I spent 4 years at University and didn't even have a PC until the last couple of months, in spite of doing a CS degree. I remember long evenings spent on campus in front of an INDY exercising the SuperJANET link heading South.
Back in early '93 I looked at going to St. Andrews (SE Scotland) and they'd just built a new hall right next to the CS building. Apparently 10-BaseT was going into all the rooms. It seemed kind of weird back then: "Can I grab my FidoNET echomail without running up a huge phone bill?"
And now we have AOL eating the world, and you can buy rubber dogshit online from the comfort of your armchair. It's great to be working in the spearhead of progress...
I didn't realise that 'nothing is foolproof' was the point I was making. Reading it again, though, I suppose it was -- at least in part.
Actually, though, I was fascinated by thinking about potential active, practical security implications. At least in one respect of one particular example given in the original article.
Seems quite strange when put in a broader context, that (to torture it all out a bit) it's amazing that computers on the Web last as long as they do. They typically have 'doctors' (sysadmins) on hand keeping an eye on them, but they don't have their own immune systems. From which it follows pretty reasonably that they're either 'immunised' (set up and patched properly) or tend to get thoroughly compromised as soon as someone finds a hole.
A topic for another time: This is (generally) about developing software immune systems. How long before corresponding software pathogens and other marauders are developed that meander about the Web of their own volition looking for victims? Beyond the current implementation of viruses, how quickly do we expect a proper, unattended software arms race to creep out across the Web?
Is there not still an attack against this? You generate strings by concatenating the source IP, destination IP, and destination port (that's me saying 'IP', it only says 'address' in the article and they may mean something more complex). If randomly generated 'detectors' have more than ~25% contiguous content in common with a passing packet, the detector is ditched, as the traffic is adjudged to be of a routine nature. Then a detector sits there for two days, in which time it's still ditched if it matches something. After that long, you've probably had enough routine traffic to rule out it being a spurious detector that's going to give out a lot of false positives. So now it gets another five days to see if it matches against any other traffic, which will sound the alarm. If it makes it through five days without doing that, it gets ditched because it's probably esoteric. If it does trigger, it gets kept for good.
But if you have a rough idea what's on the network you're trying to attack, and what hosts are on there, you may well have a good idea of roughly what kind of traffic is going about. If you know what hosts are there and have an idea of what traffic is (probably) there, then why not just bury a false ID somewhere in your packet?
You could attempt to forge an ID from knowledge of the network, and fool the alarm mechanism by effectively masquerading as normal traffic. This is probably preventable by looking at exactly where the ID occurs in the packet and deciding if that's where it should be.
Beyond that, though, what's to stop you quietly trickling a normal-looking flow of do-nothing packets through the network to a given port on a given host? Then when a detector is generated, it'll trigger on your harmless packets and get ditched. Then one day you make your packets do something nefarious, and they get overlooked, something like 'friendly fire'.
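The detector lifecycle discussed in the comment above, as an added example (not code from the article or from the commenter): it shows, from the defender's side, how anything present during the tolerisation window leaves a blind spot in the mature detector set. The 32-bit encoding (last octet of each address plus the port), the 8-bit matching threshold, the sample flows and all function names are assumptions made for this sketch.

```python
import random

R = 8  # contiguous matching bits required: 25% of the 32-bit string (assumed)

def encode(src, dst, port):
    """Constructed encoding: last octet of src, last octet of dst, 16-bit port."""
    return f"{src:08b}{dst:08b}{port:016b}"

def r_match(detector, packet, r=R):
    """True if the two strings agree on r contiguous bits at the same offset."""
    run = 0
    for a, b in zip(detector, packet):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def tolerise(candidates, observed):
    """Tolerisation window (two days in the comment above): drop any candidate
    that matches traffic seen in that window, since it is presumed routine."""
    seen = [encode(*flow) for flow in observed]
    return [d for d in candidates if not any(r_match(d, s) for s in seen)]

def alarms(detectors, flow):
    """Number of mature detectors that would fire on this flow."""
    s = encode(*flow)
    return sum(r_match(d, s) for d in detectors)

def random_candidates(n, seed=1):
    """Randomly generated candidate detectors (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(32):032b}" for _ in range(n)]

# Constructed sample traffic: (src octet, dst octet, dst port).
ROUTINE = [(5, 20, 80), (6, 20, 443), (5, 21, 25)]
PROBE = (99, 20, 8080)  # a flow that routine operation never produces

def compare(n=3000):
    """Alarm counts for PROBE after clean training vs. training that saw PROBE."""
    pool = random_candidates(n)
    clean = tolerise(pool, ROUTINE)               # window held only routine traffic
    primed = tolerise(pool, ROUTINE + [PROBE])    # same flow was already present
    return alarms(clean, PROBE), alarms(primed, PROBE)

if __name__ == "__main__":
    clean_hits, primed_hits = compare()
    print(f"detectors firing on {PROBE}: clean={clean_hits}, primed={primed_hits}")
```

The second count is zero by construction: every detector that could have fired on the flow was discarded as matching routine traffic, so the content of later packets on that flow is never examined by this mechanism.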
I have to look on this as a Good Thing, iff it turns out to be what it should be.
There are so many companies out there selling snake-oil security 'solutions' (monoalphabetic encryption anyone?) that people are putting their faith in because they don't know any better, and don't have the time to learn. Plus, when a company the size of Microsoft says 'Oh don't you worry about that, it'd never *really* happen' all too many people will take them at face value.
It's good to have people with some real cracking mileage under their feet doing this because it adds credibility to what they're saying. It doesn't matter if you like them or not, you'll sit up and take notice if the folk who wrote l0phtcrack put their hands up and say "it doesn't look right" when talking about the security of a given product. They've demonstrated that they know what they're talking about, and demonstrated that "that probably doesn't matter" is no way to regard security issues.
One of these days, we may even manage to convince the commercial side of the business that security is a fundamental, and that a robust security facility must inform every other aspect of installing and managing systems, especially on the Internet. But hell, it's easier just us techies aren't doing our jobs properly when someone gets cracked...
(not that I'm talking from sore experience or anything:)
They sacrificed a good deal more than Coventry, and went to extraordinary lengths to keep the Germans from becoming aware of exploited weaknesses in their encryption methods.
But that's an issue of strategy and ethics, not technology. You're really asking whether it's ever proper to sacrifice something (or someone) now for some supposed benefit in the future.
ZDNet has a licensing agreement with MSNBC, under which MSNBC publishes ZDNet stories in its technology section (when relevant). As far as I know, it goes both ways, so ZDNet will sometimes publish MSNBC copy. In case nobody noticed the MSNBC logo on the ZDNet site...
Yahoo! is valued at something like $60bn, and most of the other never-make-money Internet companies are similarly expensive on paper.
Alta Vista is just another one on the heap, and arguably has a good chance of surviving the inevitable portal shake-out, because it's not a bad search engine. So it ought to fetch a reasonable price.
A lot of people thought Compaq might sell AV for a couple of reasons: it might be worth a (ridiculously) large sum of money, and it doesn't fit well into anything else Compaq does. Compaq is hardly a successful direct-seller, and it's been having a pretty tough time swallowing Digital as it is, what with integrating two lots-of-people organisations.
Selling off Alta Vista looks like an obvious move. The question is, who'll buy it? I start the bidding at 'bloody AOL'...
There's a key point that Bob Metcalfe, and many others, are missing here: age is not a relevant metric when measuring usefulness.
BM says that Linux is doomed, in part, because it is based on 60s technology. He assumes that the reason Linux popularity has mushroomed is because of some kind of techno nostalgia trip. You could argue that preferences for particular technologies are somewhat cyclic (dumb terminal -> PC -> Network computer (etc.) ->...) but isn't a good model for Linux.
Linux is popular for several reasons. But the technological reason for its popularity (as always) is that it *works*, fulfilling a requirement. Ten years ago PCs weren't typically hanging off a network, and certainly no 'average' users had their home PCs hooked up to the Internet.
So far fewer people were interested in networks. Nowadays, just about everyone has some kind of network connection, just about every company has a leased line (of some sort) and everyone and his dog a Web site. So suddenly people need robust, reasonably secure, network-aware OSs. Options include NT, various flavours of Unix, and so on. What better place to start than with a free Unix-like OS? Linux has excellent networking features, and you can build a Web site arguably as good as any other with a distribution downloaded from the Web for free, or bought at minimal cost.
Web sites are just one example. Linux excels in several areas that are in demand; mostly to do with networking. It was designed from the ground up to run in a networked environment -- imagine an OS that didn't have TCP/IP support nowadays?
That's an example of something Linux is good at. It was always ready to be good at it, and now people need it to be. It's for these reasons that it's become popular.
But just because it's technically competent and has a loyal userbase, Linux isn't future proof. If it's not useful to enough people to maintain momentum, or something vastly better comes along, it'll get chucked on the scrapheap with everything else. That is what progress is all about, after all.
Slightly off topic point... That review reads like a pasting. You're essentially saying that the book is convoluted, abstruse and deeply flawed. Yet it gets 6/10. Doesn't anybody ever use the bottom half of the scoreboard?
I'm guessing that under UK law such a disclaimer wouldn't protect the ISP. You might be able to word it so the ISP can go after the original poster (assuming it was posted via that same ISP) to recover any damages they are forced to pay out. But the ISP still counts as 'publisher', so it's liable for what gets 'published' via its systems. The UK isn't very hot on signing away responsibilities on things. Disclaimers often have no actual legal standing, and are just used (when it gets to the courts) to demonstrate intent.
I could well be wildly off the ball with this one, but in the dim and distant past (when MD was released) I remember someone asking Sony how much computer data would go on an MD. They said 100 Mb.
But then that was years ago...
I think you mean George McFly, old chap.
There's a broken link (to IDT) in the standfirst
if (thing == mine) {
print "This is fantastic\n";
}
else {
print "Horseshit. Total horseshit. And yo mama is a who' \n";
}
Ask any eight year-old, they'll tell you.