In that respect, any unix is more attractive including bsd. But your right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code. You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
Scanning for weak passwords does not indicate a vulnerability in the OS... SSH is the standard for remote administration of unix servers and networking equipment, the mere fact people are scanning for weak passwords shows they don't have many useable exploits these days. If they could scan for something that would give a quick root, they would. Brute forcing is time consuming, and often only yields nonroot accounts.
I would greatly prefer if patches DIDNT include any new features. They should only fix the vulnerability in question, and nothing else. Adding new features brings potentially new vulnerabilities, and could cause other problems which may delay or stop people deploying the patch.
If you get rooted, the only sane thing to do is a complete format and reinstall, since you can never be sure what malware will be hidden on the system.
There are sound business reasons for using ipv6 if you think long term, in the short term it's only a cost.
IPv6 will be required sooner or later, when it is there will be huge demand for it.
These days IPv6 knowledge isn't a selling point, when it comes into demand staff with ipv6 experience will become far more expensive as many companies scramble to get onto it (as happened with v4 a few years back).
When ipv6 adoption happens, there will still be a lag before everyone gets connected to it, getting in there early gives you a head start.
IPv6 offers many advantages over v4, not just the increased address space but it also fixes some flaws from v4, integrates some things as standard which were optional extensions to v4, and because of the increased address space there is far less work necessary to allocate and keep track of ip allocations. With v4 there is a lot of work to keep subnets as small as possible, so as not to run out of addresses.
I witnessed a kid in my class being given a detention, for "trying to break the school computers". He was using keyboard shortcuts, instead of going through the slow laborious way the teacher had shown the class.
Well, there are few short term benefits but plenty of long term ones. These agencies don't care about long term, since their budgets are done on a yearly basis. That's where the problem lies.
You dont need to "switch" per se, you can use v4 and v6 at the same time easily.
It's a chicken and egg situation, organisations don't switch because other organisations/individuals they deal with haven't either. On the other hand, if you enable v6 now you get a step ahead. Eventually the v4 addresses will run out, and people will have no alternative but to start using v6. Those of us who already use v6 will be good to go by then, and already have the kinks ironed out of our setups.
Script kiddies have been using IPv6 for years... Just look at Efnet or IRCnet, lots of kiddies using ipv6 there. From their perspective, larger number of IPs freely available means easier vanity hosts for ircing from, and it makes it a little harder for other kiddies to dos them offline.
Very few ISPs offer IPv6, and those that do often don't advertise it because most of the customers wouldn't even understand what it was.
The ISP i use offers native IPv6 over any connection you can get from them (dsl, dialup, leased line, colo, iptransit etc)... But getting a DSL router that actually supports v6 was a pain, i had to buy a pricey cisco in the end.
// If you wanted a Starbucks coffee, and it was one street down, and someone told you you had to go through the in-between building, climb up and down its twenty flights of stairs// just to get to the next street for you coffee, and you knew you could just walk around the building on the sidewalk, what would you do? Now, if the building were only two stories// high, and the block to walk around were 600 ft each side, it might be a different choice.
I don't know, what is the weather like? What's the crime rate in the area?
As a test tho, login to a fast box hosted somewhere, and run a syn flooding tool against your home box over the cheap consumer level router. Flood yourself with small packets, and see how many of them actually make it past the router to hit your box.
I managed to receive about 300k of small packets, on an 8mb dsl connection. When hit with small packets, 300k is all the router could manage. The box flooding me was generating more than 8mb of packets, and needless to say my connection was completely crippled by the flood. But it does mean that i could have killed the router by sending 400k of packets, far less than the connection itself should be able to handle.
The grandparent post mentioned moving parts, many decent switches have fans while cheap small ones don't... Tho this is for quite the opposite reason, fans will keep the device cooler and increase its life. If the fans fail, your just in the same boat as a cheaper switch.
Those cheaper switches often have no protection against connecting two of their ports together with a crossover cable either, that can cause utter chaos.
A lot of supposedly higher end kit falls over well below it's rated capacity too... Try synflooding across 100mb interfaces on a 7200vxr, a lot of cisco kit is based on the same pci-bus design as a pc but with a slower cpu. The NIC will generate an interrupt on the bus for each packet, lots of small packets will saturate the pci bus and take the device down wether it's a cisco 7200 or a pc with 2 nics. You can improve the situation by using 64bit pci, pcie, pci-x etc but the problem remains it's just got a higher threshold. The layer 3 switches on the other hand, use a very different architecture and can easily handle this level of traffic.
