bad day things get *real* bad.
This article is from 1997 when the *same guy* did more or less the same. But it's not what's happening this time. No Undernet/ISP machines have been compromised, just DoS'd into oblivion.
:( So they've already started
Could be an excellent case for someone to trial