Slashdot Mirror


User: Dagmar+d'Surreal

Dagmar+d'Surreal's activity in the archive.

Stories: 0
Comments: 150

Comments · 150

  1. Is Mitch a strict Creationist? on Chandler 0.1 Released · · Score: 1

    I have to wonder if possibly Mitch Kapor is a strict Creationist and has the word "Evolution" being filtered at his home router or something.

  2. Re:of course on Cisco Support for Lawful Intercept In IP Networks · · Score: 1

    I'll be endangered by a protocol I don't use? Somehow I doubt that. I intend to keep using my VPNs and my encrypted VoIP technology, no matter what pinheaded ninnies might declare to be illegal.

  3. Re:And the problem is... what exactly? on Cisco Support for Lawful Intercept In IP Networks · · Score: 1

    I wouldn't call this story a kneejerk reaction...

    I'd call it information about a protocol I'll never, ever willingly use. Not a chance.

    What I consider rather suspicious about it is that it's been published at all. When you put this together with all the wonderful bills popping up recently that attempt to ban firewalls and VPNs it starts to paint a rather unpleasant picture.

  4. Re:Bad Bad Bad on AOL Sues Spammers · · Score: 3, Insightful

    My goodness, I hate to say it but you've got a rather slippery slope going here.

    Most backbone providers DO currently take action against spammers, although some more than others. Typically this does not involve anything so delicate as filtering for spam traffic, but outright cutting the wankers off the network which is far more likely to be effective. I've actually been party to one incident where a phone call to a backbone provider at an opportune moment made a spammer, his ISP, and their ISP disappear off the face of the net with the perfectly reasonable assumption that a complete lack of packets makes news about neglected portions of an AUP travel fastest. The major problem with whacking spammers is the same with killing cockroaches with a shoe. Smash 10 and there's 100 more hiding under the cupboards waiting for the lights to go out. ...and by the time enough evidence has been gathered for a provider to order one of their downstreamers "Stop that twit or ELSE", the spammer has usually gotten a contract with another facility. ...plus, in case you haven't noticed, a whole fsckton of spam is now coming through overseas servers for companies operating domestically. When was the last time you tried to get a spammer run out of anything operating in China or Korea? Peering points between nations aren't so easily severed, nor would it be useful to do something so coarsely grained.

    The approach AOL is taking is actually rather likely to be effective. Most of these spammers are sketchy little fly-by-nights and LLCs that even suing into oblivion wouldn't stop. The day after filing bankruptcy for their previous name, they'll just reincorporate in a different office with a different name for a cost less than the money they'd make for one spamming job. The majority of the small businesses paying for advertising on the other hand need a little more fiscal momentum than a 3U rack rental to survive. Make it clear to them that there's a good chance some mega-corp is liable to sue them crosseyed if they make use of a spammer for advertising, and suddenly they'll get a lot more choosy about who they do business with.

    However, in case you haven't noticed...

    "(b) The legislature, judiciary, and executive branches of government coupled with industry and useful idiot consumers will require that traffic also be screened for other "bad data" - terrorist materials, copyrighted works, anti-American speech, evidence of criminal activity, financial data, medical data, and much more, and..." ...has already occurred. The FBI has been monitoring NNTP, SMTP, IRC, and HTTP activity at major peering points across the nation for over a year now.

    and:

    "(c) the banning of encryption as we know it, since the conscientious masses will turn to it for day-to-day traffic, which will be politically unacceptable to those in power." ...the political "unacceptability" has been the case for quite some time. The only reason the terrorism boojum hasn't caused it to be made explicitly illegal is that there are definite free speech issues preventing such from happening. If I had a nickel for every time I've heard the "kidnappers use crypto" argument, I don't think I'd need a job.

    However, give it another ten years by which time failing to reduce the spam problem through civil measures will be likely to have actually encouraged people to call for government intervention, and then you'll see non-escrowed strong cryptography start to become explicitly illegal for domestic use--in the interests of preventing terrorism, of course.

  5. This is morally reprehensible. on Rebuilding Iraq's Internet · · Score: 5, Insightful

    This is absolutely disgusting. These people are clearly taking advantage of someone else's (Iraq's) misfortune to try and make a buck. This group does not already control the .iq domain, but they know that if they can steal it, it'll be like having a licence to print money. Absolutely nothing is being said on their website about how much of this money they're collecting would actually be going to Iraq, and frankly, I suspect that "paying big salaries at Citri" will somehow also be considered to be an important part of the general welfare of Iraq's IT infrastructure.

    Let's see, there's also the small matter of it's not necessarily the desire of the Iraqi people that their domain space be sold off to people outside Iraq. For all we know, they could want a more conservative approach to be taken with it, and have it only be allowed for use by companies and organizations that reside within Iraq.

