The Exploit only works from the same subnet (As it relies on DHCP)
Last I heard, DHCP requests were BROADCAST....to the BROADCAST address. Subnet shmubnet.....if your card BROADCASTS a DHCP request, any computer physically connected (or wirelessly, in this case) can respond.
Have you considered the possibility that an attacker may not be interested in any of the data you have on your computer. Instead, he or she may just root it, leave a back door and come back later to use your box as a launch platform for a DOS? Who's liable then?.....you. What if the person places child pornography on your computer and joins it to a P2P network?
I think there is a common mis-conception out there about the intentions of crackers. You don't have to have valuable data on your computer to have valuable computer resources.
Since he posted a workaround and explained the problem in enough detail to allow users to protect themselves, I don't think he was being irresponsible at all.
Also, the vendor has been fully aware of this problem (as noted in his advisory) for quite some time and has had several security updates since then. Ample opportunity to fix the problem.
That's a pretty lame way to get your point across. The university just doesn't want to get stuck in the middle of a legal battle over this. Which makes perfect sense to me......their main focus (by main focus, I mean, where their finances should go) should be educating people, not fighting legal battles.
Co-locating your servers at an established datacenter will give you (assuming you choose your vendor carefully) a datacenter that is far nicer than you ever could have built yourself. They will have had experts design a good HVAC system and redundant networks to boot.
It sounds like a bit more research may have been in order before diving into this project. Your power requirement estimations seem WAY off to me. We generally have at least 2 20 amp circuits feeding each rack. The power coming to each rack is coming straight off of Liebert UPS systems. If you have just regular old AC power coming to each rack then you need to size your UPS appropriately as well. Having two smaller UPS's will make you happier than one beefy UPS in the long run. If one small one fails, you can hopefully at least limp along until you can fix and/or replace the faulty UPS. And running your UPS at 90% is bad as well. What if you have a power outage long enough to deplete your battery? Then, when power comes back on and all of the systems plugged into your UPS try to boot up at once, you'll spike the power to levels higher than your UPS will be willing to provide.
As far as cooling goes, having raised floors with A/C ducts underneath gives you the ability to shoot cool air up from the bottom, rather than trying to push the hot air down from the top. So, if your A/C unit pulls hot air from above, cools it and pushes it back down below to begin the cycle again, you'll find that your machines will run a lot cooler. Having cooling dedicated to each rack helps a lot too.
Re: your nice wiring job
It may look nice but if all of your machines burn up and/or are under-powered then what's the point? Priorities man, priorities.
Bottom line: I'd spend a bit of your $15K on some professional consultation before going any further. This is a pretty small data center, but if you want it to last and be somewhat scaleable, you should start out on the right foot.
How on earth did this get moderated as flamebait?! This little bit of humor made reading the article and the ensuing barrage of pissed off (deservedly pissed albeit) slashdotters all worth while.
Seems like a pretty lame set of tests and results for this to actually get published. Would it have been *that* much more trouble to at least run a couple of the openly-available and easy-to-find disk benchmarking suites against both disks??
Sheesh....come on moderators....you can do better than this.
Having both in your network gives you more depth of security if you ask me. If your entire email infrastructure is based on a single piece of software and that software becomes vulnerable for some reason or another....at least you've partially mitigated your exposure. Having different MTA's for relaying and end-delivery is just a good 'defense in depth' strategy in general.
1) Our software is skinnable -- yes
2) our email is filled with HTML -- umm, no.....just the crap advertisements
3) our cases glow with colorful lights -- yes, the more the better
In my ideal world, each server would have one, and only one, purpose. That way if a piece of software is compromised in such a way that remote access is granted, the damage is somewhat contained.
Also, from a maintenance perspective having single purpose machines make life a lot easier....especially if they are redundant single-purpose boxen.
But, sometime reality has to set in and some service consolidation may have to occur to keep hardware costs down.
We use a commercial customer service product from RightNow Technologies. (www.rightnow.com) People can email in requests or fill out a request using a web based form. For hallway conversations, I just ask the person to send me an incident using the product. That way all requests are documented.
