More likely, they will panic, and rush out to buy whatever expensive product claims it will solve their security problems while still allowing them to run an ancient browser...
If you do have apps like that, put a single win2k3 box running remote desktop inside of an isolated network and give people access to that... They login, run ie6 and access the app, they can't browse to anything outside of the isolated network.
Also, don't give users internet access directly from their workstations, make them connect to another box, preferably a unix of some kind running nx.
Although there are firefox packages for the various linux distributions, and they do get updated centrally by the distributor... It is quite easy to maintain a linux network with up to date versions of firefox and various other things...
When it comes to windows networks, it is reasonably common to see system updates installed (ie windowsupdate) but you very rarely see other things updated where they are installed, msoffice, acrobat reader, backup software, antivirus etc, very rarely gets updated.
You have no guarantee that they will release a patch in the next patch cycle, you might have to wait 60, or 90 days, or they might not release a patch at all. Blackhats launch new attacks just before (no time to rush a patch) or just after patch tuesday so they are guaranteed at least a month (worst case) before a patch is issued. And due to the closed source nature of microsoft products, it is extremely difficult or impossible for anyone else to create a patch.
Exploits are often extremely sensitive to differences in memory layout, loaded libraries, environment setup etc...
This makes commercial software somewhat easier to target, as there are less potential versions to write exploit code for. Contrast to most open source code, which could be compiled not only for different versions of linux, but several fundamentally different systems running on different host processors. And this code could have been compiled using a multitude of different compile time options and compiled against various versions of libraries and their header files. By contrast, windows has only a handful of versions, and only really runs on one type of processor, although some variation comes in because they seem to use different compiles for different languages rather than loading localisation files at runtime.
If you read the history on that, they licensed it based on a percentage of sales... Since IE was never sold as a standalone product, they don't pay spyglass anything.
It could have happened to any browser, but if you write an exploit for say firefox on linux - how many large corporations are you going to be able to target with that? The specific target was windows systems running ie, because they knew that's what all of their targets would be using.
If you had a competitive market, with a mix of different platforms and different browsers then these attacks would have been a lot harder.
The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available. I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.
The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.
Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.
If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.
They have a point, these attacks work primarily because for any given corporation or government you can be almost 100% certain that they are running windows desktops with msoffice installed and msie as the default browser. I have done a lot of contracts at different companies of varying sizes, and the only times i've seen anything else being used for workstations was either a small department in a huge organization, or an individual member of the tech staff on his own machine... A little more diversity would be hugely beneficial.
The current measures being employed to mitigate these risks are largely useless, i have encountered many companies where mass spreading malware has penetrated because their chosen antivirus product doesn't recognise it, let alone a concentrated attack where the attackers would be using new malware which is not detected by anything.
The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses ie, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason noone viewed his site using any other browser was because his site didn't work and they didnt feel it important enough to complain.
Proxmox is good, i run a small hosting environment and have a pair of HP servers running proxmox, which has clustered storage using DRBD. Normally both servers can load balance, but if one fails the other can take up the load (with resulting performance hit).
PowerPC handles networking slightly better because it's a little endian architecture, and network packets are little endian encoded... x86 hardware has to reverse the byte order on every send/receive... Also, embedded PPC hardware consumes less power which is why cisco and others use them... Cisco have also used m68k and mips processors in their devices over the years, wouldn't be surprised to see arm processors on their lower end kit.
Where are you looking to deploy routers? I envisage your setup (in its simplest form) involving a number of AP devices sitting on towers, connected back to a central point where servers and an internet connection reside... Are you talking about the individual access point devices, or the central core routers? And how much traffic do you envisage pushing?
What you consider "commercial grade" isn't what it used to be... Much of the commercial offerings are based around generic x86 hardware, and sometimes the hardware is of a lower standard than you'd get by buying a regular server from one of the well known vendors... Look at the current Cisco ASA firewalls - the lower end models use celeron cpus, processors which are designed for use in cheap desktops.
Depending how many network ports you need, you could buy an openrd box, which has a 1.2ghz ARM cpu and 2 gigabit ports onboard, and consumes less power than a soekris box.. It also has hardware SSL acceleration for certain ciphers.
They also have PCIe, tho the slot doesn't have a connector attached (its just pins on the board), not sure if this can be made into a usable port for adding more network cards or not.
The cut+paste functionality implemented in many window managers is a step backwards from what X11 has natively too, again trying to emulate windows...
You find a lot of linux or mac users who use the system as if it was windows, instead of taking advantage of features like expose, virtual desktops, fast cut+paste with the mouse etc... I showed expose and spaces to a mac user who was minimizing all their apps to the dock and they were amazed.
