Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories: 0
Comments: 12,200

Comments · 12,200

  1. Re:ipv6 support on Cisco/Linksys routers on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    Some of the Buffalo routers actually ship with a Buffalo-branded version of DD-WRT; I have a WZR-HP-G300NH which came with DD-WRT v24SP2-EU-US (08/19/10) std... It seems perfectly stable for me, and has far more functionality than the stock firmware I've seen on other routers.

  2. Re:wow on Cisco Linksys Routers Still Don't Support IPv6 · · Score: 1

    Cable modems will actually be much easier to transition than ADSL routers...
    IPv6 is a requirement for DOCSIS 3 certification, so any new cable modem should support v6 out of the box (my ISP-supplied router does, but the ISP doesn't)...
    Many older cable modems are effectively just layer 2 bridges, so they also should work just fine with IPv6.

  3. Re:The problem is people on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 1

    You do make a good point; the typical advice given out on password policies can often be detrimental, and the typical implementations used can be flawed.

    Most systems don't stop dictionary words.
    Even if you're forced to use a *different* password to your previous one, the level of difference typically isn't enforced so password1 can become password2.
    Storing a fixed number of previous passwords is flawed as users can keep changing them to roll around, and setting a minimum password age is just a nasty kludge trying to mitigate this problem while causing new ones - much better to store any number of old passwords for a predetermined length of time.
    There are also flawed authentication schemes out there which make it possible to authenticate using the hash without needing to crack the plaintext password.

    People use the same passwords in multiple places... Even if you choose good strong passwords and some of the places you use them encrypt them with a strong one-way hashing algorithm, how do you know how various systems will store your passwords? All it takes is for one to store it weakly and you're toast.
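As an added example (not part of Bert64's comment), a password-history check in Python that implements the two points made above: old password hashes are retained by time rather than by count, so rolling through a fixed list no longer works, and a minimum edit distance stops password1 from becoming password2. The retention window, the distance threshold and the PBKDF2 parameters are assumed values, not anything the comment specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy values are assumptions for this example.
RETENTION_SECONDS = 365 * 24 * 3600   # old hashes kept for a year, however many there are
MIN_EDIT_DISTANCE = 3                  # password1 -> password2 is distance 1: rejected
PBKDF2_ROUNDS = 100_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever slow hash the system uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class PasswordHistory:
    current: tuple                                   # (salt, hash) of the password in force
    retired: list = field(default_factory=list)      # (retired_at, salt, hash) of old passwords

    @classmethod
    def enroll(cls, password: str) -> "PasswordHistory":
        salt = os.urandom(16)
        return cls(current=(salt, slow_hash(password, salt)))

    def change(self, current_plain: str, new_plain: str, now: float) -> str:
        salt, digest = self.current
        if not hmac.compare_digest(slow_hash(current_plain, salt), digest):
            return "rejected: current password incorrect"
        # Time-based retention: drop entries older than the window, keep any number of newer ones.
        self.retired = [e for e in self.retired if now - e[0] < RETENTION_SECONDS]
        # Similarity can only be judged against the current password, which the user has
        # just supplied in clear; the retired entries are hashes and cannot be compared.
        if edit_distance(current_plain.lower(), new_plain.lower()) < MIN_EDIT_DISTANCE:
            return "rejected: too similar to current password"
        for _, old_salt, old_digest in self.retired:
            if hmac.compare_digest(slow_hash(new_plain, old_salt), old_digest):
                return "rejected: reused within retention period"
        self.retired.append((now, salt, digest))
        new_salt = os.urandom(16)
        self.current = (new_salt, slow_hash(new_plain, new_salt))
        return "accepted"
```

Because the history holds only salted hashes, the "level of difference" rule can be enforced against the current password alone; the reuse rule is what covers everything older.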

  4. Re:Democracy is a concept.... on The Relationship Between FOSS and Democracy · · Score: 1

    All forms of government tend to be judged by cherry picking a few examples... And many of these examples are not what they are claimed to be.

    A democracy, like any other form of government, is prone to corruption; you start with everyone having the right to vote and the biggest group seizes power.... This group wants more power, so they use their majority to gradually erode the rights of the smaller groups and consolidate their power base.

    Giving people a sense of power through the ability to vote also decreases the risk of civil unrest; people believe they have some power even if their vote means absolutely nothing. The more empowered people think they are, the less likely they are to revolt.

  5. Re:Democracy is a concept.... on The Relationship Between FOSS and Democracy · · Score: 1

    Democracy only initially gives equal rights to all citizens, but it can easily result in genocide...
    All it takes is for the majority to democratically vote for genocide and thus the motion is carried, whether it be genocide against a minority group within the same country or against a foreign group.

    One of the best quotes is "Democracy is 2 wolves and a sheep deciding what's for dinner". Democratically you can't argue with a clear 2/3 majority, but that isn't much consolation to the sheep.

  6. Re:DEAR SONY on Sony Lawyers Expand Dragnet, Targeting Anybody Posting PS3 Hack · · Score: 1

    Which is why the idea of licensing software is ridiculous...

    I can buy a piece of hardware (or most types of physical good, e.g. clothing), dismantle and modify it in any way I choose; I can even sell it on in modified or unmodified form as I see fit. What I can't do is produce clones of the hardware and sell them as if they were original articles (this is known as counterfeiting).

    Software should be no different; I should be able to use a piece of software I purchased for any purpose I see fit, providing I don't distribute copies. I should also be free to sell the original copy I bought, providing I don't retain any copies myself, and should be free to publish instructions showing other people how to make useful modifications themselves.

    Incidentally, counterfeiting only occurs when the original is sold at a price disproportionate to its production cost. Factories in China can churn out Armani suits for the same price as cheap unbranded ones, yet the retail price of the Armani suit will be many times higher than an unbranded Chinese suit.

  7. Re:Why mistreat your customers? on Sony Lawyers Expand Dragnet, Targeting Anybody Posting PS3 Hack · · Score: 2

    Yes and no...
    A used PS3 might have been bought when Sony lost money on its sale, therefore buying a used one prevents the sale of a new unit that would make Sony a profit.

  8. One fifth on China Building City For Cloud Computing · · Score: 1

    But China's overall level of IT spending, while growing rapidly, is only one-fifth that of the US.

    How much does the US spend on software (which the Chinese will get for free) and labour (which is much cheaper in China)?
    Spending is not an absolute guide; the Chinese have significantly lower costs in some areas than the US does.

  9. Re:The person who needs to leave on The Microsoft High-Profile Exodus Continues · · Score: 1

    Microsoft did no such thing...
    Compaq and all the other makers of IBM compatible clones did that, MS just followed along, getting people locked in to relatively cheap software just as they were getting themselves out of being locked in to expensive proprietary hardware.

    MS prices have steadily increased, both in absolute cost and considerably faster as an overall percentage of the cost relative to the hardware. DOS used to be $30 of a $2000 computer; now Windows is $100 of a $300 computer. It is hardware that has become more affordable.

    The masses *did* use Commodores, many of them were not interested in computers and a lot only wanted to play games (since they couldn't see any other use for a computer at the time). Commodore sold millions of the C64 and a fairly healthy number of Amiga systems too.

  10. Re:The person who needs to leave on The Microsoft High-Profile Exodus Continues · · Score: 2

    Probably not; you point out the benefits that the hardware market being opened up has given us...
    Now consider if those same benefits had extended to software as well.

    Openness in software basically got sacrificed or overlooked as people moved to open hardware, so now we've got to a state where hardware is highly competitive but software is largely dictated by Microsoft through marketing and lock-in.

  11. Re:Programmed to do it... on Firewalls Make DDoS Attacks Worse · · Score: 1

    Capable of pushing 150Mbit/sec, but what kind of traffic is that?
    I have a Soekris net5501 using the same 500MHz Geode CPU and it can easily handle multiple 100Mbit/sec links (it has 4 such NICs built in) of normal traffic such as HTTP transfers, but if you flood it with small packets the CPU chokes on interrupts with far less actual traffic, and an ASA will do exactly the same.

    Also, "low end" does not necessarily mean cheap; most of these commercial firewalls are extremely expensive (to purchase, not even considering support costs which can also be stupidly high), especially when you consider the hardware that they're running on. It's only once you get to high-end hardware with custom ASICs that you're really getting anything you couldn't with commodity hardware, but considering the huge difference in cost is it really worth it?

  12. Re:Programmed to do it... on Firewalls Make DDoS Attacks Worse · · Score: 1

    Your server could drop the packets immediately too, and chances are your server will be considerably higher spec hardware than your firewall.

    Anything that can fool the server itself into processing it, could also fool the firewall so at best the server is under the same load, at worst the extra load of having to receive, inspect and forward the traffic will cripple the firewall before the load on the server gets high enough to harm it.

  13. Re:That depends upon the situation. on Firewalls Make DDoS Attacks Worse · · Score: 1

    Only using a firewall is bad...

    Using a firewall in addition to properly securing your systems brings you very little additional benefit, and might not be worth the cost...

    Those "cheap" Cisco firewalls are still massively overpriced for the hardware they contain; the hardware will almost certainly be considerably slower than your servers and therefore far less resilient to attacks - hence this article in the first place.

    Spending 10 times as much on the firewall as you do on the server, only for the resulting firewall to be basically an older revision of the same hardware used in the server is not a good use of budget.

  14. Re:Microsoft can't be all things to all people on The Microsoft High-Profile Exodus Continues · · Score: 2

    Because they have to diversify; sooner or later the OS and office suite markets will become commoditised.

    They are trying to enter new markets now while they have a significant source of income and can afford to take serious losses for a few years before they establish themselves (see Xbox). If they have no replacement revenue stream when their core ones dry up, they would be pretty screwed.

  15. Re:The person who needs to leave on The Microsoft High-Profile Exodus Continues · · Score: 1

    The masses were already using computers; Commodore were big, as were Atari. They basically played a bait and switch with people who wanted the openness offered by the x86 clone market.

  16. Re:Would you rather on Firewalls Make DDoS Attacks Worse · · Score: 1

    Which is exactly the problem the article discussed...
    You put a low-end server in to forward all the traffic to your high-end server, and then you make it do all kinds of processing on that traffic, thus creating yourself a significant bottleneck.

  17. Re:Would you rather on Firewalls Make DDoS Attacks Worse · · Score: 1

    It's easy to get multi-gigabit connections in a carrier-neutral data centre... Most big carriers will supply you with 10GB, and major datacentres will have multiple carriers available; look at Telecity/Redbus/Telehouse in London for instance.

    My web servers have 2 interfaces; the back interface connects to a non-routable network which I connect to using a VPN and SSH, and lights-out boards are running in there.
    I have no issue running SSH on the internet, and you also need to manage a firewall from somewhere too.

  18. Re:Would you rather on Firewalls Make DDoS Attacks Worse · · Score: 1

    IDS systems, when poorly configured, will either generate floods of false positives (so the staff just ignore them) or miss important events. I have pentested countless customers who had IDS systems and many of them simply didn't notice my attacks, even successful ones.
    Many places have an IDS as a tick in the box, and the logs will never be read.

    When they own a system that system is gone; you can consider any data on it gone... The question is how quickly you can detect and remove them, and contain them to minimise any further damage they could do (e.g. getting into more servers)...
    In the classic case, once you get behind the firewall there's lots of easily exploitable systems so an attacker can easily spread around your network, whereas if your hosts are configured securely enough to stand alone on the internet then one server being hacked won't help you get into anything else.

  19. Re:Would you rather, Double DOh! on Firewalls Make DDoS Attacks Worse · · Score: 1

    Do you trust the people who have access to the server?
    Yes? Then they won't be doing anything stupid like browsing from the servers...
    No? Are the people who run the servers also the same people who run the firewalls? If so, FAIL.

    A server being able to connect out doesn't become a problem until that server gets compromised, which is not something you want to happen... Minimising what the attacker can do is one thing, but it's only a minor gain in a niche case. Better to spend more effort on making sure the server doesn't get owned in the first place.

    Also, if you rely too much on the firewall (which MANY places do), sure, your owned servers might not be able to connect out, but can they connect to each other? A hacker might have a lot more fun owning all your other servers.

  20. Re:Sold! on Firewalls Make DDoS Attacks Worse · · Score: 1

    Servers can be configured to stealth; they don't need to return port closed responses.
    The value of doing so is quite limited however; a determined attacker can just scan every port until they find your open ones...

    Scanning large IP ranges is going to become a lot less useful with IPv6.

  21. Re:Serious Hardware in 1997... on DreamPlug ARM Box Brings Power To Plug Computing · · Score: 4, Informative

    The LINPACK benchmark focuses on floating point, whereas most ARM chips don't have hardware floating point units...
    ARM chips tend to do much better at integer benchmarks, and most code you would run on a server is integer code.

  22. Re:Internet Connected Exchanges?! on London Stock Exchange Was 'Under Major Cyberattack' During Linux Switch · · Score: 1

    They will be connected somehow, because using the public internet as a transit backbone is the easiest way of getting a connection from a far away location (laying your own dedicated fibre isn't really practical), even if all your traffic goes over a VPN.
    Also, many trading companies will be connected into the exchange, and who knows what state their networks will be in.

  23. Re:Sold! on Firewalls Make DDoS Attacks Worse · · Score: 1

    Indeed, I have several servers on the internet with no firewalls...
    Firewalls would simply introduce additional cost and additional failure points; any benefit in security would be pretty negligible. The external footprint of the servers (i.e. if you scanned them) would be exactly the same because only services that need to be open to the world (HTTP, SMTP, DNS, etc.) are actually open.

  24. Re:Would you rather on Firewalls Make DDoS Attacks Worse · · Score: 1

    Let's assume for a moment that your web server is configured correctly, that is, the only service listening on it is port 80 (HTTP) because, as you say, it's a web server.

    Now in order to exploit that server, you would need to find a vulnerability in the HTTP service, whether it's a bug in the web server software or a vulnerable script running on top of the web server... Obviously you can only exploit this while port 80 is open...

    So if you add a firewall, you could use it to block port 80 and thus prevent this avenue of exploitation... But if you do that, the web server will no longer work, so your firewall has to be configured to allow port 80.

    So you have a choice:

    Firewalled:
    Port 80 open

    Unfirewalled:
    Port 80 open

    The only place a firewall provides any benefit is either:

    If you do get hacked, a firewall can hinder the hacker by preventing them from binding additional ports or establishing outbound connections, or detect them by providing an additional point of logging.
    Your web server is grossly misconfigured and has all kinds of non web related services listening on its external interface, and you choose to block these services at the network level with a firewall instead of turning them off like you should have.

    On the other hand, a firewall might have vulnerabilities of its own and someone could exploit that instead of the web server behind it. By adding the firewall, you have increased the network latency, increased your cost (power, hardware), and increased the potential intrusion points (since you now have 2 machines for hackers to attack instead of one).

    The only real security benefit to be had is if you have application-specific firewalls, and even there the benefits are questionable... Risk of the firewall being exploited (since it does very complex processing of the traffic) vs the risk of your services being exploited. You're still adding another point of exploitation, and basically assuming that the service behind the firewall can't stand on its own.

  25. Programmed to do it... on Firewalls Make DDoS Attacks Worse · · Score: 4, Informative

    Misconfigured IPS systems are often easily abused to launch a DoS; for instance, many will block an IP address which appears to be doing a SYN scan, yet such scans are trivially spoofed - spoof the scans from other addresses and the IPS will dutifully block them.

    As for firewalls, people are generally conditioned that a firewall is required, and in many cases end up relying entirely on the firewall (e.g. a device will have lots of listening ports open which don't need to be, and which are only inaccessible from the internet because of a firewall). It's extremely common to find a network with little apparently open from the outside because of a firewall, but once you get inside everything is wide open and trivially exploitable. All you need is one hole in a service which is permitted through the firewall, and the rest of the network falls easily.

    A firewall should only be a SMALL component in a defence in depth strategy. Your web servers should only have the services they need open, everything else closed, and then the firewall should be a second line of defence which allows the same ports (since you need them); it shouldn't actually be blocking anything under normal circumstances but rather is there to provide a second barrier and point of logging in case someone does compromise the server and tries to open up additional ports or send traffic out. If the servers are only listening on the services they need (and which by definition the firewall must allow anyway) then being behind the firewall doesn't really provide you much benefit as a hacker.

    In terms of DDoS, well, it depends on the type of attack.
    A raw packet attack, where you seek to swamp the target with more traffic than it can handle, is often much easier if a firewall is involved, especially a stateful one. For each packet that's received, the firewall must process the interrupt on the outside network card, read the packet headers and process them against its ruleset, and then, if the packet is allowed (which it probably will be, since most DDoS attacks will focus on actual service ports), relate it to an existing state table or create a new entry, perform any necessary packet mangling such as NAT translation and finally forward the packet on through the internal interface. All of this uses CPU, memory and bus bandwidth before it even hits the actual server.
    Then look at the hardware that goes into firewalls; take Cisco as an example... Their current firewalls are Linux based (most commercial firewalls are Linux or BSD based), and run on generic x86 hardware... According to http://en.wikipedia.org/wiki/Cisco_ASA even the most modern ASA firewalls are of a relatively modest spec, meaning that their ability to handle traffic is likely to be less than the servers behind them before even taking into account the additional load of having to do ruleset and state lookups, NAT, and forwarding the traffic back out again.

    If you won't put a server on the internet without a firewall, what is the firewall itself? Most firewalls are just relatively low-end servers, running Linux or BSD... What makes a Cisco ASA safer than a normal Linux box? You allow the services you need through the firewall anyway, so the additional risk of not having a firewall and having a properly configured server is very low; no extra services are really exposed, but you are increasing performance and decreasing costs.