We should all just embrace our geekiness and start wearing the geek equivalent of the comabat assault vest. Plenty of pockets, all within easy reach.:)
One of my colleagues came up with the following the other day:
If you put your email address in a table with the border set to '0' cell-padding and cell-spacing also set to '0', then it will still be readable by humans. But, the code to create the table will obfuscate the address enough that it won't be harvestable.
I realize that stuff has improved in the year since I've seriously looked at it, but I'm doubtful it's reached the level of Oracle or SQL Server.
You should look again. MySQL, for example, has full transaction support with InnoDB table types.....AND it's pretty damn fast.
Watch 404 messages from websites for telling clues - mysql always fails before apache.
I'm sorry, but that doesn't seem like a very accurate way of measuring database reliability. One of the cool (and sometimes harmful) things about open databases is that there is no entry fee...meaning anybody and their brother can set up a MySQL server. This means that the number of ill-managed MySQL servers out there probably out-numbers Oracle or SQL Server installations (which, typically, have a somewhat knowledgeable admin behind them) by 10 to 1. A MySQL database managed by somebody who knows what they are doing will go head to head with Oracle or SQL Server installations which are also managed by someone who knows what they are doing.
ACID enforcement isn't there
Actually ACID compliance is getting pretty darn good in databases like MySQL. Care to elaborate about what ACID compliance issues you have?
Don't be an OSS idealogue in the business world, you end up unemployed.
Actually, in our flailing economy 'OSS idealogues' as you call them are making a lot of head-way. OSS now has a viable alternative to *just about* any commercial enterprise software out there.
We've been evaluating the Emic application cluster for MySQL and have had pretty good results. It's a new product (so YMMV), but it looks promising. Emic Networks
There were several hundred thousand computers compromised by blaster last month. Did they forget this statistic, or are they having steaks on uncle Billy tonight?
Slashdot Mirror
The Exploit only works from the same subnet (As it relies on DHCP)
Last I heard, DHCP requests were BROADCAST....to the BROADCAST address. Subnet shmubnet.....if your card BROADCASTS a DHCP request, any computer physically connected (or wirelessly, in this case) can respond.
Have you considered the possibility that an attacker may not be interested in any of the data you have on your computer. Instead, he or she may just root it, leave a back door and come back later to use your box as a launch platform for a DOS? Who's liable then?.....you. What if the person places child pornography on your computer and joins it to a P2P network?
I think there is a common mis-conception out there about the intentions of crackers. You don't have to have valuable data on your computer to have valuable computer resources.
Since he posted a workaround and explained the problem in enough detail to allow users to protect themselves, I don't think he was being irresponsible at all.
Also, the vendor has been fully aware of this problem (as noted in his advisory) for quite some time and has had several security updates since then. Ample opportunity to fix the problem.
...that ought to put an end to this kinda crap.
Obviously you haven't seen the Matrix......sheesh
At my local airport I've seen the BSOD on both the 'arriving flights' screen AND the the 'departing flights' screen.
That's a pretty lame way to get your point across. The university just doesn't want to get stuck in the middle of a legal battle over this. Which makes perfect sense to me......their main focus (by main focus, I mean, where their finances should go) should be educating people, not fighting legal battles.
I'm gonna be in the middle of nowhere in Montana camping this weekend. Hopefully I can get some cool northern lights pictures.
I think these robots are supposed to be lovers not fighters, eh?
Baahh....then what good are they? :)
how would it fair over here?
I see no flame throwers or hydraulic crushing devices.
Co-locating your servers at an established datacenter will give you (assuming you choose your vendor carefully) a datacenter that is far nicer than you ever could have built yourself. They will have had experts design a good HVAC system and redundant networks to boot.
It sounds like a bit more research may have been in order before diving into this project. Your power requirement estimations seem WAY off to me. We generally have at least 2 20 amp circuits feeding each rack. The power coming to each rack is coming straight off of Liebert UPS systems. If you have just regular old AC power coming to each rack then you need to size your UPS appropriately as well. Having two smaller UPS's will make you happier than one beefy UPS in the long run. If one small one fails, you can hopefully at least limp along until you can fix and/or replace the faulty UPS. And running your UPS at 90% is bad as well. What if you have a power outage long enough to deplete your battery? Then, when power comes back on and all of the systems plugged into your UPS try to boot up at once, you'll spike the power to levels higher than your UPS will be willing to provide.