Having programmer specific keyboards is the next step in an already bad trend, computers used to come with BASIC built in and a manual encouraging you to learn programming (think C64 and sinclair)... Nowadays, you get nothing like that, computers are geared up to keep the user as ignorant of their inner working as possible, and shipping a printed manual would put a tiny dent in the obscene profit margins on software so you never get a manual anymore.
Reference the "shallow pockets" comment again... Many of these people simply cannot afford to buy the movies they watch... Unemployed people and kids typically have plenty of time to watch movies but insufficient money to pay for them etc.
When i was young, i could barely afford a computer, pirated games were the only way i could have anything to play on it, and there were people worse off than me who couldn't afford a computer at all. Hardware has got much cheaper, but software and movies haven't.
And if your OS fails to boot, you will need to carry bootable media with you in any case.
There are also hardware encrypted drives, OS independent, no performance hit, no software to become corrupted... The only thing that would stop you getting at your data is a hardware failure, and a hardware failure will break an unencrypted drive just as badly.
The connection requests will be coming down, and your downstream is likely to be far higher than your upstream for a typical home connection... Sure, you can't control the rate of incoming SYN packets (new connections), but you can throttle the rate that existing connections send ACKs, and you can throttle the rate with which you send data (over your presumably slower upstream).
You are only depriving them if you would have purchased the software in the first place. Most people who pirate photoshop are actually depriving a cheaper or free program of userbase and/or revenue. Very few people need photoshop, most people just want it because it's well known. Most of those people have little or no need to manipulate images, and would easily be able to fulfil their needs with a whole host of free or cheap software, eg GIMP.
I know someone who uses a pirated photoshop for resizing images, yes resizing is all he ever does with it... If he was unable to pirate photoshop, he would have downloaded something else for free (legal or otherwise). He doesn't want to use gimp or any one of the other free tools available that are capable of resizing images because he's heard of photoshop, knows its expensive and considers anything with a pricetag of 0 to be inferior (and no, he has never even tried to use gimp or any other free programs because he thinks they're shit).
The same is true of a lot of other commercial software, and it's why vendors often turn a blind eye to piracy, especially by individuals, because a pirate copy is still more profitable for them (increases mindshare, one less customer/user for a competitor) than users migrating to something else.
As for the "marginal cost of media etc" comment... In any other market (eg hardware) margins start off very fat to pay for the initial development costs (the early adopters tax) and then plummet as the product ages and competition kicks up, such that margins tend to be extremely thin on most hardware products. Software seems to stay in the "screw the early adopters" phase, with extremely high margins relative to the production costs. Hopefully in a few years the market will mature, and software vendors won't be able to continue screwing their customers like this. When that happens, piracy will decrease massively too, you only get copied merchandise in markets where goods are being sold with ridiculous and unrealistic margins... In any other market, you may pay a small premium for a brand but that small premium is not worth the risk of producing counterfeit goods. That's why you get counterfeit prada, but you don't get counterfeit walmart clothes...
The important fact, is that windows includes service ports listening by default, which expose a LOT of functionality, and which do not provide any function which is useful to the average desktop user.
If a user makes a conscious decision to install something that listens on the network then that's one thing, the user knows it's there and has made a decision to use it. The average windows user is probably completely unaware that their system is offering SMB and MSRPC services (among others) to the world.
Services should NOT be present by default, especially on workstation systems. The user should make a conscious decision to enable a service *IF* they want to be running that service.
And in terms of shutting all the ports and blocking them, yes, thats all fine and good until you need to do some work, or use a computer for what it was designed for.
I'm specifically not advocating blocking ports, i'm advocating not having anything open by default, so that anything the user turns on they have done intentionally (ie when they need to do some work as you put it).
This has the other side benefit of creating a diverse culture, since not everyone will run the same things.
Depends on capacity required, once you have more than a few discs worth of data, shipping a single HD actually becomes cheaper and more convenient, especially if you use 2.5" drives.
More likely, they will panic, and rush out to buy whatever expensive product claims it will solve their security problems while still allowing them to run an ancient browser...
If you do have apps like that, put a single win2k3 box running remote desktop inside of an isolated network and give people access to that... They login, run ie6 and access the app, they can't browse to anything outside of the isolated network.
Also, don't give users internet access directly from their workstations, make them connect to another box, preferably a unix of some kind running nx.
Although there are firefox packages for the various linux distributions, and they do get updated centrally by the distributor... It is quite easy to maintain a linux network with up to date versions of firefox and various other things...
When it comes to windows networks, it is reasonably common to see system updates installed (ie windowsupdate) but you very rarely see other things updated where they are installed, msoffice, acrobat reader, backup software, antivirus etc, very rarely gets updated.