    From their web page:

    "The auction is set to continue over an intense two month period, after which funds will be called upon from the winners of each bid, and registrations formalised."

    Translation:
    s/auction/looting/;

    "In the case that a registration is not successful, no funds will be charged, unless the individual wishes to make a donation to the fund."

    Translation:
    "If the piles of money offered for domains doesn't change the minds of the people in the IANA and get us Iraq's domain, then you won't be out a penny."

  6. My opinion. on Spammers, Privacy, Anti-Spam, and Lawsuits · · Score: 3, Insightful

    Should this guy have his privacy protected against being bombarded with unsolicited catalogs and faxes at home?

    Not only "no", but "hell no".

    I am positively rabid about not allowing my personal and private, non-business email address to be used for anything but personal, non-business email, and yet after a few years, every f**cking spammer on the planet seems to be using it anyway, it's getting a dozen spams a day, and there isn't any legitimate way they could have obtained it.

    To make the spam go away, I have to virtually "move" by changing my email address, reducing my accessibility to that of a virtual drifter, and making it impossible for anyone to reach me who hasn't heard from me in a year or two. The same rules should apply to this piece of human waste calling himself a businessman. If he wants the spam to leave him alone, he can move somewhere else like the rest of us have to do.

  7. Do we look stupid to her? on Do Privacy Fears Allow Terrorism? · · Score: 1

    "Our government only wants to protect us, and would never misuse technology"

    This is a complete and utter load of horse shit.

    I've been victimized by corrupt officials on the metropolitan and state level who abused technology, so there's no way in hell I'm going to blindly trust federal ones!

  8. And yet another new RFC for April 1st! on TCP/IP Header Bit Added to Improve Security · · Score: 1

    There's also a new RFC numbered 3514 for this year's April Fool's RFC that proposes a new bit to be added to IPv4 so that script kiddies and ne'er-do-wells can flag their packets appropriately when performing attacks. The editors of Slashdot are really asleep at the prompt to be overlooking this April 1st story!

  9. Re:DRM? on Creative SoundBlaster Audigy 2 Reviewed · · Score: 1

    It's no more crippled than any other DRM-supporting devices' digital-out. What's the matter? You don't know how to work DeCSS like the rest of the world?

  10. Re:AWE 32 on Creative SoundBlaster Audigy 2 Reviewed · · Score: 1

    Try using your AWE32 card to do effects processing like echo, flanging, pitch-shifting, and positional shifting taking into account varying number and placement of speakers in realtime (this is what EAX does, ahem) without gobbling down 20-80% of your CPU. Try using your AWE32 card to hardware accelerate encoding your MP3's to way better than realtime encoding (this is another thing the EAX circuitry is used for, courtesy of Creative Playcenter... may-they-soon-get-an-ogg-module) Astonishingly enough you don't have to spend $200 for this, because SBLive! cards retail for about $40 give or take $20 and seem to still support four speakers by default.

    To my ears, your whining about a lack of "worthwhile 'innovation'" just sounds like so much kvetching about why everyone gets so excited over that "newfangled OpenGL thing" that video card manufacturers are so viciously forcing us to spend our money on.

    Get the clue.

  11. This is silly. on Flaw Found In Ethernet Device Drivers · · Score: 4, Informative

    When I first saw this, I thought to myself, "Surely Steve Gibson's name is on the report somewhere" because this is the sort of lunacy one usually finds his name on.

    Much to my surprise, @Stake's name was on it. Looking further, I see that Eweek has genuinely made a mountain out of a molehill. Seventeen bytes of randomly chosen data can be snatched from a remote machine, provided it's literally in the same building as the attacker, and provided it's got a cheap-o network card. Pardon me while I quake in fear for the safety of the little children.

    Why do we have to be in the same building? Because if the packet in question goes through most routers, they're quite likely to crumple the bits up and throw them away because of its past use as a means for covert communication. ...and while it's good that the memory leakage is of contiguous bytes (otherwise they'd be entirely useless) seventeen bytes is a _really_ small window for any meaningful data to come through. If you were lucky, you might be able to get part of a (presumably encrypted) password, or two and a half words from a typical email. It's also possible that fancy arp-foolery would get you *all* the victim's network traffic, making it the long and obnoxious way to go about doing something as simple as sniffing packets.

    Their statement about it being "trivial to exploit" should have stopped at just saying it was "trivial". It was good of @Stake to bring this to the attention of programmers, although quite possibly publishing in PDF format made it look a little more important than it really is. ...What Eweek published about it was downright silly.

  12. Re:looks possible on Ripping Vinyl Via Your Scanner? · · Score: 3, Funny

    I hate to LART someone I don't know, but...

    This poster has no clue whatsoever. They are either incredibly high, making a joke that simply isn't funny, or incredibly stupid.

