He did not disclose it; the person who disclosed the vulnerability did so in a public space for development discussion on charybdis. Once it was out in the open, we quickly jumped into action to start mitigating it across all fronts including EFnet. The ratbox developers were notified at least an hour before the exploit was unleashed, with a patch to deploy and everything, so really we did everything we could possibly do to mitigate the possibility of fallout.
Once people started running the exploit on EFnet servers, there was not much we could do, other than get the ratbox devs and admins regrouped elsewhere to coordinate getting things patched. I would say that things mostly went down as well as could be expected given the situation...
The problem isn't performance as much as it is accessibility. Almost every UNIX system has a C/C++ toolchain installed, not so much with Lisp, Java or C#. Also, C and C++ are generally the lowest common denominator for contributors. Almost everyone knows a little bit about C, not so many people know about Lisp (which is a travesty in and of itself, but not my problem).
MUC is extremely inefficient though. There is no multicast notion in XMPP, so MUC works around this by sending duplicate messages to each user directly.
EFnet does not provide NickServ or ChanServ, which is a common criticism of the network. Due to not providing centralized authentication or channel ownership services, the other aspects of the modern IRC protocol mostly do not apply.
This was a NULL-pointer exception, not a buffer issue. But I do agree that it makes more sense to invest in building IRCd software which is written in string-safe and pointer-safe languages. Mozilla's Rust language, for example, looks promising for use in IRCd. The main thing is that we need a language which provides scalable data structures, as servicing IRC messages involves many data lookups.
However, it is easier for most people hacking on IRCd to just pick up a 2.8-derivative.
There has been a lot of work in this area with a few projects now... Microsoft's IRCX, then IRCNEXT, IRCPLUS and now atheme.org's IRCv3. IRCv3 is becoming the de facto standard at this point, supplanting the traditional IRC protocol, as almost all vendors that are noteworthy have adopted support for revision 3.1 of the protocol already.
Both Atheme and Anope can be interacted with via RPC from scripts allowing for web integrations. Also, there are immersive web clients which provide a lot of useful metadata to clients.
As for SoftLayer, their goal is quite simply to generate more sales channels. That's why most of the big DCs tolerate reselling and even encourage it. Like I said, the business model works to a certain point but then totally breaks down as the risk gets higher.
Bandwidth isn't something you can just oversell without consequence; if you have a massive overage from people actually using what they are paying for then you are probably out of business.
See, I think what happened here is that 100tb had a massive overage and found out that SimpleCDN was one of their big players and they are frantically trying to get the big guys off their bandwidth pool so that they can hedge against the overage while already having SimpleCDN's money. This would fit into my projections for the original business model of 10tb.com before they became 100tb. At least with 10tb there was some sign of it being at least somewhat realistic; with 100tb there is no way.
Or... let's think of it this way:
Say you buy a server from 100TB for $201.95/mo (baseline server with 100TB bandwidth). This works out to being ~303mbps 95% on a typical burst pattern (and likely much higher for streaming traffic!). The server probably costs $100/mo just to run, leaving $101.95 for bandwidth (in this example we're not making any profit mind you!).
This means that your ~303mbps 95% breaks down to $0.33/mbps.
Not even BANDCON can hit that price point and they go really, really low.
This business model does not make sense to me. There is very high risk and I see no way that they can hedge against overages if everyone actually opens up and uses all of their 100tb allotment. Maybe they are paying by GB instead of mbps but that makes no sense because then SoftLayer would be holding the bill and frankly I don't think they are that stupid.
So no, it's not possible to make up profit through volume on this when you keep in mind the risk you are hedging. It's just too much of a gamble for any sane business operator to even consider.
UK2 also confirmed to us many times that their business model fully supports 100TBs of transfer, and SimpleCDN has been utilizing these servers for many months now without problem.
Why didn't you look at their business model directly? What you were getting would cost at least 5 times more directly from SoftLayer...
You know, posting followups on every site where this is being discussed makes you look like less of a victim...
I would like to hear what ditlev has to say about this, as the numbers behind 100TB never made any sense to me as a business model... how can they make any money selling for $10000 what SoftLayer directly charges $50000 for?
Hurricane Electric sucks and is down more than you think. I used to colocate there, and it was a total disaster. HE is a provider which does not have a reliable UPS system (although they tout pictures of car batteries on their web site); in fact their ATS failed (caught fire, I have been told) last year on two different occasions... which led us to leave.
I would suggest looking into a different provider if you are using HE for anything.
Hi! I used to be freenode staff, and I figured I would comment on this.
You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.
The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom, you're opered up.
That is what the issue is: the o:lines are insecurely masked. Nothing more.
HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing? Quite simply, nobody except the people behind this knows.
Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.
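An added audit example, written here and not the commenter's, freenode's or any ircd's own code: it scans constructed ratbox/charybdis-style operator blocks (block syntax assumed for illustration) and flags oper masks like the `levin@*` described above, whose host part is a pure wildcard and so leaves the password as the only real control.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample config in ratbox/charybdis operator-block style (syntax
# assumed for illustration; passwords are placeholders, not real hashes).
SAMPLE_CONF = """
operator "levin" {
    user = "levin@*";
    password = "PLACEHOLDER_HASH";
};
operator "anyone" {
    user = "*@*";
    password = "PLACEHOLDER_HASH";
};
operator "alice" {
    user = "alice@*.example.net";
    user = "alice@192.0.2.10";
    password = "PLACEHOLDER_HASH";
};
"""

OPER_BLOCK = re.compile(r'operator\s+"([^"]+)"\s*\{(.*?)\};', re.S)
USER_LINE = re.compile(r'user\s*=\s*"([^"]+)"')


@dataclass
class Finding:
    oper: str
    mask: str
    reason: str


def is_open_pattern(part: str) -> bool:
    """True when a user or host pattern is nothing but wildcards, i.e. it
    constrains nothing (the '*' in 'levin@*' from the comment above)."""
    return part.strip("*?") == ""


def audit_oper_masks(conf: str) -> List[Finding]:
    """Flag operator masks whose host part matches every client, so the only
    thing standing between a sniffed password and oper access is the
    (trivially chosen) ident/username."""
    findings: List[Finding] = []
    for oper, body in OPER_BLOCK.findall(conf):
        for mask in USER_LINE.findall(body):
            user, sep, host = mask.partition("@")
            if not sep:
                findings.append(Finding(oper, mask, "mask is not in user@host form"))
            elif is_open_pattern(host):
                who = ("any client" if is_open_pattern(user)
                       else f"any client presenting username {user!r}")
                findings.append(Finding(
                    oper, mask,
                    f"host pattern {host!r} is a pure wildcard; {who} who knows "
                    "the password can oper up"))
    return findings


if __name__ == "__main__":
    for f in audit_oper_masks(SAMPLE_CONF):
        print(f"[{f.oper}] {f.mask}: {f.reason}")
```

Pinning each oper to specific hosts, as the `alice` block does, does not stop a sniffer on the same segment, but it does mean a captured password alone no longer suffices.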
I liked the philosophy behind no buttons, it made the game unique. People grumble too much about it, when they should realize that in the end it probably did not impact their experience as much as they thought it did.
At first, I thought mouse gestures in a game were stupid, now they're everywhere, even available in Mozilla.
WebObjects, originally being a NeXT product, ran under Windows NT4/IIS with the OPENSTEP Enterprise framework. Therefore, WebObjects has the ability to talk to a MSSQL server.
You do not need windows to play games. You may need windows to play games designed to run on Windows though. But if you're dumping windows, you no longer have a need for those games.
That's why Cedega exists, right? Surely there are people out there who keep them in business. Probably all those Linux-using CS1.6 players.
Linux, as it exists today, is a philosophical choice. I'm not supporting Redmond or any of the companies that butter their bread using that damnable product.
Please point out what "philosophy" Linux states, besides hating Microsoft? If you're looking for the UNIX philosophy, you need to be using real UNIX, i.e. 4.3BSD-derived systems such as FreeBSD. I'm very interested in hearing about what, if any, positive philosophies Linux provides, as the userbase seems to reflect a mantra of endless hatred towards the Microsoft Corporation (which may or may not be appropriate; irrelevant).
Also, please do not bother replying if your primary intent is to be zealous; there's just no point.
It's not Linux that's good in servers, it's unix. Unix has always been used for servers. Linux is merely the latest version of unix. If Linux wasn't around servers would run on other variants of unix like they did in the past and still do today.
No. Linux is a POSIX-compliant OS, it does not use any AT&T Unix code (BSD, 32V etc), and therefore is not the 'latest version of unix'.
Sadly, Linux's biggest strength is that it implements ideas from other OSes very well. It just implements them a few years after everyone else. KDE and GNOME look a lot like very pretty versions of Windows 98.
Really? That's why Linux has implemented things that other OS software do not have, such as microcode loading for Intel/AMD (x86) CPUs, right? Right! Yep, that was such an idea taken from another OS!
The whole Windows on a Dos kernel and X Windows on Linux kernel is a great example.
No. You see, XWindows is:
Older than linux.
Not a 16/32-bit 80386 protected mode application running on top of 8-bit MS-DOS 6.
Therefore, that comparison is just silly.
Another example would be how Open Office is slowly implementing everything that MS Office does.
Ok, first of all: OpenOffice is doing no such thing! They are implementing commonly-needed office tasks. They are responding to demand, not responding to whatever fantasy need you may think there is to "clone Microsoft products".
I can make a list of programs that run on Windows and programs that reimplement them on Linux all night.
Great! I'm sure I can too! rm -rf / (Windows equivalent: rd c:/s/q/y)
To make Linux really cool, someone needs to create something for Linux that everyone needs but doesn't exist on Windows or the Mac. I'd do it but I'm on Slashdot waiting for the booze to kick in instead of coding ;) If someone comes up with anything I'd be willing to help...
I'm glad to see you think that. Have I mentioned that Linux is a kernel? Ok. Let's compare kernel features and see if we can't come up with some differences between Mach (OS X) and Linux and NT and Linux!
Linux supports edge-trigger event polling (epoll). Does Mac or Windows? No! (The closest Mach gets is kqueue support.)
Linux supports CPU microcode updating.
In other words, quit being a hype-lemming on crack.
PSYC suffers the same issue as MUC.
You do not know what you are talking about. The actual bug was disclosed in the IRC channel for charybdis. There was no "bug report."
They have a bandwidth pooling agreement.
Except they don't. Because it's impossible.
"Our 121 expert-approved articles are reliable and of world-class quality, rivaling the best printed encyclopedias."
Wow, 121 whole articles! Amazing!
Except it also attacks the http daemons on several models.
That analysis is old.
And, it only targets DD-WRT/OpenWRT/Tomato routers configured in the way described in the article.
Actually, the worm also exploits some vulnerabilities in the HTTP servers in some of these models.
They could be denied by contract to stay out of the Linux market for up to 24 months. That buys Microsoft time. Therefore they win for a while.
One last thing -- XWindows is older than Microsoft Windows, itself.
Erm, no. The claims were not true. You can tell by the way that it was written.