You have no guarantee that they will release a patch in the next patch cycle, you might have to wait 60, or 90 days, or they might not release a patch at all.
Blackhats launch new attacks just before (no time to rush a patch) or just after patch tuesday so they are guaranteed at least a month (worst case) before a patch is issued.
And due to the closed source nature of microsoft products, it is extremely difficult or impossible for anyone else to create a patch.
Exploits are often extremely sensitive to differences in memory layout, loaded libraries, environment setup etc...
This makes commercial software somewhat easier to target, as there are less potential versions to write exploit code for. Contrast to most open source code, which could be compiled not only for different versions of linux, but several fundamentally different systems running on different host processors. And this code could have been compiled using a multitude of different compile time options and compiled against various versions of libraries and their header files.
By contrast, windows has only a handful of versions, and only really runs on one type of processor, although some variation comes in because they seem to use different compiles for different languages rather than loading localisation files at runtime.
If you read the history on that, they licensed it based on a percentage of sales... Since IE was never sold as a standalone product, they don't pay spyglass anything.
It could have happened to any browser, but if you write an exploit for say firefox on linux - how many large corporations are you going to be able to target with that?
The specific target was windows systems running ie, because they knew that's what all of their targets would be using.
If you had a competitive market, with a mix of different platforms and different browsers then these attacks would have been a lot harder.
The problem at least as far as PDF readers go, is that most users don't realise PDF is a standard and that there are multiple implementations... They think Adobe make the only pdf reader available.
I would never install acrobat reader, the default pdf readers in macos and linux work much better, far less bloated, and there are plenty of alternatives available for other platforms too.
The problem is not that MS products are flawed, it's that they hold so much marketshare... When you are 99.9% certain that any given corporation you want to attack will be running windows, ie and msoffice you can divert a lot of resources to finding holes in those products. If your target could be running one of several things, planning an attack would be much harder.
Aside from this, because most large organizations are locked in to MS, they simply have no choice... Attack after attack, flaw after flaw, MS don't have to care because they know that regardless of how bad their software is, the majority of their customers won't be able to move away. In fact, they are more likely to buy new versions in the hope that they will solve the security problems.
If we had a competitive market, anyone with such a poor reputation would be forced to fix things or face going bankrupt. And anyone looking to attack, would have to investigate multiple platforms and do some research on which of these their intended victim was using.
They have a point, these attacks work primarily because for any given corporation or government you can be almost 100% certain that they are running windows desktops with msoffice installed and msie as the default browser. I have done a lot of contracts at different companies of varying sizes, and the only times i've seen anything else being used for workstations was either a small department in a huge organization, or an individual member of the tech staff on his own machine...
A little more diversity would be hugely beneficial.
The current measures being employed to mitigate these risks are largely useless, i have encountered many companies where mass spreading malware has penetrated because their chosen antivirus product doesn't recognise it, let alone a concentrated attack where the attackers would be using new malware which is not detected by anything.
The trouble is, when the operators of those sites view their access stats they will conclude that 100% of their target market uses ie, and see no reason to change their site. I had a long argument with someone who couldn't understand that the reason noone viewed his site using any other browser was because his site didn't work and they didnt feel it important enough to complain.
Proxmox is good, i run a small hosting environment and have a pair of HP servers running proxmox, which has clustered storage using DRBD. Normally both servers can load balance, but if one fails the other can take up the load (with resulting performance hit).
PowerPC handles networking slightly better because it's a little endian architecture, and network packets are little endian encoded... x86 hardware has to reverse the byte order on every send/receive... Also, embedded PPC hardware consumes less power which is why cisco and others use them... Cisco have also used m68k and mips processors in their devices over the years, wouldn't be surprised to see arm processors on their lower end kit.
Where are you looking to deploy routers? I envisage your setup (in its simplest form) involving a number of AP devices sitting on towers, connected back to a central point where servers and an internet connection reside... Are you talking about the individual access point devices, or the central core routers? And how much traffic do you envisage pushing?
What you consider "commercial grade" isn't what it used to be... Much of the commercial offerings are based around generic x86 hardware, and sometimes the hardware is of a lower standard than you'd get by buying a regular server from one of the well known vendors...
Look at the current Cisco ASA firewalls - the lower end models use celeron cpus, processors which are designed for use in cheap desktops.
Depending how many network ports you need, you could buy an openrd box, which has a 1.2ghz ARM cpu and 2 gigabit ports onboard, and consumes less power than a soekris box..
It also has hardware SSL acceleration for certain ciphers.
They also have PCIe, tho the slot doesn't have a connector attached (its just pins on the board), not sure if this can be made into a usable port for adding more network cards or not.
Encryption won't hinder a drive swap, your drive will boot on the new machine and request its password just like it did on your original machine.