Cisco make a lot of devices which are linux based... Their current version of call manager runs on linux Their old IDS boxes ran on linux The current series of ASA boxes run on linux And a lot more too i would imagine.
It might be fun to show fake interest in worthless domain names... If you can make these squatters think your interested in some pointless domain, they're more likely to hold on to it for longer and try to sell it back to you for an extortionate rate. So we find some worthless domains, offer well below what they want, and when their counter offer comes in just say you'l wait for it to expire... Get them to renew the worthless domains for a few more years.
They actually just switched one of the frontend information systems to windows, this system is called "infolect" and is used to display/distribute the current prices. The backend trading systems run on something else, probably mainframes tho i'm not entirely sure.
They could at least be in the same ballpark as other browsers... And should definitely be required to fix bugs (bugs defined where behaviour differs from the published standard) for free and within a reasonable time frame. Perhaps make them implement any standard feature which is implemented by at least 2 other browsers.
If the windows gui layer can't initialise, the system won't boot at all. It has no command line based recovery options available so it will just hang and often with no indication of what happened.
I have a Cisco a/b/g card, Ubuntu detected it out of the box and connected to my WPA2 network without issues... The trouble with most consumer level wireless cards is that the chipsets keep being changed without updating the model number of the card. Cisco cards always have the same chipset...
If the GUI layer of modern windows fails, the entire system won't boot because it no longer has any non gui interaction.. (the boot to command prompt option still uses the gui, as does the supposed gui-less 2008 beta which just loads a command prompt window inside of a graphical environment with the window manager but no explorer). I'm sure many people have encountered windows systems which failed to boot, some of those problems could be the gui layer failing completely.
If the GUI of OSX fails, you get dropped to a commandline shell, i have had this happen to me when the videocard in my G4 wasn't seated properly, also OSX will not try to run the gui if it doesn't detect a videocard (like in a server).
What linux does need, is a "recovery mode", where it loads a minimal X using vesa or generic vga drivers and lets you reconfigure it properly (this is exactly what windows does with safe mode).
Indeed, any OS that's designed for the hardware it's running on is trivial to install like that... Windows does it with vendor supplied restore cd's... Solaris does it on sparc hardware IRIX did it on sgi hardware Amigaos did it Ultrix was one of the easiest os's i ever installed, asked me for like 1 confirmation and then got on with it.
I've used linux for even longer than that... However, I first bought an x86 machine specifically for linux (was using amiga, sun, sgi and mac before that), so i looked at what hardware was best supported by linux, and specifically went for that. I had an early pci based 486 dx2/66, s3 trio64 video, soundblaster awe32, 3com 3c509 nic, and it all worked fine on redhat 4.x, the installer picked up everything but the sound and the sound config program picked that up immediately... i also found that simply loading the sd module would get the card working too, since it was on the default soundblaster irq/dma/etc.
Coming from amiga/sun/sgi/mac hardware, where the software was built specifically for the hardware, i was always used to things just working as they should out of the box.
The problem is that... Intel produced the ACPI specs, and people implemented those specs into linux/bsd/etc even before there was much ACPI supporting hardware... Microsoft implemented ACPI too, but not quite according to the specs... Hardware manufacturers follow microsoft's implementation, and use microsoft's dsdt compiler etc, instead of the standard intel one. And ofcourse the specs aren't published for the broken microsoft implementation. End result is that ACPI works fairly poorly almost everywhere. If you have a laptop that still supports APM suspend on linux usually works pretty well (i always used apm suspend on my older thinkpads), modern windows no longer supports apm at all (and amusing things happen if you install ibm's apm suspend drivers on xp).
In that respect, any unix is more attractive including bsd.
But your right, many old school hackers will exclusively target unix machines because they are simply more useful from their perspective. People typically only target windows machines to run a particular program (their bot) which has a fixed set of built in capabilities. Gaining access to a shell gives someone far more scope, and makes it much easier to deploy new malicious code.