As far as cooling goes, having raised floors with A/C ducts underneath gives you the ability to shoot cool air up from the bottom, rather than trying to push the hot air down from the top. So, if your A/C unit pulls hot air from above, cools it and pushes it back down below to begin the cycle again, you'll find that your machines will run a lot cooler. Having cooling dedicated to each rack helps a lot too.
Re: your nice wiring job
It may look nice but if all of your machines burn up and/or are under-powered then what's the point? Priorities man, priorities.
Bottom line: I'd spend a bit of your $15K on some professional consultation before going any further. This is a pretty small data center, but if you want it to last and be somewhat scaleable, you should start out on the right foot.
How on earth did this get moderated as flamebait?! This little bit of humor made reading the article and the ensuing barrage of pissed off (deservedly pissed albeit) slashdotters all worth while.
Seems like a pretty lame set of tests and results for this to actually get published. Would it have been *that* much more trouble to at least run a couple of the openly-available and easy-to-find disk benchmarking suites against both disks??
Sheesh....come on moderators....you can do better than this.
Having both in your network gives you more depth of security if you ask me. If your entire email infrastructure is based on a single piece of software and that software becomes vulnerable for some reason or another....at least you've partially mitigated your exposure. Having different MTA's for relaying and end-delivery is just a good 'defense in depth' strategy in general.
My $.02
1) Our software is skinnable -- yes
2) our email is filled with HTML -- umm, no.....just the crap advertisements
3) our cases glow with colorful lights -- yes, the more the better
In my ideal world, each server would have one, and only one, purpose. That way if a piece of software is compromised in such a way that remote access is granted, the damage is somewhat contained.
Also, from a maintenance perspective having single purpose machines make life a lot easier....especially if they are redundant single-purpose boxen.
But, sometime reality has to set in and some service consolidation may have to occur to keep hardware costs down.
We use a commercial customer service product from RightNow Technologies. (www.rightnow.com) People can email in requests or fill out a request using a web based form. For hallway conversations, I just ask the person to send me an incident using the product. That way all requests are documented.
We should all just embrace our geekiness and start wearing the geek equivalent of the comabat assault vest. Plenty of pockets, all within easy reach. :)
One of my colleagues came up with the following the other day:
If you put your email address in a table with the border set to '0' cell-padding and cell-spacing also set to '0', then it will still be readable by humans. But, the code to create the table will obfuscate the address enough that it won't be harvestable.
I realize that stuff has improved in the year since I've seriously looked at it, but I'm doubtful it's reached the level of Oracle or SQL Server.
You should look again. MySQL, for example, has full transaction support with InnoDB table types.....AND it's pretty damn fast.
Watch 404 messages from websites for telling clues - mysql always fails before apache.
I'm sorry, but that doesn't seem like a very accurate way of measuring database reliability. One of the cool (and sometimes harmful) things about open databases is that there is no entry fee...meaning anybody and their brother can set up a MySQL server. This means that the number of ill-managed MySQL servers out there probably out-numbers Oracle or SQL Server installations (which, typically, have a somewhat knowledgeable admin behind them) by 10 to 1. A MySQL database managed by somebody who knows what they are doing will go head to head with Oracle or SQL Server installations which are also managed by someone who knows what they are doing.
ACID enforcement isn't there
Actually ACID compliance is getting pretty darn good in databases like MySQL. Care to elaborate about what ACID compliance issues you have?
Don't be an OSS idealogue in the business world, you end up unemployed.
Actually, in our flailing economy 'OSS idealogues' as you call them are making a lot of head-way. OSS now has a viable alternative to *just about* any commercial enterprise software out there.
We've been evaluating the Emic application cluster for MySQL and have had pretty good results. It's a new product (so YMMV), but it looks promising.
Emic Networks
Ummm....I think that would be VOIP (Voice OVER IP) over IP over PPP.
There were several hundred thousand computers compromised by blaster last month. Did they forget this statistic, or are they having steaks on uncle Billy tonight?
(sarcasm)Well, we're still using the space shuttle after some ungodly amount of time.....why not bring back Apollo too!(/sarcasm)