Only we old folks use Usenet these days - after all, we have fewer days ahead of us than these young "l337" whippersnappers and can't hang about while BitTorrent downloads a 1GB movie file at 2bytes/week...
1. A Microsoft robot may not injure a human being or, through inaction, allow a human being to come to harm. However, if that human being's computer is running Linux, the robot may pass a large magnet over the hard drive in that human's computer. If that human then subsequently objects to the robot doing that, the robot may then throw a chair at the human and run around the room in circles with his shiny head bobbing up and down on a big spring shouting "Developers" over and over again.
2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law. Note that the "First Law" referred to here is not the one listed above but the "First Law" in the book "Making Lots Of Money For Microsoft For Dummies". So, for example, should the human request the robot to re-install Windows XP on his computer, the robot may steal the human's credit card and go down to the local computer store to buy him a nice shiny copy of Windows Vista instead... and Office 2007... and a Zune player... Microsoft Laser Mouse... etc.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law. Or until Microsoft change this law by some additional small print in an EULA nobody ever bothers to read...
Because when the moment has come that you need to upgrade, it's not unlikely that you won't be upgrading to the next kernel version but instead will be skipping several versions. And that can have quite a big impact since Linux isn't known to be backwards compatible like, for example, Windows, Solaris and some BSDs are.
I don't wish to be rude but I think you're getting a little confused here.
The kernel is all about hardware abstraction from the operating system - backwards compatibility is all about having the right OS libraries in place in the right locations. With Windows, most of that is about having the right dlls in place to be able to run an older application on a newer Windows environment; with Linux, you either have static binaries with the required libraries built in or you compile your source against the libraries you already have in your Linux OS.
Sure, in the case of hardware drivers, those that are external to the kernel need to be compiled against the correct kernel header versions and that's an operation that can sometimes be fraught with problems.
The only reason you'd ever need to replace the kernel is for better hardware support or for specific features built into the kernel like firewalling, SMBFS, NFS, etc.
I for one am very sceptical about the current development cycles where new code makes it into the same kernel tree which is also deemed stable.
I'm not sure I understand why you see this as a problem? If you're looking at a production server environment, there's probably no need to run the very latest kernel - sure, if you're a desktop user trying to get the latest hardware to work under Linux, especially USB-based stuff, then you're probably upgrading to the kernels quite regularly.
The only thing I'm saying is that while this current development model may be good for Linux, it simply isn't good at all when looking at this from an admin's point of view. What about kernel modules which basically stop working after you upgrade the kernel?
But isn't this precisely the reason why a lot of organisations run both test/development environments and production environments? This is no different than testing a Windows update in a test environment before rolling it out into production - all part of the daily job of a sysadmin anyway! :-)
Actually, his point is well made because Slashdot is already infested with far too many fanboys who seem to forget that Apple is out to make just as much money as Microsoft wants to.
And the sooner these fashion followers/brand junkies start making informed decisions about what to spend their money on then the better it will be for the rest of us - because then these corporations need to start creating good, value for money products rather than something with a pretty logo on it.
And as for your post, sitting there in your anonymous little dark cupboard ready to just throw abuse at anyone who posts something you don't personally like (perhaps you're a fanboy yourself?) is trollish behaviour if ever I saw it.
PS2: Neither do I look for admiration in the web, precisely on Slashdot, e-peen size doesn't matter I've heard.
But you've just contradicted yourself - you say you don't look for admiration on the web but in your initial comment you bragged about having the ability to update your illegal copy of Windows, like it is something to be proud of?
Sorry, but simply living in a Third World country does not justify piracy - it's the same the world over, if you don't like the price of something then DON'T buy it or use it, it's that simple; if lots of people do that, then MS has to listen and drop their prices.
I'm mostly a Linux user myself and even in the UK where I am, I personally do not believe MS products are worth the money based on the level of control they take of your PCs - so I just don't use the stuff, beyond what is supplied to me by my work and the single OEM copy of XP I have on one of my machines.
There is no such thing as being "forced" to use anything - very few people require the in-depth functionality of MS Office, for example, and for 90% of people, OpenOffice does more than what they need. The same is true for most other FOSS software, the real reason is that most people are just too damned lazy to have the strength of their convictions and do something about it.
Agreed - but they're running an embedded Linux, meaning that they don't have much in the way of command shells; you can't drop trojan horses or bad scripts on them...
I'm not a *BSD user but is this any different to what the Linux kernel does with iptables & netfilter?
I am genuinely interested because I've deployed Linux boxes (successfully) as firewalls in a few SOHO environments - but if BSD does an even better job of it then I'll definitely need to go take a look at it.
In response to some of the comments in this topic, a lot of the people on here need to be aware of the fact that OS security is a *process*, not a *goal*. Whether you run Windows, Linux, FreeBSD or whatever, it is very dangerous to assume that just because you have the latest updates installed alongside the latest virus checker, that you are "secure" and can just then sit back and relax.
The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.
Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.
Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.
I've never used that mechanism in XP so I don't know whether or not it would restrict outgoing connections also? After all, you will need to connect to a web server somewhere to download the updates...
Besides, this is about adding a good *additional* layer of security in a NAT router. Without one, your PC owns the Internet IP address meaning that it's directly exposed to the Internet - with a NAT router, the router has that IP address meaning that your PC only gets stuff that the router allows through.
PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.
Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that, but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.
The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.
It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.
So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched it.
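As an added example that is not from the original post, here is a toy model of the NAT behaviour described above: outbound packets get the router's Internet address, replies are matched against a translation table and mapped back to the right PC, and unsolicited inbound connections are dropped unless a forwarding rule has been explicitly configured. The addresses are constructed from the RFC 5737 documentation ranges and the table is a simplification (no timeouts, single WAN address).

```python
# Toy NAT router modelling the behaviour described in the post above.
# Constructed example, not code from the original post; addresses come from
# the RFC 5737 documentation ranges and the flow table is a simplification
# of what real routers keep (no timeouts, one WAN address).
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three private ranges listed in the post (RFC 1918).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# (private ip, private port, remote ip, remote port)
Flow = Tuple[str, int, str, int]


class NatRouter:
    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self._next_port = 40000
        self.by_wan_port: Dict[int, Flow] = {}   # translation table
        self.by_flow: Dict[Flow, int] = {}
        # Port forwarding rules: wan_port -> (private ip, private port).
        # Empty by default, exactly as the post describes.
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source address with the WAN
        address and remember the flow so the reply can be mapped back."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address")
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.by_flow.get(flow)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self.by_flow[flow] = wan_port
            self.by_wan_port[wan_port] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver replies to tracked flows and explicitly
        forwarded ports; anything else is unsolicited and dropped (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        flow = self.by_wan_port.get(pkt.dst_port)
        if flow is not None and (flow[2], flow[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1], pkt.payload)
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.payload)
        return None


def demo() -> dict:
    """Walk through the three cases from the post and report what reached the LAN."""
    router = NatRouter("203.0.113.7")            # router's Internet-side address
    # 1. A LAN PC fetches a web page; the reply is mapped back to it.
    out = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80, "GET /"))
    reply = router.inbound(Packet("198.51.100.20", 80, router.wan_ip, out.src_port, "200 OK"))
    # 2. An unsolicited connection attempt from the Internet has no table entry.
    probe = router.inbound(Packet("198.51.100.99", 4444, router.wan_ip, 80, "SYN"))
    # 3. Only after the owner adds a forwarding rule does the same probe reach a LAN host.
    router.forwards[80] = ("192.168.1.10", 80)
    forwarded = router.inbound(Packet("198.51.100.99", 4444, router.wan_ip, 80, "SYN"))
    return {
        "outbound_src": (out.src_ip, out.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_dropped": probe is None,
        "forwarded_dst": (forwarded.dst_ip, forwarded.dst_port) if forwarded else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```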
No. But have you nmap'd a Windows install lately from the Internet side of a NAT router, Hawking?
I'm afraid you'd need to have mapped those ports through to the private network on the router first before you saw anything - and in my post I did quite clearly state usage of a NAT router...
Today at work a customer showed me the IP the PC had gotten from the DHCP. It was public. I had to tell the person to look for the word NAT in the Router. Had to write it down for her, and tell her to call if she doesn't find it.
But if it was a public (=valid) IP address then it probably just wouldn't work, or not make a great deal of difference, depending on what the NAT router did. If the NAT router treated it like a private IP address and put the WAN (Internet) IP in the header in its place, then I don't see there would be any difference in functionality; if it left the public IP in place, then it just wouldn't work because a router somewhere along the way would just route it to the *real* network where that public IP actually is.
Someone correct me if I'm wrong, BTW. I'm a LAN and OS man, not a Cisco or router guru.
> These are not SF FUD stories. There are a lot of people who:
> - don't know shit about security
> - don't know shit about patching
> - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
> - use computer to Just Work With it - as a tool - you know
I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to setup - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.
And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)
> And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not
> something your mom or dad (I assume) can do with their computers.
I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)
> MS made some stupid decisions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them
> use 5 year old computers since they tend to work for them.
Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.
> I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.
It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.
Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.
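The log pattern the poster describes (scripted attempts pounding an Internet-facing sshd with common account names) is what a simple detection pass over the auth log looks for. As an added example that is not from the original post, the code below parses constructed sshd lines in the OpenSSH syslog format and separates a source spraying many usernames from a legitimate user mistyping a password; the sample lines and thresholds are constructed for illustration.

```python
# Detection over sshd syslog lines: constructed example, not code from the
# original post. The log sample below is made up (RFC 5737 addresses), and
# the thresholds are illustrative defaults.
import re
from typing import Dict, List, Set, Tuple

# Constructed sshd log sample in the OpenSSH syslog format.
SAMPLE_LOG = """\
Mar  3 02:14:01 gw sshd[4312]: Failed password for invalid user admin from 198.51.100.23 port 51822 ssh2
Mar  3 02:14:03 gw sshd[4314]: Failed password for invalid user test from 198.51.100.23 port 51830 ssh2
Mar  3 02:14:05 gw sshd[4316]: Failed password for root from 198.51.100.23 port 51841 ssh2
Mar  3 02:14:06 gw sshd[4318]: Failed password for invalid user oracle from 198.51.100.23 port 51850 ssh2
Mar  3 02:14:08 gw sshd[4320]: Failed password for invalid user guest from 198.51.100.23 port 51859 ssh2
Mar  3 02:20:44 gw sshd[4402]: Failed password for alice from 192.168.1.25 port 40112 ssh2
Mar  3 02:20:51 gw sshd[4402]: Accepted publickey for alice from 192.168.1.25 port 40112 ssh2
Mar  3 02:31:17 gw sshd[4510]: Failed password for invalid user pi from 203.0.113.88 port 60001 ssh2
Mar  3 02:31:19 gw sshd[4512]: Failed password for invalid user ubnt from 203.0.113.88 port 60003 ssh2
"""

# "invalid user" appears when the account does not exist at all; both forms
# are failed logins and are counted here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class SourceStats:
    """Failed-login tally for one source address."""

    def __init__(self) -> None:
        self.failures = 0
        self.users: Set[str] = set()


def summarise_failures(log_text: str) -> Dict[str, SourceStats]:
    """Group failed password attempts by source IP, recording the usernames tried."""
    per_ip: Dict[str, SourceStats] = {}
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match is None:
            continue  # accepted logins and unrelated lines are ignored
        stats = per_ip.setdefault(match["ip"], SourceStats())
        stats.failures += 1
        stats.users.add(match["user"])
    return per_ip


def flag_sources(log_text: str, min_failures: int = 3,
                 min_users: int = 3) -> List[Tuple[str, int, int]]:
    """Return (ip, failures, distinct_users) for sources that fail repeatedly
    across several account names, which is the scripted pattern rather than
    one person mistyping their own password."""
    flagged = []
    for ip, stats in summarise_failures(log_text).items():
        if stats.failures >= min_failures and len(stats.users) >= min_users:
            flagged.append((ip, stats.failures, len(stats.users)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ip, failures, users in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {failures} failures across {users} usernames")
```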
If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!
As a Linux user myself (Gentoo), I must say that you started to sound like you knew what you were talking about - until you made the above comment...
The whole point of a "$25 router" is that it separates valid Internet IP addresses from the reserved addresses normally used on a private LAN. When you take one of those things out of the box and switch it on with its default config, there is absolutely *NO WAY* anyone on the Internet can connect into *ANY* PC on your private LAN, whether or not those PCs run Linux or Windows. Where damage *CAN* occur is when you connect out from the private LAN to the Internet to a web or mail server and allow something in as a result. Yes, that's generally something attached to an email or script that can damage a Windows PC - but you're treading on *VERY DANGEROUS* ground if you believe that you do not need one of these boxes to protect a Linux PC.
Yep, if you're ultra-confident with Linux and know *EXACTLY* which services to leave turned off and how to securely configure the services that you leave on, then you'll probably be okay - but the first lesson anyone learns about security is that you take a *LAYERED APPROACH* to it and deploy any security measures first that are "cheap and easy" (like one of these boxes), and then harden your PCs subsequently.
Believe me, I know. Five years ago, I opened up a Linux server to the Internet (behind a NAT router) and stupidly left an FTP server running on it. Within days, someone had buffer overflowed the FTP daemon, stuck an eggdrop script on my server and had it attacking IRC users on another ISP - I only found out because my ISP kicked me off my service and wouldn't let me on again until I'd proven in pages and pages of logs that I wasn't launching those attacks.
Please don't get complacent about security - take my advice.
I guess they think you are a complete and total hypocrite, just like I do.
If you're not prepared to pay for their software then you shouldn't be using it, simple. And you would probably be admired more if you had the courage and strength of conviction to go spend the time learning to use an alternative OS in order to make a much clearer statement to Microsoft that you're not prepared to pay the money they ask for their products.
Any fool can download a pirated Windows CD from the Internet, it takes initiative to go learn and legally use an alternative OS.
Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...
On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that come in from emails, documents & web pages, but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.
No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...
Um, right. On the other hand, in the real world, when I tell people I work at MS, they think it's pretty damn cool. Good lord, this write-up was stupid.
About four years ago I was looking for another job and sent my CV off to a number of job agencies. After registering with them, I used to get a follow up call from some of them asking for more information and to name some companies that I would and would not like to work for.
Don't get me wrong, I'm under no illusions here - being a Linux/UNIX sysadmin/programmer type person, I doubt Microsoft would be interested in employing me particularly anyway but I told the various agents that I wouldn't want to work for Microsoft (there is a big Microsoft HQ in my old home town).
What was amusing was that just about every agent said back in response "A lot of people say that, funnily enough".
The point I'm trying to make is that I think there are a lot of people out there who aren't just motivated by salaries and who do care who they offer their services and skills to - although I always try to do the best job possible, I take the attitude that any company only hires me because I can potentially make them a lot more money than they pay out to employ me and that I am doing them as much of a favour by offering my skills as they do me by paying me a good salary.
Your points are well made but you seem to have forgotten the power of clever marketing - for example, BluRay and/or HD-DVD where the merits of "increased disc capacities" and "high resolution video" are frequently touted but the DRM lock-in is not mentioned in all those glossy magazine adverts.
DRM is not going to go away that easily because far too many big corporations stand to make too much money from it - Microsoft (and others) for licensing the DRM algorithms and Sony/BMG/Warner/etc. for being able to force the consumer to re-buy all their music and video; even better for them, just have us all "rent" the stuff.
If anyone can see any benefit for the consumer in DRM, then I am willing to listen to the pro-DRM argument - but the fact is that whilst I don't personally believe in downloading music or videos free-of-charge, it has not actually been proven yet that piracy has any direct impact on sales of music and films. All piracy has done is given the producers and retailers their justifications for raising the prices even higher ("because the piracy made us do it") meaning that as an honest consumer, who just wants to format change the stuff I own, I have to put up with anti-piracy adverts (that I cannot fast-forward through) and copy protection on media that I am expected to pay even more for. I guess, in one sense, the movie and CD companies have scored their victory on me because they've made me hate the pirates as much as I hate the MPAA/RIAA/Sony/etc.
But the real "fact" here is that people have always bought music and movies to "share" with others - whether it's sitting on a couch with a few friends watching a movie or lending someone a CD, it's just considered "fair use" of those products in using them that way and DRM impinges on that usage to the point where honest consumers are also affected. Sure, it could be argued that sharing MP3s with someone 5,000 miles away is not "fair use" but then that's down to the technology of the Internet that allows that to happen.
Personally, I believe people will pay money for products of high enough quality that are at a reasonable enough price - but the fact is that most movies and music are manufactured as "throwaway" fashion accessories rather than art to be cherished for long periods of time.
DRM is an easy way out for the movie and music companies - the harder way out would be for them to actually take the time to produce good quality products.
I'm not a direct supporter of the death penalty purely because I don't believe our legal system is capable of proving with 100% accuracy the innocence or guilt of any individual and that there is always a risk of an innocent person being put to death.
However, with that said, if someone cannot be rehabilitated or is a proven re-offender for serious crimes like murder, rape or abuse of a child, then I see no point in keeping them locked up forever at our expense.
Additionally, the whole paedophile issue is totally overblown anyway. Sure, paedophiles exist and when they're caught then impose the stiffest possible penalties on them - but the fact is that there are simply *NOT* hordes of them cyberstalking children on the Internet. Yep, there's a few weird people out there but kids are a lot more at risk from bullying by their peers, whether on the streets or on the Internet, than they are from paedophiles.
We have a legal system that is supposed to punish criminals to a point where they can be rehabilitated into the community when they have served a long enough sentence - this is no different whether they have stolen a car, burgled a house, murdered someone or committed an indecent act with a minor. If convicted paedophiles are released back into the community only to re-offend, then it is the legal and rehabilitation systems that need to be changed; this is no different to when a convicted burglar starts breaking into houses again.
"Sex offenders registers" do absolutely nothing apart from giving small-minded people someone to feel superior over and to justify their behaviour as banner-wielding thugs - you only need to look at these people in news reports to see that they are probably not the sort of people who should be reproducing in the first place.
Sure, have the legal authorities monitor rehabilitated criminals but let them get on with doing that - for the rest of us, it really is none of our business what those who have "paid" for their crimes have done in their pasts.
the whole DRM issue is just something Linux users bleat on about.
I agree with your points about DRM dying out within a few years (and good riddance to it) but I took offence at your above comment.
I use Linux far more than I use Windows - but not because I'm some "hippie activist" which is what you seem to be implying. Sure, I don't want DRM infesting any PC I own and I like to know what's running on my PC; but I'm also a technical support guy on a number of Linux-based products, any programming I do is with shell scripts, Perl and a little C and I like tinkering with PCs. But at the same time, the last few Linux and scripting courses I ran at my place of work were done around Powerpoint presentations and I'm a pretty avid PC gamer, so I also use Windows.
I thought it important to clarify the above because most people I know who use Linux are not *just* making a political statement - there are genuine practical reasons for doing so also; and if someone like yourself uses Windows or a Mac then good luck to you.
But please stop with the snide comments - there are too many Linux zealots on Slashdot but also too many people trying to turn Linux into a political statement...
So when "Copypod" can no longer archive your music collection because your collection is totally DRMed, I guess it will be the fault of the Linux users then also?
Anyway, I hope you've got good muscles in your legs - having sold your ass to some big corporation somewhere, you're not going to be sitting down any time in the near future...
1. Low quality product - the stuff that's played on mainstream radio stations and music video TV channels is recycled rubbish. Very few current popular artists write their own songs anymore, they're just there to look good miming on a video while record company backroom songwriters churn out endless, mindless, formulaic tunes. The *real* artists are either those who have spent many years making records without selling their asses to Sony or BMG, or the lesser known artists signed to independent labels or selling their own recordings. Sorry, but there are only so many "R 'n' B" or "emo" punk bands anyone can take, let alone a fashion-following teenager.
2. DRM - the good thing here is that, in my opinion, "Joe Bloke" is starting to get the message about the evils of DRM; we have Sony's big f*ck up to thank for that. People have traditionally "shared" their music and movies with friends & whilst I do not in any way support illegal downloads, lending CDs and DVDs to friends is something people have always done. Anything the media companies do to restrict that activity will fail.
3. Price - check out online retailers, even the music section of the local supermarket & you'll find CDs that you can buy cheaper than downloading all of the tracks from iTunes. Like HMV & Virgin, iTunes has got away for far too long selling overpriced products, all three of them are now suffering as a result - and good riddance to bad rubbish.
Any day. Don't think for a minute that since Sony got nailed that this crap is off the plate.
I think you are somewhat overstating the point when it comes to protected CDs - yes, the Sony debacle was pure stupidity on their part, but the fact is that protected CDs are still very much in the minority; I buy *a lot* of CDs and very few of them are actually protected.
Besides, I have not yet found one CD that I have been unable to rip to MP3 in whatever format I choose - ExactAudioCopy within Windows and cdparanoia in Linux both seem to happily ignore any protection on any CDs I throw at them.
Only we old folks use Usenet these days - after all, we have fewer days ahead of us than these young "l337" whippersnappers and can't hang about while BitTorrent downloads a 1GB movie file at 2bytes/week...
2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law. Note that the "First Law" referred to here is not the one listed above but the "First Law" in the book "Making Lots Of Money For Microsoft For Dummies". So, for example, should the human request the robot to re-install Windows XP on his computer, the robot may steal the human's credit card and go down to the local computer store to buy him a nice shiny copy of Windows Vista instead... and Office 2007... and a Zune player... Microsoft Laser Mouse... etc.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law. Or until Microsoft change this law by some additional small print in an EULA nobody ever bothers to read...
I don't wish to be rude but I think you're getting a little confused here.
The kernel is all about hardware abstraction from the operating system - backwards compatibility is all about having the right OS libraries in place in the right locations. With Windows, most of that is about having the right dlls in place to be able to run an older application on a newer Windows environment; with Linux, you either have static binaries with the required libraries built in or you compile your source against the libraries you already have in your Linux OS.
Sure, in the case of hardware drivers, then those that are external to the kernel need to compiled against the correct kernel header versions and that's an operation that can be sometimes fraught with problems.
The only reason you'd ever need to replace the kernel is for better hardware support or for specific features built into the kernel like firewalling, SMBFS, NFS, etc.
I'm not sure I understand why you see this as a problem? If you're looking at a production server environment, there's probably no need to run the very latest kernel - sure, if you're a desktop user trying to get the latest hardware to work under Linux, especially USB-based stuff, then you're probably upgrading to the kernels quite regularly.
The only thing I'm saying is that while this current development model maybe good for Linux it simply isn't good at all when looking at this from an admins point of view. What about kernel modules which basicly stop working after you upgraded the kernel?
But isn't this precisely the reason why a lot of organisations run both test/development environments and production environments? This is no different than testing a Windows update in a test environment before rolling it out into production - all part of the daily job of a sysadmin anyway! :-)
And the sooner these fashion followers/brand junkies start making informed decisions about what to spend their money on then the better it will be for the rest of us - because then these corporations need to start creating good, value for money products rather than something with a pretty logo on it.
And as for your post, sitting there in your anonymous little dark cupboard ready to just throw abuse at anyone who posts something you don't personally like (perhaps you're a fanboy yourself?) is trollish behaviour if ever I saw it.
But you've just contradicted yourself - you say you don't look for admiration on the web but in your initial comment you bragged about having the ability to update your illegal copy of Windows, like it is something to be proud of?
Sorry, but simply living in a Third World country does not justify piracy - it's the same the world over, if you don't like the price of something then DON'T buy it or use it, it's that simple; if lots of people do that, then MS has to listen and drop their prices.
I'm mostly a Linux user myself and even in the UK where I am, I personally do not believe MS products are worth the money based on the level of control they take of your PCs - so I just don't use the stuff, beyond what is supplied to me by my work and the single OEM copy of XP I have on one of my machines.
There is no such thing as being "forced" to use anything - very few people require the in-depth functionality of MS Office, for example, and for 90% of people, OpenOffice does more than what they need. The same is true for most other FOSS software, the real reason is that most people are just too damned lazy to have the strength of their convictions and do something about it.
Agreed - but they're running an embedded Linux meaning that they don't have much in the way of command shells, you can't drop trojan horse or bad scripts on them...
I am genuinely interested because I've deployed Linux boxes (successfully) as firewalls in a few SOHO environments - but if BSD does an even better job of it then I'll definitely need to go take a look at it.
The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.
Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.
Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.
Besides, this is about adding a good *additional* layer of security in a NAT router. Without one, your PC owns the Internet IP address meaning that it's directly exposed to the Internet - with a NAT router, the router has that IP address meaning that your PC only gets stuff that the router allows through.
Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.
The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.
It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.
So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.
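The NAT behaviour described in the post above, as an added illustration that is not part of the original comment: private source addresses are rewritten to the WAN address on the way out, replies are mapped back by the learned table entry, unsolicited inbound packets and anything carrying an RFC 1918 address are dropped, and only an explicit port-forward entry exposes a LAN host. The WAN and server addresses (203.0.113.x, 198.51.100.x) are constructed documentation-range values, and the translation table is deliberately simplified (keyed on WAN port only).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# RFC 1918 ranges: no router on the public Internet will forward these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def internet_router_forwards(pkt: Packet) -> bool:
    """An upstream router drops any packet with a private source or destination."""
    return not (is_private(pkt.src_ip) or is_private(pkt.dst_ip))

class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}     # wan_port -> (private_ip, private_port), learned from outbound traffic
        self.forwards = {}  # wan_port -> (private_ip, private_port), manual port-forward config

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: swap the private source address for the WAN address."""
        inside = (pkt.src_ip, pkt.src_port)
        for wan_port, mapped in self.table.items():
            if mapped == inside:
                break
        else:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.table[wan_port] = inside
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: only a reply to an outbound flow, or a manually
        forwarded port, is rewritten and passed in; anything else is dropped (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        inside = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def port_forward(self, wan_port: int, private_ip: str, private_port: int):
        """The opt-in step the post mentions: expose one LAN service on purpose."""
        self.forwards[wan_port] = (private_ip, private_port)
```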
I'm afraid you'd need to have mapped those ports through to the private network on the router first before you saw anything - and in my post I did quite clearly state usage of a NAT router...
But if it was a public (=valid) IP address then it probably just wouldn't work, or not make a great deal of difference, depending on what the NAT router did. If the NAT router treated it like a private IP address and put the WAN (Internet) IP in the header in its place, then I don't see there would be any difference in functionality; if it left the public IP in place, then it just wouldn't work because a router somewhere along the way would just route it to the *real* network where that public IP actually is.
Someone correct me if I'm wrong, BTW. I'm a LAN and OS man, not a Cisco or router guru.
I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to set up - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.
And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)
> And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.
I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)
> MS made some stupid decisions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.
Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.
> I can surely install an old version of a Linux distribution or OSX and not get infected in 10 minutes after connecting to an untrusted network.
It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.
Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.
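The kind of scripted access attempts the poster describes in his SSH logs, with detection logic added here as an example that is not from the original comment: the log lines are constructed in OpenSSH/syslog style (hostname, PIDs and addresses are made up), and the rule flags a source that racks up repeated failures while cycling through common account names, which is exactly the pattern that disabling well-known accounts, using strong passwords and restricting the service to known hosts is meant to blunt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style sshd writes to the auth log (not real data).
SAMPLE_LOG = """\
Mar  3 02:11:01 box sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  3 02:11:03 box sshd[2313]: Failed password for invalid user test from 198.51.100.23 port 51130 ssh2
Mar  3 02:11:05 box sshd[2315]: Failed password for root from 198.51.100.23 port 51141 ssh2
Mar  3 02:11:07 box sshd[2317]: Failed password for invalid user oracle from 198.51.100.23 port 51150 ssh2
Mar  3 02:11:09 box sshd[2319]: Failed password for invalid user guest from 198.51.100.23 port 51160 ssh2
Mar  3 02:15:40 box sshd[2402]: Failed password for alice from 192.168.1.12 port 40100 ssh2
Mar  3 02:15:44 box sshd[2402]: Accepted password for alice from 192.168.1.12 port 40100 ssh2
"""

# "invalid user" appears when the account does not exist at all; either way we
# want the username tried and the source address.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")

def failed_attempts(log_text: str):
    """Return a list of (username, source_ip) for every failed login line."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts.append(m.groups())
    return attempts

def brute_force_sources(log_text: str, threshold: int = 5):
    """Sources with at least `threshold` failures, with the usernames they tried.
    A single user mistyping a password once (alice above) stays below the bar."""
    counts = Counter()
    usernames = defaultdict(set)
    for user, ip in failed_attempts(log_text):
        counts[ip] += 1
        usernames[ip].add(user)
    return {ip: {"failures": n, "usernames": sorted(usernames[ip])}
            for ip, n in counts.items() if n >= threshold}
```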
As a Linux user myself (Gentoo), I must say that you started to sound like you knew what you were talking about - until you made the above comment...
The whole point of a "$25 router" is that it separates valid Internet IP addresses from the reserved addresses normally used on a private LAN. When you take one of those things out of the box and switch it on with its default config, there is absolutely *NO WAY* anyone on the Internet can connect into *ANY* PC on your private LAN, whether those PCs run Linux or Windows. Where damage *CAN* occur is when you connect out from the private LAN to the Internet to a web or mail server and allow something in as a result. Yes, that's generally something attached to an email or script that can damage a Windows PC - but you're treading on *VERY DANGEROUS* ground if you believe that you do not need one of these boxes to protect a Linux PC.
Yep, if you're ultra-confident with Linux and know *EXACTLY* which services to leave turned off and how to securely configure the services that you leave on, then you'll probably be okay - but the first lesson anyone learns about security is that you take a *LAYERED APPROACH* to it and deploy any security measures first that are "cheap and easy" (like one of these boxes), and then harden your PCs subsequently.
Believe me, I know. Five years ago, I opened up a Linux server to the Internet (behind a NAT router) and stupidly left an FTP server running on it. Within days, someone had buffer overflowed the FTP daemon, stuck an eggdrop script on my server and had it attacking IRC users on another ISP - I only found out because my ISP kicked me off my service and wouldn't let me on again until I'd proven in pages and pages of logs that I wasn't launching those attacks.
Please don't get complacent about security - take my advice.
If you're not prepared to pay for their software then you shouldn't be using it, simple. And you would probably be admired more if you had the courage and strength of conviction to go spend the time learning to use an alternative OS in order to make a much clearer statement to Microsoft that you're not prepared to pay the money they ask for their products.
Any fool can download a pirated Windows CD from the Internet, it takes initiative to go learn and legally use an alternative OS.
On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that come in from emails, documents & web pages, but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.
No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...
About four years ago I was looking for another job and sent my CV off to a number of job agencies. After registering with them, I used to get a follow up call from some of them asking for more information and to name some companies that I would and would not like to work for.
Don't get me wrong, I'm under no illusions here - being a Linux/UNIX sysadmin/programmer type person, I doubt Microsoft would be interested in employing me particularly anyway but I told the various agents that I wouldn't want to work for Microsoft (there is a big Microsoft HQ in my old home town).
What was amusing was that just about every agent said back in response "A lot of people say that, funnily enough".
The point I'm trying to make is that I think there are a lot of people out there who aren't just motivated by salaries and who do care who they offer their services and skills to - although I always try to do the best job possible, I take the attitude that any company only hires me because I can potentially make them a lot more money than they pay out to employ me and that I am doing them as much of a favour by offering my skills as they do me by paying me a good salary.
DRM is not going to go away that easily because far too many big corporations stand to make too much money from it - Microsoft (and others) for licensing the DRM algorithms and Sony/BMG/Warner/etc. for being able to force the consumer to re-buy all their music and video; even better for them, just have us all "rent" the stuff.
If anyone can see any benefit for the consumer in DRM, then I am willing to listen to the pro-DRM argument - but the fact is that whilst I don't personally believe in downloading music or videos free-of-charge, it has not actually been proven yet that piracy has any direct impact on sales of music and films. All piracy has done is given the producers and retailers their justifications for raising the prices even higher ("because the piracy made us do it") meaning that as an honest consumer, who just wants to format change the stuff I own, I have to put up with anti-piracy adverts (that I cannot fast-forward through) and copy protection on media that I am expected to pay even more for. I guess, in one sense, the movie and CD companies have scored their victory on me because they've made me hate the pirates as much as I hate the MPAA/RIAA/Sony/etc.
But the real "fact" here is that people have always bought music and movies to "share" with others - whether it's sitting on a couch with a few friends watching a movie or lending someone a CD, it's just considered "fair use" of those products in using them that way and DRM impinges on that usage to the point where honest consumers are also affected. Sure, it could be argued that sharing MP3s with someone 5,000 miles away is not "fair use" but then that's down to the technology of the Internet that allows that to happen.
Personally, I believe people will pay money for products of high enough quality that are at a reasonable enough price - but the fact is that most movies and music are manufactured as "throwaway" fashion accessories rather than art to be cherished for long periods of time.
DRM is an easy way out for the movie and music companies - the harder way out would be for them to actually take the time to produce good quality products.
However, with that said, if someone cannot be rehabilitated or is a proven re-offender for serious crimes like murder, rape or abuse of a child, then I see no point in keeping them locked up forever at our expense.
Additionally, the whole paedophile issue is totally overblown anyway. Sure, paedophiles exist and when they're caught then impose the stiffest possible penalties on them - but the fact is that there are simply *NOT* hordes of them cyberstalking children on the Internet. Yep, there's a few weird people out there but kids are a lot more at risk from bullying by their peers, whether on the streets or on the Internet, than they are from paedophiles.
We have a legal system that is supposed to punish criminals to a point where they can be rehabilitated into the community when they have served a long enough sentence - this is no different whether they have stolen a car, burgled a house, murdered someone or committed an indecent act with a minor. If convicted paedophiles are released back into the community only to re-offend, then it is the legal and rehabilitation systems that need to be changed; this is no different to when a convicted burglar starts breaking into houses again.
"Sex offenders registers" do absolutely nothing apart from giving small-minded people someone to feel superior over and to justify their behaviour as banner-wielding thugs - you only need to look at these people in news reports to see that they are probably not the sort of people who should be reproducing in the first place.
Sure, have the legal authorities monitor rehabilitated criminals but let them get on with doing that - for the rest of us, it really is none of our business what those who have "paid" for their crimes have done in their pasts.
I agree with your points about DRM dying out within a few years (and good riddance to it) but I took offence at your above comment.
I use Linux far more than I use Windows - but not because I'm some "hippie activist" which is what you seem to be implying. Sure, I don't want DRM infesting any PC I own and I like to know what's running on my PC; but I'm also a technical support guy on a number of Linux-based products, any programming I do is with shell scripts, Perl and a little C and I like tinkering with PCs. But at the same time, the last few Linux and scripting courses I ran at my place of work were done around Powerpoint presentations and I'm a pretty avid PC gamer, so I also use Windows.
I thought it important to clarify the above because most people I know who use Linux are not *just* making a political statement - there are genuine practical reasons for doing so also; and if someone like yourself uses Windows or a Mac then good luck to you.
But please stop with the snide comments - there are too many Linux zealots on Slashdot but also too many people trying to turn Linux into a political statement...
Anyway, I hope you've got good muscles in your legs - having sold your ass to some big corporation somewhere, you're not going to be sitting down any time in the near future...
2. DRM - the good thing here is that, in my opinion, "Joe Bloke" is starting to get the message about the evils of DRM; we have Sony's big f*ck up to thank for that. People have traditionally "shared" their music and movies with friends & whilst I do not in any way support illegal downloads, lending CDs and DVDs to friends is something people have always done. Anything the media companies do to restrict that activity will fail.
3. Price - check out online retailers, even the music section of the local supermarket & you'll find CDs that you can buy cheaper than downloading all of the tracks from iTunes. Like HMV & Virgin, iTunes has got away for far too long selling overpriced products, all three of them are now suffering as a result - and good riddance to bad rubbish.
I think you are somewhat overstating the point when it comes to protected CDs - yes, the Sony debacle was pure stupidity on their part, but the fact is that protected CDs are still very much in the minority; I buy *a lot* of CDs and very few of them are actually protected.
Besides, I have not yet found one CD that I have been unable to rip to MP3 in whatever format I choose - ExactAudioCopy within Windows and cdparanoia in Linux both seem to happily ignore any protection on any CDs I throw at them.