You will rarely get an attacker interactively connecting to a hacked windows system to do something, but this is common with compromised unix systems. When a windows box is compromised, it's typically by an automated process which will install a bot and move on to the next host. Automated attacks are less common on unix, partly also because of the increased diversity of unix systems.
Scanning for weak passwords does not indicate a vulnerability in the OS...
SSH is the standard for remote administration of unix servers and networking equipment, the mere fact people are scanning for weak passwords shows they don't have many useable exploits these days. If they could scan for something that would give a quick root, they would. Brute forcing is time consuming, and often only yields nonroot accounts.
I would greatly prefer if patches DIDNT include any new features.
They should only fix the vulnerability in question, and nothing else. Adding new features brings potentially new vulnerabilities, and could cause other problems which may delay or stop people deploying the patch.
If you get rooted, the only sane thing to do is a complete format and reinstall, since you can never be sure what malware will be hidden on the system.
There are sound business reasons for using ipv6 if you think long term, in the short term it's only a cost.
IPv6 will be required sooner or later, when it is there will be huge demand for it.
These days IPv6 knowledge isn't a selling point, when it comes into demand staff with ipv6 experience will become far more expensive as many companies scramble to get onto it (as happened with v4 a few years back).
When ipv6 adoption happens, there will still be a lag before everyone gets connected to it, getting in there early gives you a head start.
IPv6 offers many advantages over v4, not just the increased address space but it also fixes some flaws from v4, integrates some things as standard which were optional extensions to v4, and because of the increased address space there is far less work necessary to allocate and keep track of ip allocations. With v4 there is a lot of work to keep subnets as small as possible, so as not to run out of addresses.
I witnessed a kid in my class being given a detention, for "trying to break the school computers".
He was using keyboard shortcuts, instead of going through the slow laborious way the teacher had shown the class.
Well, there are few short term benefits but plenty of long term ones.
These agencies don't care about long term, since their budgets are done on a yearly basis. That's where the problem lies.
You dont need to "switch" per se, you can use v4 and v6 at the same time easily.
It's a chicken and egg situation, organisations don't switch because other organisations/individuals they deal with haven't either.
On the other hand, if you enable v6 now you get a step ahead. Eventually the v4 addresses will run out, and people will have no alternative but to start using v6. Those of us who already use v6 will be good to go by then, and already have the kinks ironed out of our setups.
Script kiddies have been using IPv6 for years...
Just look at Efnet or IRCnet, lots of kiddies using ipv6 there.
From their perspective, larger number of IPs freely available means easier vanity hosts for ircing from, and it makes it a little harder for other kiddies to dos them offline.
Very few ISPs offer IPv6, and those that do often don't advertise it because most of the customers wouldn't even understand what it was.
The ISP i use offers native IPv6 over any connection you can get from them (dsl, dialup, leased line, colo, iptransit etc)... But getting a DSL router that actually supports v6 was a pain, i had to buy a pricey cisco in the end.
// If you wanted a Starbucks coffee, and it was one street down, and someone told you you had to go through the in-between building, climb up and down its twenty flights of stairs // just to get to the next street for you coffee, and you knew you could just walk around the building on the sidewalk, what would you do? Now, if the building were only two stories // high, and the block to walk around were 600 ft each side, it might be a different choice.
I don't know, what is the weather like? What's the crime rate in the area?
So do my linux and macos based laptops..
As a test tho, login to a fast box hosted somewhere, and run a syn flooding tool against your home box over the cheap consumer level router. Flood yourself with small packets, and see how many of them actually make it past the router to hit your box.
I managed to receive about 300k of small packets, on an 8mb dsl connection. When hit with small packets, 300k is all the router could manage. The box flooding me was generating more than 8mb of packets, and needless to say my connection was completely crippled by the flood. But it does mean that i could have killed the router by sending 400k of packets, far less than the connection itself should be able to handle.
The grandparent post mentioned moving parts, many decent switches have fans while cheap small ones don't... Tho this is for quite the opposite reason, fans will keep the device cooler and increase its life. If the fans fail, your just in the same boat as a cheaper switch.
Those cheaper switches often have no protection against connecting two of their ports together with a crossover cable either, that can cause utter chaos.
A lot of supposedly higher end kit falls over well below it's rated capacity too...
