That sounds about right. Get the women to buy you a beer first, it weeds out some of the gold diggers. I got snagged by a digger years ago, she cost me a lot of money, in return for some not very good sex. But it was fun and kept me away from computers for a while, and led me into new things.
My current GF comes from a very rich family. I didn't know it at the time I met her, so I let her buy the first meal just to be fair. For the first week or so we were together we alternated buying things. I doubted she was a golddigger, since when we first met I was in my hardware geek outfit, old jeans and sneakers, driving my old car. Later I drove my new car, and had the suit on, and it didn't impress her much more than the first look.
And this weekend I've got to spend with her and her 'rents. Ugh. Yassa, Daddy Warbucks, sah! ;-)
Read down to the bottom of the NewTimesLA article, there you will find...
"Hey, Don, Head of Security! I don't give a rip about your stupid orders: BILL GATES' OFFICES ARE LOCATED IN BUILDING 8 ON THE SECOND FLOOR IN THE CENTER OF THE EAST WING FACING SOUTH. Damn that felt good."
ObOnTopic post
When you first start working 90+ hour weeks in this industry (any demanding industry), you have to sacrifice your sex life.
Later, when you mature a bit and get your life balanced out, you learn that spending money on women is much more fun than spending it on ALL the latest geek equipment. Balance means you buy some geek equipment, and spend some on the women.
I would say my sex life has steadily increased over the years. Now I have enough money to keep the women happy, and the social life is properly balanced between partying and geeking. Only sometimes do I miss having a 100% geek life, usually when I watch some young kid right out of school hack circles around me. But he doesn't have a girlfriend, that's my pathetic response.
Ha! I knew that acronym sounded familiar. Thanks for reminding the /. community. Pretty funny they are using that.
Seems to be a class C block of IP addresses from right in the middle of the Class B that M$ uses. Claims to be an ISP, but they have just one static web page on their server.
In theory, any RF signal will go on forever, decreasing at the 4th power of the distance.
In reality, there is a limit where a signal can no longer be detected. Because of the background radiation of 3 degrees kelvin, and a host of other factors, eventually even a .5 watt signal can't be detected even by a theoretically perfect receiver. The distance would probably only be about 10e14 meters, or a distance just outside our own solar system. I think that number was for a 1 watt signal on 1.0 GHz, or maybe it was the 250 milliwatt signal from one of the early spacecraft. Time dims memory.
Their site is pretty funny, they aren't taking themselves too seriously. But there isn't anywhere they tell about what frequency or coding scheme they are using. I'd love to know. I've just posted a message to their board (number 3, they don't have a slashdot base of users, yet)
Microsoft has slapped a packet sniffer on the local network feeding the contest machine. Probably several sniffing machines, with different filter criteria. Gives them some idea of what the script kiddies consider useful for cracking an M$ site.
If any of the attacks succeed, they have a trace of the crack, and can build better security for the final release of NT2000. This is good, because I'll have those pieces of shit installed all over my networks soon enough.
They also get to harvest IP addresses of everyone stupid enough to try even looking at this machine. Even a simple traceroute will give them a source IP address. Toss them all into a big database at a later date, couple it in with some other data about the attack type, and wait to use it later to track crackers. Offline analysis is a powerful tool, couple it with automated lookups and a simple knowledge based system, and you could populate a DB with some dangerous data.
For the paranoid, perhaps there has been a nasty break-in by some sophisticated infocriminals (love that new word, see HNN), and the FBI are also sitting in the room with their own analyzers, waiting for someone to try a similar attack. Assuming the crackers are just some misguided wanna-be scripties, this could help the FBI to back track to them. The cracking contest is just a combination of marketing fiasco and FBI clue gathering mission. The FBI are probably not even looking for anything they could use in court, just some leads to track down.
Given the lack of any other services on the machine, and the simplicity of the web pages (no DB or useful cgi-bin), and the quickly hacked together javascript errors, I would say this is mostly a marketing exercise. No matter what the outcome, they can spin it into some hype and a FUD campaign.
I made a bunch of money in Silicon Valley, years ago. It was nice, I was able to quit my job, got rid of all my material possessions, and did the things I wanted to do.
Granted, I didn't get anywhere near the $1 million mark, so my spending wasn't that over the top.
After a while I found myself back working again as a consultant. Working was fun, for little blocks of time. In between there is travel, the only really fun thing in my life.
The money has only paid for a few things, more education, lots of travel, a place to live, extra time off every year.
But I still like working (maybe I should do some today, instead of slashdotting :-) But too much working leads to stress and burnout.
[no spoilers here] There was a review recently from a slightly jaded reviewer that he didn't "get it", but many of the people in the theater obviously did.
I would have to put myself in the group who didn't get it, but enjoyed the film anyways.
I saw BWP at a film festival, after having seen about 20 films in the week before it, so I was fully in Jaded Film Reviewer Mode. Even a sneak preview of Phantom Menace at that point wouldn't have got my pulse moving. When I walked out, I had been scared, but not as much as some other films have done. I did give the film some thought, which is my litmus test for a good film.
I did like the hand held camera style, it has been used effectively in only a few films before. Most film makers try to avoid it because audiences tend to get sick if there is too much natural feeling motion, and the film doesn't make as much money. It works to great effect here.
Most of the film is kind of boring, but almost every bit of it is necessary to set up the last 10 minutes. For anyone who has been camping regularly, or was in the scouts, the stupidity seems a little far fetched. But if you remind yourself these are wanna-be film makers first, and probably have never been camping more than once or twice in their lives, then it works. It allows the tension to build for an hour, because the human body really needs that much time for the adrenaline to kick in and power the "fight or flight" response.
What especially got me was the final 10 minutes, there was a kind of tension I've only seen in very few other films. Alien and Psycho are two of my favorites for creating fear when the camera is not really showing anything to fear.
BWP now is firmly in the category of "sufficiently scary", and I would put it on my list of top 20 films to cause you to lose sleep.
I wonder what I will think of it after I have seen it a few times over the years. Time will tell.
Having to still support an old network installation run by a bunch of idiots (they are attempting to implement a mostly micro~1.oft shop), I can tell you that outlook doesn't scale to more than 2000 users before the maintenance starts to become a headache.
This is a large client trying to implement a server farm of 20+ NT machines, each server supporting 600-800 users, and combining the whole lot into a coherent whole. Fortunately I only have to fix their poor network designs. The team of administrators now numbers more than 50, most are MCSEs, none less than 5 years experience with Micro~1.oft products. They are tearing their hair out on a daily basis. Complaints number in the hundreds every day, and that's just the users who haven't given up completely.
My advice is to start looking at the larger commercial products, possibly Netscape's server. Get a reputable vendor to support it.
If you look at open source systems, start with OpenBSD and NetBSD.
Divide your system up between the MTA doing delivery/reception of the messages, and the MTA serving the users. It's OK if email to the outside world goes down for short periods of time, it's almost expected. But if users can't get to their mailbox 100% of the time, you will look bad.
You also need to look at managing more than 32000 or 65000 users in the future, remember that various *nixes have either 15 or 16 bit UID fields. You should make sure user accounts/authentication/logins are separate from any UID system on any machine type. This means getting some kind of medium sized DB, and tying it into your auth and login schemes. Others have done it, it's not that hard (look at AOL with 10 million+ user accounts).
Recently attended a big sales pitch on the new generation of home cable and DSL boxes. Idea is that a consumer can just buy one of these things, take it home and plug it into a cable TV system and be up and running.
There was some technical details about how all unregistered boxes would always be directed to a sign in page, so the consumer would just have to enter a credit card number and the box would then reboot with a real IP address. Then the consumer could start surfing the web within minutes.
Great idea, but I asked about setting passwords on the modems or the PCs. The horror and shock was obvious. Seems they did some studies, and found that if an average consumer has to enter a password to secure their system, they prefer not to buy or use the product. But the legal department had forced them to design their web site so the consumer would have to scroll through three pages of smallest type legalese, pressing accept at the bottom of each page. Buried in all that was a warning to set passwords. That was acceptable, but forcing it was not.
So afterwards got a tour of the demo network, with some sample set top boxes and PCs. Whipped out the portable hacking/cracking laptop, and within a few minutes had control of every modem and PC. The big company is going back to the drawing board for the rollout plans, maybe to get each customer to set a line noise type password on their modems, and force them to write it down as part of the login process for the first day or two.
People never learn, which is why crackers have life so easy.
So how do you do this on a weekly basis? Host based scanning, or network scanning?
This is just out of curiosity, since I've been recently involved in (actively avoiding) a discussion about which is better, host or net scanning. My position is that both are needed. An unpopular answer because that costs more money :-)
I like this article. It's clueful, balanced, has the requisite number of quotes. There is the seminal quote by Spaf "...locked in a safe, surrounded by armed guards, and even then I wouldn't bet on it".
It goes just deep enough to clarify a bunch of issues for those who have only seen the knee-jerk reactionary articles of the overworked sensationalist press. It does leave a few questions unanswered, and although I would like to see the answers, this article is right in not including them.
So the FBI caught a teenaged hacker who stole a password and got into a bunch of sensitive computers at SFI, LANL, LLNL, and a few others, and they didn't call in a swat team led by Janet Reno. That in itself is a revelation. The press hungry FBI actually did their jobs instead of sucking some columnist's dick? Stop the presses! Makes you wonder what they did to the stupid guy who mailed his only password to all his cow-orkers where any script kiddie could pick it up. Did the FBI come down on him like a ton of bricks? Did he get a 5-10 year sentence for aiding and abetting a felony involving national security? Probably not.
There is also a great section on connecting two secure networks together with an encrypted line, and then having one of the nets get compromised. It doesn't matter how strong the encryption is, the end systems are still the weak link in the chain.
I'm going to have to get reprint permission for this article, third generation photocopies won't do it justice.
I do not want a wince machine. Tried them, they have crossed the line of bloat, and don't seem to have the nice integrated feel of a palm.
I did have a wince machine for a while with a Proxim wireless lan, and the connectivity was cool, but the apps were pure winblows and the machine kept crashing every little while.
Actually, I am going to look again. Everyone around me uses them at this point, so there has to be something there.
I'm a bit jaded because I used one of the original ones a few years ago, and there wasn't enough good stuff on it to keep using it. Lately I've been using a V, which is much nicer. It would make a nice activity organiser, and I suppose I could get my act together and enter all my phone numbers into something on a PC and DL it to the palm. But since I carry a Nokia phone with 200+ entries in it already, the palm wouldn't get used all that much.
The thing that turned me off earlier was the lack of connectivity to anything other than mac and windoze. Now there are lots more linux drivers to do the same thing, so that point is gone.
The best app I could think of would be to have a mailbox which could get DLed every so often, either through infrared or docking or a low power wireless connection. I get hundreds of emails a day, and there is always down time during the day when I could be reading through all of them. But the palm would need 8Mb of storage just to hold a few days worth of my emails (attachments could be left behind).
It would also be cool to have the palm just be another IP address on my network, so an IMAP or similar process running on a linux server could sync up the mailboxes, and delete all the emails I delete on my palm.
Color is useful for highlighting important objects on the screen. I wouldn't care if it dragged the batteries down a little faster, if I could get recharging docks at work, home, in the car, etc.
Didn't mean to be a troll, I'll probably have one before Christmas (or as soon as a color one comes out)
Recently there was a big international company with a cracking/phreaking problem (the problem was really with a piss poor attitude by management to enforce a good security policy).
Their lawyer and CIO wanted to tie together all the intrusion detection systems, the firewalls, some sniffers, a certificate authority, and who knows what else, with the goal of providing a chain-of-evidence that they could hand (or email to) some prosecutor somewhere and have it stand up as evidence in court. Oh, and since the cracking attempts are coming from europe/russia/australia, can the system be completely international and stand up in any court.
"Looky here, Mr. State Attorney General, we were attacked by a ping flood from these IP addresses, and we carefully recorded each and every ping packet hitting our firewall in this log file. We want you to prosecute."
For some reason, Dilbert strips weren't funny for weeks after that episode :-)
But on the flip side, imagine what a naive prosecutor would do if someone handed him a log file with some spoofed IP or email addresses in it, showing some kind of real world crime (drug dealing or car theft). Granted, there should be other evidence to back up any prosecution, but cases have gone to trial on less. That's the scary part.
I know where N'rundel county is, I used to live there. It's a short drive around the beltway to Sterling (except in late afternoon traffic :-)
The cop and I went to school together, we still keep in touch. This info is from last Christmas time. Do you think AOL has completely cleaned up their act since last winter?
Investigators from many jurisdictions hit up AOL for information all the time, there was even a story about someone being sued in TX because the message went through VA. AOL honors search warrants from any American court, they have to, it's the law. They have also cooperated with Scotland Yard in England, in the big cross-Atlantic child pr0n case a couple years ago.
And AOL has so many cops or DAs coming in with court orders, they don't even check them any more, or supervise what they collect. Many courts require chain-of-possession by an officer of their court, so the cop heads into the crime scene (AOL headquarters), records the evidence, and then hand-carries the evidence back to a court approved storage site. When the evidence is presented in court, there is a list of every person who handled it from collection point to the courtroom.
So the cops grab whatever they can while they have free rein on the system, even for cases they don't have a warrant for. Just because it can't be used as evidence in court doesn't mean they can't 'accidentally' see some information which leads them to discover other evidence in a legal manner. A fairly common tactic by overworked cops. Only a serious investigation by a defense attorney can dig up the illegal origin of the evidence, and the cops are counting on major incompetence in most cases.
[And yes, the Brits are bastards sometimes, but it's the IRS (internal, not inland) that thinks it can tax people all over the world. Grrrr.]
AOL is just the biggest name in the game of rolling over for law enforcement, so that is why they are getting the most attention. Anne Arundel cops have been able to just drive over to AOL headquarters and take anything they want, just by flashing a badge. No court order needed, just bring your laptop with a lot of disk space. There is even an office for cops in the building, but the cops have to schedule time in it since so many investigators try to use it.
Smaller ISPs are all learning the hard way the courts always rule for investigators, so at this point most don't even bother asking for a warrant before allowing access. I've watched it happen at a couple of ISPs where I've done business, where the cops wanted either a straight wiretap off a router, or a copy of all email from the main server and backup tapes.
It's not that difficult to direct traffic from a logon session through a specific port on a router, and I had one ISP pay me two days wages just to do it once (without breaking their network like they did). They had the cops camped in their offices waiting to capture all the traffic from a suspect's sessions, thinking he was dealing drugs from his email account or over IRC. He wasn't, but it took them a few weeks to figure that out. At first, they expected to have an exact copy of his screen based on IP packets going across the network, by the end they were happy enough with a tcpdump file. The guy just played on the web a bit, never even hit any pr0n sites.
So this doesn't surprise me at all. I'm surprised anyone is shocked by the revelation, tho.
It's much more interesting than the theoretical brute force machine.
I like the quote about cheating. Been doing that all weekend. Great fun being accused of cheating when all you do is exploit a loophole in the rules. Don't know if I'll ever be invited back for a games night again :-) Or if I am, everyone will be doing the same cheat, until we all decide to fix the rules.
There is a good follow up about good security == good engineering.
And the JYA article is a simple extrapolation of the EFF's DES breaker to more bits. A quick look at the numbers and I don't think it would cost anywhere near as much to build a machine like that. And if a big three or four letter agency wanted to build a series of these machines, they would get their own chip foundry going, and the price would come down as time went on. Assuming the NSA has done that, you can imagine the cracking power they can throw against codes they haven't compromised yet.
The site is slashdotted already, seconds after being posted here. That has left me with a ton of questions.
I wonder how they are going to focus a beam with hundreds of megawatts of power in it down through the atmosphere. There are all kinds of engineering problems to overcome, such as dispersion of the beam in the atmosphere, reflections and deflections of parts of the beam by atmospheric winds, compensation for changes in the temperature and humidity of the air.
How large a target will the beam be aimed at? Presumably a field several miles across full of receiving antennas. The antennas near the center of the beam will receive full power, while antennas at the edge would receive only a few percent.
How do you keep birds from flying into the beam area, and what happens to people living near the receiver? Do you move all the citizens out of the area, and declare it a danger zone? How do you shield the operation engineers working near the site?
I think NASA is hoping to get a small pilot program up and testing in the next 20 years or so. There is a lot of research left to be done.
And the SimCity beam was one of the best. Bzzzzzzzzzzzzzzzzzzzzzzz.
Ooops, I meant that the IPSEC implementation mentioned in RFCs 2401-2412 sets the standard DH key exchange time to 8 hours, easily changeable during the key exchange handshake, shortest time wins.
Creating a new key every few hours means that only a small amount of your data is compromised when someone cracks your key, not the entire amount of data captured over a period of months or years. The more valuable your data, the more often you want to create new keys if you think you will be the target of a serious cryptanalysis effort. The downside is that DH key exchange is very CPU intensive, so re-keying every few minutes is probably not a good idea.
And if you expect bad individuals to be capturing your valuable data for later analysis, and that data can hurt you, then you probably can afford to protect it with more crypto than off the shelf simple DES IPSEC. 3DES is also an option in IPSEC, so pay the extra for vendors who support it, just don't expect the exact same throughput for the price.
IPSEC encryption is starting to take off in a big way in the networking world. Every corporation is looking at getting many Virtual Private Networks set up using IPSEC, and the router manufacturers are taking notice.
With chips like these, the price for doing dozens or thousands of IPSEC tunnels from a single router gets pretty cheap. So every company starts setting them up next to their firewalls, and every employee working from home over their cable modem gets a nice secure and authenticated connection into the company network.
Soon, 30% or more of all internet traffic is encrypted, and the intelligence agencies have to go back to intercepting the communications at the point where there is no encryption. So they have to focus attention on the criminals and terrorists, and stop throwing out wide dragnets like they are now. The end effect is that people will have more protection from fascist government agencies.
The arguments about whether DES is strong enough if it can be broken in 22 hours are kind of stupid. Sure DES can be broken, but if you are using Diffie-Hellman key exchange then your keys are cycled every 8 hours. And if millions of users are using DES, it becomes very difficult to target specific communications with packet captures or taps, and the resources to break a stream make it unlikely the script kiddies will bother.
This ASIC design is just a research project, the VHDL code should make it into commercial products soon enough, and I don't see why it wouldn't support 3DES at that point.
So yes, products like this will make encryption more widespread. Slashdot readers already know all the pros and cons of that whole debate, and will probably agree this will be a good thing in the long run.
This sounds like an exploratory question for someone who hasn't yet come up with a business plan. Are you truly expecting to provide a huge amount of bandwidth to thousands of customers and then try to use a free linux program to enforce your ToS? I'd love to see you succeed with this, because the latest Linux kernels have some traffic shaping in them, and you could help out the coders with a real world test bed.
Why then aren't you taking advantage of Breezecom's built in Maximum Information Rate Class of Service? Do they charge too much for the management software? Have you even talked with their account reps? Their whole business is aimed at ISPs trying to do exactly this same thing. Breezecom modems emulate a serial connection, but their cheaper LAN products emulate an ethernet link. Their modems have a built in rate limiter, their LAN replacement is only aimed at office environments and not ISPs. It sounds like you have chosen the cheapest products, and are now trying to add something for nothing.
To properly implement a per user CoS, you must assign a static IP address to each end station, and possibly lock it down to a MAC address. Then you can set up a traffic shaper for each customer with little hassle. Easiest way to do it is to have different customers in different subnets, so all the 128k people are on one subnet, 512k on another. Rule writing is easiest that way. If you try to do CoS on systems dynamically grabbing an IP address (DHCP or equiv), you will spend all your time writing custom code to match addresses to customers to ToS to shaper rules and so on. Avoid it.
The best solution for packet shaping is Packeteer, who make a great box with a fairly good interface. The cost isn't that high compared with how much you will spend trying to implement the same thing with free software. Just buy one of their boxes and throw it in line with your ISP, then configure it a little and you can mostly forget it.
The next solution is Cisco, who have a bunch of different options built into their IOS for crude packet shaping. Presumably at some point you will have to buy a big Cisco router, probably when you get more than 50-100 customers. Since you are an ISP, what routers are you using now?
The cheap but limited solution is the latest linux kernel with IP Chains and Class Based Queueing. It should scale to handle a few subnets, each having its own CoS, but may not do 512k or higher. Crude, but should keep your bean counters happy until you have enough paying customers to afford something to cover a bigger user base.
Also check out NetBSD shaping, since I haven't yet.
No matter what you do, always enforce your bandwidth policy from the beginning, because you will lose all of your original customers later when you start to enforce the policy. Never give customers free bandwidth even if it is available, you are asking for a customer relations headache down the road if you do. Poor customer relations is the main reason small ISPs go out of business. This is the voice of experience learned the hard way :-(
Remember, packet shaping is a one way process, if you want to limit the connection from the user back towards the internet, you have to install something at the customer end, either a small box or software on their machines. A nightmare you probably shouldn't touch.
Good luck, and tell us what solution you end up with and how it works. We geeks are a curious bunch.
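As an added example, not from the original post or reply: a small POSIX shell script that emits the Linux CBQ shaper rules for the "one subnet per tier" layout described above, with one bounded class per tier and a filter that steers each tier's subnet into its class. The interface name eth1, the 10 Mbit link speed and the two subnets are assumptions; it prints the tc commands rather than running them, so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not the poster's own setup. Generates (does not apply) the
# tc commands for subnet-based Class of Service with CBQ on a Linux gateway.
# Assumed values: customer-facing interface eth1 on a 10 Mbit link, with the
# 128k tier in 10.1.0.0/24 and the 512k tier in 10.2.0.0/24.

DEV=eth1       # interface facing the customers: egress shaping here limits downloads only
LINK=10mbit    # raw interface speed, which cbq needs for its timing calculations

# shaper_root: root CBQ qdisc plus a parent class capped at the link speed.
# Everything below hangs off 1:1, so no subnet can exceed the uplink.
shaper_root() {
    printf 'tc qdisc add dev %s root handle 1: cbq avpkt 1000 bandwidth %s\n' "$DEV" "$LINK"
    printf 'tc class add dev %s parent 1:1 classid 1:1 cbq rate %s allot 1500 avpkt 1000 bounded\n' "$DEV" "$LINK"
}

# shaper_tier CLASSID SUBNET RATE: one class per tier and a u32 filter that
# matches the destination subnet. "bounded" makes the ceiling hard, which is
# what "never give customers free bandwidth" means in tc terms; "isolated"
# stops the class from borrowing idle bandwidth from its siblings.
shaper_tier() {
    classid="$1"; subnet="$2"; rate="$3"
    printf 'tc class add dev %s parent 1:1 classid 1:%s cbq rate %s allot 1500 avpkt 1000 prio 5 bounded isolated\n' \
        "$DEV" "$classid" "$rate"
    printf 'tc filter add dev %s parent 1: protocol ip prio 16 u32 match ip dst %s flowid 1:%s\n' \
        "$DEV" "$subnet" "$classid"
}

# shaper_plan: the full rule set for the two tiers named in the post.
# Adding a third tier is one more shaper_tier line, not custom address-matching code.
shaper_plan() {
    shaper_root
    shaper_tier 10 10.1.0.0/24 128kbit
    shaper_tier 20 10.2.0.0/24 512kbit
}

shaper_plan
```

Note that the parent class uses `parent 1:1` only because cbq's root class is conventionally created that way; the rest of the hierarchy is under it. Upload limiting would need the same rules on the box at the customer's end, as the post says.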
It must be that memory drops off over time at the inverse of 4th power :-)
The post above was right, for reflections the returned power falls off as 1/r^4 with the distance r to the target.
Power from Tx to Rx falls off as 1/r^2 with distance r.
the Anonymous Cypher
Ha! I knew that acronym sounded familiar. Thanks for reminding the /. community. Pretty funny they are using that.
Seems to be a class C block of IP addresses from right in the middle of the Class B that M$ uses. Claims to be an ISP, but they have just one static web page on their server.
the AC
In theory, any RF signal will go on forever, decreasing at the 4th power of the distance.
.5 watt signal can't be detected even by a theoretically perfect receiver. The distance would probably only be about 10e14 meters, or a distance just outside our own solar system. I think that number was for a 1 watt signal on 1.0 GHz, or maybe it was the 250 milliwatt signal from one of the early spacecraft. Time dims memory.
In reality, there is a limit where a signal can no longer be detected. Because of the background radiation of 3 degrees kelvin, and a host of other factors, eventually even a
Their site is pretty funny, they aren't taking themselves too seriously. But there isn't anywhere they tell about what frequency or coding scheme they are using. I'd love to know. I've just posted a message to their board (number 3, they don't have a slashdot base of users, yet)
the AC
Microsoft has slapped a packet sniffer on the local network feeding the contest machine. Probably several sniffing machines, with different filter criteria. Gives them some idea of what the script kiddies consider useful for cracking an M$ site.
If any of the attacks succeed, they have a trace of the crack, and can build better security for the final release of NT2000. This is good, because I'll have those pieces of shit installed all over my networks soon enough.
They also get to harvest IP addresses of everyone stupid enough to try even looking at this machine. Even a simple traceroute will give them a source IP address. Toss them all into a big database at a later date, couple it in with some other data about the attack type, and wait to use it later to track crackers. Offline analysis is a powerful tool, couple it with automated lookups and a simple knowledge based system, and you could populate a DB with some dangerous data.
For the paranoid, perhaps there has been a nasty break-in by some sophisticated infocriminals (love that new word, see HNN), and the FBI are also sitting in the room with their own analyzers, waiting for someone to try a similar attack. Assuming the crackers are just some misguided wanna-be scripties, this could help the FBI to back track to them. The cracking contest is just a combination of marketing fiasco and FBI clue gathering mission. The FBI are probably not even looking for anything they could use in court, just some leads to track down.
Given the lack of any other services on the machine, and the simplicity of the web pages (no DB or useful cgi-bin), and the quickly hacked together javascript errors, I would say this is mostly a marketing exercise. No matter what the outcome, they can spin it into some hype and a FUD campaign.
the AC
I made a bunch of money in Silicon Valley, years ago. It was nice, I was able to quit my job, got rid of all my material possessions, and did the things I wanted to do.
:-) But too much working leads to stress and burnout.
Granted, I didn't get anywhere near the $1 million mark, so my spending wasn't that over the top.
After a while I found myself back working again as a consultant. Working was fun, for little blocks of time. In between there is travel, the only really fun thing in my life.
The money has only paid for a few things, more education, lots of travel, a place to live, extra time off every year.
But I still like working (maybe I should do some today, instead of slashdotting).
the AC
[no spoilers here]
There was a review recently from a slightly jaded reviewer that he didn't "get it", but many of the people in the theater obviously did.
I would have to put myself in the group who didn't get it, but enjoyed the film anyways.
I saw BWP at a film festival, after having seen about 20 films in the week before it, so I was fully in Jaded Film Reviewer Mode. Even a sneak preview of Phantom Menace at that point wouldn't have got my pulse moving. When I walked out, I had been scared, but not as much as some other films have done. I did give the film some thought, which is my litmus test for a good film.
I did like the hand held camera style, it has been used effectively in only a few films before. Most film makers try to avoid it because audiences tend to get sick if there is too much natural feeling motion, and the film doesn't make as much money. It works to great effect here.
Most of the film is kind of boring, but almost every bit of it is necessary to set up the last 10 minutes. For anyone who has been camping regularly, or was in the scouts, the stupidity seems a little far fetched. But if you remind yourself these are wanna-be film makers first, and probably have never been camping more than once or twice in their lives, then it works. It allows the tension to build for an hour, because the human body really needs that much time for the adrenaline to kick in and power the "fight or flight" response.
What especially got me was the final 10 minutes, there was a kind of tension I've only seen in very few other films. Alien and Psycho are two of my favorites for creating fear when the camera is not really showing anything to fear.
BWP is now firmly in the category of "sufficiently scary", and I would put it on my list of top 20 films to cause you to lose sleep.
I wonder what I will think of it after I have seen it a few times over the years. Time will tell.
the AC
Having to still support an old network installation run by a bunch of idiots (they are attempting to implement a mostly micro~1.oft shop), I can tell you that outlook doesn't scale to more than 2000 users before the maintenance starts to become a headache.
This is a large client trying to implement a server farm of 20+ NT machines, each server supporting 600-800 users, and combining the whole lot into a coherent whole. Fortunately I only have to fix their poor network designs. The team of administrators now numbers more than 50, most are MCSEs, none with less than 5 years experience with Micro~1.oft products. They are tearing their hair out on a daily basis. Complaints number in the hundreds every day, and that's just the users who haven't given up completely.
My advice is to start looking at the larger commercial products, possibly Netscape's server. Get a reputable vendor to support it.
If you look at open source systems, start with OpenBSD and NetBSD.
Divide your system up between the MTA doing delivery/reception of the messages, and the MTA serving the users. It's OK if email to the outside world goes down for short periods of time, it's almost expected. But if users can't get to their mailbox 100% of the time, you will look bad.
You also need to look at managing more than 32000 or 65000 users in the future, remember that various *nixes have either 15 or 16 bit UID fields. You should make sure user accounts/authentication/logins are separate from any UID system on any machine type. This means getting some kind of medium sized DB, and tying it into your auth and login schemes. Others have done it, it's not that hard (look at AOL with 10million+ user accounts).
the AC
Recently attended a big sales pitch on the new generation of home cable and DSL boxes. Idea is that a consumer can just buy one of these things, take it home and plug it into a cable TV system and be up and running.
There were some technical details about how all unregistered boxes would always be directed to a sign in page, so the consumer would just have to enter a credit card number and the box would then reboot with a real IP address. Then the consumer could start surfing the web within minutes.
Great idea, but I asked about setting passwords on the modems or the PCs. The horror and shock was obvious. Seems they did some studies, and found that if an average consumer has to enter a password to secure their system, they prefer not to buy or use the product. But the legal department had forced them to design their web site so the consumer would have to scroll through three pages of smallest type legalese, pressing accept at the bottom of each page. Buried in all that was a warning to set passwords. That was acceptable, but forcing it was not.
So afterwards got a tour of the demo network, with some sample set top boxes and PCs. Whipped out the portable hacking/cracking laptop, and within a few minutes had control of every modem and PC. The big company is going back to the drawing board for the rollout plans, maybe to get each customer to set a line noise type password on their modems, and force them to write it down as part of the login process for the first day or two.
People never learn, which is why crackers have life so easy.
the AC
Cool, caching the cache.
Whatever they are working on, has got to be good.
waiting impatiently,
the AC
So how do you do this on a weekly basis? Host based scanning, or network scanning?
:-)
This is just out of curiosity, since I've been recently involved in (actively avoiding) a discussion about which is better, host or net scanning. My position is that both are needed. An unpopular answer because that costs more money.
the AC
I like this article. It's clueful, balanced, has the requisite number of quotes. There is the seminal quote by Spaf "...locked in a safe, surrounded by armed guards, and even then I wouldn't bet on it".
It goes just deep enough to clarify a bunch of issues for those who have only seen the knee-jerk reactionary articles of the overworked sensationalist press. It does leave a few questions unanswered, and although I would like to see the answers, this article is right in not including them.
So the FBI caught a teenaged hacker who stole a password and got into a bunch of sensitive computers at SFI, LANL, LLNL, and a few others, and they didn't call in a swat team led by Janet Reno. That in itself is a revelation. The press hungry FBI actually did their jobs instead of sucking some columnist's dick? Stop the presses! Makes you wonder what they did to the stupid guy who mailed his only password to all his cow-orkers where any script kiddie could pick it up. Did the FBI come down on him like a ton of bricks? Did he get a 5-10 year sentence for aiding and abetting a felony involving national security? Probably not.
There is also a great section on connecting two secure networks together with an encrypted line, and then having one of the nets get compromised. It doesn't matter how strong the encryption is, the end systems are still the weak link in the chain.
I'm going to have to get reprint permission for this article, third generation photocopies won't do it justice.
the AC
I do not want a wince machine. Tried them, they have crossed the line of bloat, and don't seem to have the nice integrated feel of a palm.
I did have a wince machine for a while with a Proxim wireless lan, and the connectivity was cool, but the apps were pure winblows and the machine kept crashing every little while.
the AC
Actually, I am going to look again. Everyone around me uses them at this point, so there has to be something there.
I'm a bit jaded because I used one of the original ones a few years ago, and there wasn't enough good stuff on it to keep using it. Lately I've been using a V, which is much nicer. It would make a nice activity organiser, and I suppose I could get my act together and enter all my phone numbers into something on a PC and DL it to the palm. But since I carry a Nokia phone with 200+ entries in it already, the palm wouldn't get used all that much.
The thing that turned me off earlier was the lack of connectivity to anything other than mac and windoze. Now there are lots more linux drivers to do the same thing, so that point is gone.
The best app I could think of would be to have a mailbox which could get DLed every so often, either through infrared or docking or a low power wireless connection. I get hundreds of emails a day, and there is always down time during the day when I could be reading through all of them. But the palm would need 8Mb of storage just to hold a few days worth of my emails (attachments could be left behind).
It would also be cool to have the palm just be another IP address on my network, so an IMAP or similar process running on a linux server could sync up the mailboxes, and delete all the emails I delete on my palm.
Color is useful for highlighting important objects on the screen. I wouldn't care if it dragged the batteries down a little faster, if I could get recharging docks at work, home, in the car, etc.
Didn't mean to be a troll, I'll probably have one before Christmas (or as soon as a color one comes out)
the AC
I've used palms a few times, and I can't see all that much use to them.
But with a color screen, and a built in IP stack, now they are getting into the useful realm.
Can't wait. Hurry up, 3Com!
the AC
That IS the real issue.
:-)
Recently there was a big international company with a cracking/phreaking problem (the problem was really with a piss poor attitude by management to enforce a good security policy).
Their lawyer and CIO wanted to tie together all the intrusion detection systems, the firewalls, some sniffers, a certificate authority, and who knows what else, with the goal of providing a chain-of-evidence that they could hand (or email to) some prosecutor somewhere and have it stand up as evidence in court. Oh, and since the cracking attempts are coming from europe/russia/australia, can the system be completely international and stand up in any court.
"Looky here, Mr. State Attorney General, we were attacked by a ping flood from these IP addresses, and we carefully recorded each and every ping packet hitting our firewall in this log file. We want you to prosecute."
For some reason, Dilbert strips weren't funny for weeks after that episode
But on the flip side, imagine what a naive prosecutor would do if someone handed him a log file with some spoofed IP or email addresses in it, showing some kind of real world crime (drug dealing or car theft). Granted, there should be other evidence to back up any prosecution, but cases have gone to trial on less. That's the scary part.
the AC
I know where N'rundel county is, I used to live there. It's a short drive around the beltway to Sterling (except in late afternoon traffic :-)
The cop and I went to school together, we still keep in touch. This info is from last Christmas time. Do you think AOL has completely cleaned up their act since last winter?
Investigators from many jurisdictions hit up AOL for information all the time, there was even a story about someone being sued in TX because the message went through VA. AOL honors search warrants from any American court, they have to, it's the law. They have also cooperated with Scotland Yard in England, in the big cross-atlantic child pr0n case a couple years ago.
And AOL has so many cops or DAs coming in with court orders, they don't even check them any more, or supervise what they collect. Many courts require chain-of-possession by an officer of their court, so the cop heads into the crime scene (AOL headquarters), records the evidence, and then hand-carries the evidence back to a court approved storage site. When the evidence is presented in court, there is a list of every person who handled it from collection point to the courtroom.
So the cops grab whatever they can while they have free rein on the system, even for cases they don't have a warrant for. Just because it can't be used as evidence in court doesn't mean they can't 'accidentally' see some information which leads them to discover other evidence in a legal manner. A fairly common tactic by overworked cops. Only a serious investigation by a defense attorney can dig up the illegal origin of the evidence, and the cops are counting on major incompetence in most cases.
[And yes, the brits are bastards sometimes, but its the IRS (internal, not inland) that thinks it can tax people all over the world. Grrrr.]
AOL is just the biggest name in the game of rolling over for law enforcement, so that is why they are getting the most attention. Anne Arundel cops have been able to just drive over to AOL headquarters and take anything they want, just by flashing a badge. No court order needed, just bring your laptop with a lot of disk space. There is even an office for cops in the building, but the cops have to schedule time in it since so many investigators try to use it.
Smaller ISPs are all learning the hard way the courts always rule for investigators, so at this point most don't even bother asking for a warrant before allowing access. I've watched it happen at a couple of ISPs where I've done business, where the cops wanted either a straight wiretap off a router, or a copy of all email from the main server and backup tapes.
It's not that difficult to direct traffic from a logon session through a specific port on a router, and I had one ISP pay me two days wages just to do it once (without breaking their network like they did). They had the cops camped in their offices waiting to capture all the traffic from a suspect's sessions, thinking he was dealing drugs from his email account or over IRC. He wasn't, but it took them a few weeks to figure that out. At first, they expected to have an exact copy of his screen based on IP packets going across the network, by the end they were happy enough with a tcpdump file. The guy just played on the web a bit, never even hit any pr0n sites.
So this doesn't surprise me at all. I'm surprised anyone is shocked by the revelation, though.
the AC
It's much more interesting than the theoretical brute force machine.
I like the quote about cheating. Been doing that all weekend. Great fun being accused of cheating when all you do is exploit a loophole in the rules. Don't know if I'll ever be invited back for a games night again :-) Or if I am, everyone will be doing the same cheat, until we all decide to fix the rules.
There is a good follow up about good security == good engineering.
And the JYA article is a simple extrapolation of the EFF's DES breaker to more bits. A quick look at the numbers and I don't think it would cost anywhere near as much to build a machine like that. And if a big three or four letter agency wanted to build a series of these machines, they would get their own chip foundry going, and the price would come down as time went on. Assuming the NSA has done that, you can imagine the cracking power they can throw against codes they haven't compromised yet.
the AC
The site is slashdotted already, seconds after being posted here. That has left me with a ton of questions.
I wonder how they are going to focus a beam with hundreds of megawatts of power in it down through the atmosphere. There are all kinds of engineering problems to overcome, such as dispersion of the beam in the atmosphere, reflections and deflections of parts of the beam by atmospheric winds, compensation for changes in the temperature and humidity of the air.
How large a target will the beam be aimed at? Presumably a field several miles across full of receiving antennas. The antennas near the center of the beam will receive full power, while antennas at the edge would receive only a few percent.
How do you keep birds from flying into the beam area, and what happens to people living near the receiver? Do you move all the citizens out of the area, and declare it a danger zone? How do you shield the operation engineers working near the site?
I think NASA is hoping to get a small pilot program up and testing in the next 20 years or so. There is a lot of research left to be done.
And the SimCity beam was one of the best. Bzzzzzzzzzzzzzzzzzzzzzzz.
the AC
Oops, I meant that the IPSEC implementation mentioned in RFCs 2401-2412 sets the standard DH key exchange time to 8 hours, easily changeable during the key exchange handshake, shortest time wins.
Creating a new key every few hours means that only a small amount of your data is compromised when someone cracks your key, not the entire amount of data captured over a period of months or years. The more valuable your data, the more often you want to create new keys if you think you will be the target of a serious cryptanalysis effort. The downside is that DH key exchange is very CPU intensive, so re-keying every few minutes is probably not a good idea.
And if you expect bad individuals to be capturing your valuable data for later analysis, and that data can hurt you, then you probably can afford to protect it with more crypto than off the shelf simple DES IPSEC. 3DES is also an option in IPSEC, so pay the extra for vendors who support it, just don't expect the exact same throughput for the price.
the AC
IPSEC encryption is starting to take off in a big way in the networking world. Every corporation is looking at getting many Virtual Private Networks set up using IPSEC, and the router manufacturers are taking notice.
With chips like these, the price for doing dozens or thousands of IPSEC tunnels from a single router gets pretty cheap. So every company starts setting them up next to their firewalls, and every employee working from home over their cable modem gets a nice secure and authenticated connection into the company network.
Soon, 30% or more of all internet traffic is encrypted, and the intelligence agencies have to go back to intercepting the communications at the point where there is no encryption. So they have to focus attention on the criminals and terrorists, and stop throwing out wide dragnets like they are now. The end effect is that people will have more protection from fascist government agencies.
The arguments about whether DES is strong enough if it can be broken in 22 hours are kind of stupid. Sure DES can be broken, but if you are using Diffie-Hellman key exchange then your keys are cycled every 8 hours. And if millions of users are using DES, it becomes very difficult to target specific communications with packet captures or taps, and the resources to break a stream make it unlikely the script kiddies will bother.
This ASIC design is just a research project, the VHDL code should make it into commercial products soon enough, and I don't see why it wouldn't support 3DES at that point.
So yes, products like this will make encryption more widespread. Slashdot readers already know all the pros and cons of that whole debate, and will probably agree this will be a good thing in the long run.
the AC
It's the CmdrTaco taco bell cup, free with any large soft drink. See the JarJarBinks death scene.
:-)
The Hemos action figure comes with toy light saber and a tiny linux box*.
The JonKatz voodoo doll. 'nuff said.
The CowboyNeal signature collection all leather riding outfit.
Slashdot merchandising, because Rob and Hemos aren't rich enough yet.
*Internet connection not included.
This sounds like an exploratory question for someone who hasn't yet come up with a business plan. Are you truly expecting to provide a huge amount of bandwidth to thousands of customers and then try to use a free linux program to enforce your ToS? I'd love to see you succeed with this, because the latest Linux kernels have some traffic shaping in them, and you could help out the coders with a real world test bed.
:-(
Why then aren't you taking advantage of Breezecom's built in Maximum Information Rate Class of Service? Do they charge too much for the management software? Have you even talked with their account reps? Their whole business is aimed at ISPs trying to do exactly this same thing. Breezecom modems emulate a serial connection, but their cheaper LAN products emulate an ethernet link. Their modems have a built in rate limiter, their LAN replacement is only aimed at office environments and not ISPs. It sounds like you have chosen the cheapest products, and are now trying to add something for nothing.
To properly implement a per user CoS, you must assign a static IP address to each end station, and possibly lock it down to a MAC address. Then you can set up a traffic shaper for each customer with little hassle. The easiest way to do it is to have different customers in different subnets, so all the 128k people are on one subnet, 512k on another. Rule writing is easiest that way. If you try to do CoS on systems dynamically grabbing an IP address (DHCP or equiv), you will spend all your time writing custom code to match addresses to customers to ToS to shaper rules and so on. Avoid it.
The best solution for packet shaping is Packeteer, who make a great box with a fairly good interface. The cost isn't that high compared with how much you will spend trying to implement the same thing with free software. Just buy one of their boxes and throw it in line with your ISP, then configure it a little and you can mostly forget it.
The next solution is Cisco, who have a bunch of different options built into their IOS for crude packet shaping. Presumably at some point you will have to buy a big Cisco router, probably when you get more than 50-100 customers. Since you are an ISP, what routers are you using now?
The cheap but limited solution is the latest linux kernel with IP Chains and Class Based Queueing. It should scale to handle a few subnets, each having its own CoS, but may not do 512k or higher. Crude, but should keep your bean counters happy until you have enough paying customers to afford something to cover a bigger user base.
Also check out NetBSD shaping, since I haven't yet.
No matter what you do, always enforce your bandwidth policy from the beginning, because you will lose all of your original customers later when you start to enforce the policy. Never give customers free bandwidth even if it is available, you are asking for a customer relations headache down the road if you do. Poor customer relations is the main reason small ISPs go out of business. This is the voice of experience learned the hard way.
Remember, packet shaping is a one way process, if you want to limit the connection from the user back towards the internet, you have to install something at the customer end, either a small box or software on their machines. A nightmare you probably shouldn't touch.
Good luck, and tell us what solution you end up with and how it works. We geeks are a curious bunch.
the AC
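The per-subnet Linux shaping the post above describes (one subnet per speed tier, each bounded to its rate), as an added example that is not from the original post or any project: a small tc/CBQ script with a dry-run mode so the generated rules can be reviewed before they touch a live router. The interface name, the subnets and the link speed are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: per-subnet class-based
# queueing with iproute2's tc on a Linux box sitting between the ISP uplink
# and the customer LAN. Assumed/constructed values: eth0 is the customer-facing
# interface, 10.0.1.0/24 holds the 128k customers, 10.0.2.0/24 the 512k ones.
# Shaping applies only to traffic leaving eth0 towards the customers (download
# direction); the upstream direction would need a shaper at the customer end.
DEV="${DEV:-eth0}"
LINK="${LINK:-10Mbit}"   # physical link speed; cbq uses it to compute idle times

# run: execute tc, or just print the command when DRYRUN is set so the
# generated rules can be reviewed before being installed
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# Root cbq qdisc for the interface; every customer class hangs off handle 1:
shape_root() {
    run qdisc add dev "$DEV" root handle 1: cbq bandwidth "$LINK" avpkt 1000 cell 8
}

# shape_subnet CLASSID SUBNET RATE
# One bounded, isolated cbq class per customer subnet plus a u32 filter that
# steers packets destined for that subnet into it. "bounded" means the class
# never borrows idle link bandwidth, which is the "no free bandwidth" rule
# from the post; the sfq inside the class shares the rate fairly between
# hosts in the subnet.
shape_subnet() {
    classid="$1"; subnet="$2"; rate="$3"
    run class add dev "$DEV" parent 1: classid "1:$classid" cbq bandwidth "$LINK" \
        rate "$rate" allot 1514 prio 5 avpkt 1000 maxburst 20 bounded isolated
    run qdisc add dev "$DEV" parent "1:$classid" handle "$classid:" sfq perturb 10
    run filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst "$subnet" flowid "1:$classid"
}

# Remove the whole tree (root qdisc, classes and filters) in one step
shape_clear() {
    run qdisc del dev "$DEV" root
}

# Usage:  DRYRUN=1 sh shape.sh apply   (print the rules for review)
#         sh shape.sh apply            (install them, needs root)
#         sh shape.sh clear
case "${1:-}" in
    apply)
        shape_root
        shape_subnet 10 10.0.1.0/24 128kbit
        shape_subnet 20 10.0.2.0/24 512kbit
        ;;
    clear)
        shape_clear
        ;;
esac
```

Adding a new speed tier is one more shape_subnet line with its own classid and subnet; customers on a dynamic address pool cannot be matched this way, which is the point the post makes about DHCP.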