The cut+paste functionality implemented in many window managers is a step backwards from what X11 has natively too, again trying to emulate windows...
You find a lot of linux or mac users who use the system as if it was windows, instead of taking advantage of features like expose, virtual desktops, fast cut+paste with the mouse etc...
I showed expose and spaces to a mac user who was minimizing all their apps to the dock and they were amazed.
How about websites using the apache user dirs feature, http://hostname/~user
Referencing homedirs in unix: ~/ or ~username/
Having programmer specific keyboards is the next step in an already bad trend, computers used to come with BASIC built in and a manual encouraging you to learn programming (think C64 and sinclair)... Nowadays, you get nothing like that, computers are geared up to keep the user as ignorant of their inner working as possible, and shipping a printed manual would put a tiny dent in the obscene profit margins on software so you never get a manual anymore.
Reference the "shallow pockets" comment again... Many of these people simply cannot afford to buy the movies they watch... Unemployed people and kids typically have plenty of time to watch movies but insufficient money to pay for them etc.
When i was young, i could barely afford a computer, pirated games were the only way i could have anything to play on it, and there were people worse off than me who couldn't afford a computer at all. Hardware has got much cheaper, but software and movies haven't.
Then the data entry program for such reports should interpret any keypress as an uppercase key.
A lot of older keyboards had a ctrl key where capslock is usually placed on modern keyboards...
And if your OS fails to boot, you will need to carry bootable media with you in any case.
There are also hardware encrypted drives, OS independent, no performance hit, no software to become corrupted... The only thing that would stop you getting at your data is a hardware failure, and a hardware failure will break an unencrypted drive just as badly.
Most warez comes chopped into small rar files anyway, chopping it up into 250mb chunks is not going to be hard for warez groups.
The connection requests will be coming down, and your downstream is likely to be far higher than your upstream for a typical home connection... Sure, you can't control the rate of incoming SYN packets (new connections), but you can throttle the rate that existing connections send ACKs, and you can throttle the rate with which you send data (over your presumably slower upstream).
You are only depriving them if you would have purchased the software in the first place. Most people who pirate photoshop are actually depriving a cheaper or free program of userbase and/or revenue.
Very few people need photoshop, most people just want it because it's well known. Most of those people have little or no need to manipulate images, and would easily be able to fulfil their needs with a whole host of free or cheap software, eg GIMP.
I know someone who uses a pirated photoshop for resizing images, yes resizing is all he ever does with it... If he was unable to pirate photoshop, he would have downloaded something else for free (legal or otherwise). He doesn't want to use gimp or any one of the other free tools available that are capable of resizing images because he's heard of photoshop, knows its expensive and considers anything with a pricetag of 0 to be inferior (and no, he has never even tried to use gimp or any other free programs because he thinks they're shit).
The same is true of a lot of other commercial software, and it's why vendors often turn a blind eye to piracy, especially by individuals, because a pirate copy is still more profitable for them (increases mindshare, one less customer/user for a competitor) than users migrating to something else.
As for the "marginal cost of media etc" comment... In any other market (eg hardware) margins start off very fat to pay for the initial development costs (the early adopters tax) and then plummet as the product ages and competition kicks up, such that margins tend to be extremely thin on most hardware products.
Software seems to stay in the "screw the early adopters" phase, with extremely high margins relative to the production costs. Hopefully in a few years the market will mature, and software vendors won't be able to continue screwing their customers like this.
When that happens, piracy will decrease massively too, you only get copied merchandise in markets where goods are being sold with ridiculous and unrealistic margins... In any other market, you may pay a small premium for a brand but that small premium is not worth the risk of producing counterfeit goods.
That's why you get counterfeit prada, but you don't get counterfeit walmart clothes...
The important fact, is that windows includes service ports listening by default, which expose a LOT of functionality, and which do not provide any function which is useful to the average desktop user.
If a user makes a conscious decision to install something that listens on the network then that's one thing, the user knows it's there and has made a decision to use it.
The average windows user is probably completely unaware that their system is offering SMB and MSRPC services (among others) to the world.
Services should NOT be present by default, especially on workstation systems. The user should make a conscious decision to enable a service *IF* they want to be running that service.
And in terms of shutting all the ports and blocking them, yes, thats all fine and good until you need to do some work, or use a computer for what it was designed for.
I'm specifically not advocating blocking ports, i'm advocating not having anything open by default, so that anything the user turns on they have done intentionally (ie when they need to do some work as you put it).
This has the other side benefit of creating a diverse culture, since not everyone will run the same things.
Depends on capacity required, once you have more than a few discs worth of data, shipping a single HD actually becomes cheaper and more convenient, especially if you use 2.5" drives.