Try synflooding across 100mb interfaces on a 7200vxr, a lot of cisco kit is based on the same pci-bus design as a pc but with a slower cpu. The NIC will generate an interrupt on the bus for each packet, lots of small packets will saturate the pci bus and take the device down wether it's a cisco 7200 or a pc with 2 nics.
You can improve the situation by using 64bit pci, pcie, pci-x etc but the problem remains it's just got a higher threshold.
The layer 3 switches on the other hand, use a very different architecture and can easily handle this level of traffic.
Cisco make a lot of devices which are linux based...
Their current version of call manager runs on linux
Their old IDS boxes ran on linux
The current series of ASA boxes run on linux
And a lot more too i would imagine.
It might be fun to show fake interest in worthless domain names...
If you can make these squatters think your interested in some pointless domain, they're more likely to hold on to it for longer and try to sell it back to you for an extortionate rate.
So we find some worthless domains, offer well below what they want, and when their counter offer comes in just say you'l wait for it to expire... Get them to renew the worthless domains for a few more years.
They actually just switched one of the frontend information systems to windows, this system is called "infolect" and is used to display/distribute the current prices.
The backend trading systems run on something else, probably mainframes tho i'm not entirely sure.
And interestingly, infolect had an outage fairly recently, while the trading system remained up:
http://business.timesonline.co.uk/tol/business/markets/article2828050.ece
Your right, it's more soviet than communism... The USSR was only communist by name. What you describe is actually closer to fascism.
They could at least be in the same ballpark as other browsers...
And should definitely be required to fix bugs (bugs defined where behaviour differs from the published standard) for free and within a reasonable time frame.
Perhaps make them implement any standard feature which is implemented by at least 2 other browsers.
If the windows gui layer can't initialise, the system won't boot at all. It has no command line based recovery options available so it will just hang and often with no indication of what happened.
I have a Cisco a/b/g card, Ubuntu detected it out of the box and connected to my WPA2 network without issues...
The trouble with most consumer level wireless cards is that the chipsets keep being changed without updating the model number of the card. Cisco cards always have the same chipset...
If the GUI layer of modern windows fails, the entire system won't boot because it no longer has any non gui interaction.. (the boot to command prompt option still uses the gui, as does the supposed gui-less 2008 beta which just loads a command prompt window inside of a graphical environment with the window manager but no explorer). I'm sure many people have encountered windows systems which failed to boot, some of those problems could be the gui layer failing completely.
If the GUI of OSX fails, you get dropped to a commandline shell, i have had this happen to me when the videocard in my G4 wasn't seated properly, also OSX will not try to run the gui if it doesn't detect a videocard (like in a server).
What linux does need, is a "recovery mode", where it loads a minimal X using vesa or generic vga drivers and lets you reconfigure it properly (this is exactly what windows does with safe mode).
Indeed, any OS that's designed for the hardware it's running on is trivial to install like that...
Windows does it with vendor supplied restore cd's...
Solaris does it on sparc hardware
IRIX did it on sgi hardware
Amigaos did it
Ultrix was one of the easiest os's i ever installed, asked me for like 1 confirmation and then got on with it.
I've used linux for even longer than that...
However, I first bought an x86 machine specifically for linux (was using amiga, sun, sgi and mac before that), so i looked at what hardware was best supported by linux, and specifically went for that.
I had an early pci based 486 dx2/66, s3 trio64 video, soundblaster awe32, 3com 3c509 nic, and it all worked fine on redhat 4.x, the installer picked up everything but the sound and the sound config program picked that up immediately... i also found that simply loading the sd module would get the card working too, since it was on the default soundblaster irq/dma/etc.
Coming from amiga/sun/sgi/mac hardware, where the software was built specifically for the hardware, i was always used to things just working as they should out of the box.
The problem is that...
Intel produced the ACPI specs, and people implemented those specs into linux/bsd/etc even before there was much ACPI supporting hardware...
Microsoft implemented ACPI too, but not quite according to the specs...
Hardware manufacturers follow microsoft's implementation, and use microsoft's dsdt compiler etc, instead of the standard intel one. And ofcourse the specs aren't published for the broken microsoft implementation.
End result is that ACPI works fairly poorly almost everywhere. If you have a laptop that still supports APM suspend on linux usually works pretty well (i always used apm suspend on my older thinkpads), modern windows no longer supports apm at all (and amusing things happen if you install ibm's apm suspend drivers on xp).