    Very possibly more than one of the above factors is at work here. ...and the people who foolishly moderated this as INFORMATIVE are almost assuredly being affected by at least two of the above factors.

    Factual information to back up my claims, in simple and easy to understand words:

    Needle grooves are not just squiggly lines like waveforms in your copy of WinRecord. The groove itself is going to be v-shaped, and can swing the needle both inboard and outboard, as well as rotate it slightly. Even a 2400 dpi scanner is not going to be sufficient to read that kind of subtlety... and let's not forget the other two factors here... the vinyl is both SHINY and BLACK.
    When was the last time you tried to scan the cover of a black vinyl three-ring binder? Could you see the naugahyde (sp?) pattern in the scanned result?

    Pffft.

    Step _away_ from the bong, people.

  13. ASTROTURF! (was Re:Vexira mailarmor is the way...) on Scanning for Windows Viruses in Linuxland? · · Score: 2

    Anyone who feels like just moderating some comments down, feel free to hit this one and the ones below of the same vein...

    Note carefully...

    * Poster has only made one post ever--here.
    * Poster's numeric ID is within a handful of the one above.
    * Poster's comments are all very obviously marketing-speak.

    Vexira has just cost themselves a possible customer. I don't buy products from people who lie about them, and astroturfing is lying.

  14. 850Mhz CPU test only? on GeForce3 and Linux · · Score: 2

    I've recently been digging around trying to figure out which GF2 I'm going to buy (since there will obviously be a price drop on them shortly) and came across multiple sites with Q3A benchmarks from different speed CPUs (www.tomshardware.com being one of them). 850Mhz seems to be just a hair under the line for what Q3A really needs to scream. At 850Mhz performance appears to still bottleneck at the CPU for the Windows version (and likely the Linux version as well)... 900Mhz is where most of them show that performance tops out. Going above that doesn't seem to make the frame rate go significantly higher, but it's a fairly sizeable jump in performance from 850 to 900 Mhz.

  15. This is not an entirely new method... on Growing New Cartilage · · Score: 3

    This is not an entirely new approach to repairing damaged cartilage. It appears that the only thing new about it is that they are cloning one type of tissue into a *different* type of tissue. Cartilaginous replacements are being done in other ways...

    In December I underwent knee surgery to remove a piece of bone about the size of a quarter that had broken off from one of the inner surfaces of my knee. At the same time a cartilage biopsy was taken (i.e., a small sample of tissue) which will be cloned into a piece of replacement cartilage which will be reimplanted in my knee if enough scar cartilage doesn't form where they drilled a bunch of tiny holes in the end of the bone (yes, it was even more painful than it sounds for about two weeks following the surgery) to stimulate scar cartilage growth where the chunk of bone was removed from where it had been mangling the cartilage in my knee.

    My doctor might be irked with me for getting them Slashdotted this way, then again they might not mind the exposure, but here's a URL for the type of surgery I went through, and more specific details on the why and the how of the cloning of replacement cartilage.

    http://www.iasm.com/ccc.html

  16. Re:Here Comes the MS Bashing... on When Is Exchange Inappropriate For The Enterprise? · · Score: 2

    I'd like to point out that calendar servers have an open standard. Netscape makes one. Outlook is even (theoretically) supposed to be able to use it. Various other *nix programs can use standard calendaring servers. They can not, however, use Exchange because it's an entirely closed solution.

    I do at least agree with this guy that the COST of migrating to Exchange must be considered, and I'm fairly sure it would be quite prohibitive for most organizations, primarily due to the expenses involved in ensuring everyone's anti-virus software is up-to-date and that everyone HAS anti-virus software. (Don't count on your mail server to be able to scan for viruses *and* deliver mail. Anti-virus on a mail server is pretty vicious on the CPU)

    ...there's also the issue that now you'll have to obtain a licence for Outlook for *every* seat in the enterprise if you "standardize" on Outlook, whereas before a portion of the company using Pine and other free mailers weren't costing you anything (if you had any sense).

    I keep on remembering reasons, too... Here's another one. Microsoft products have an increased cost of ownership all by themselves due to Microsoft continually orphaning "legacy" versions of software. Whether you like it or not, Microsoft is going to come out with a new version of Outlook in the next 12-16 months, and users are going to start pushing for a move to it. If they continue on like they've been doing, expect them to completely *abandon* support for Outlook 2000 in late 2001 (tried getting security updates for Outlook 98 lately?), and you will be *forced* to update.

    You don't *buy* Microsoft software, no matter what their reps might be telling you. You're only signing a lease that lasts as long as it takes them to crank out two newer versions of the software. They always find a way to force people to upgrade by the third release.

  17. Oh geez how could I forget... on When Is Exchange Inappropriate For The Enterprise? · · Score: 1

    I can't believe I forgot this...

    If your office decides to use Exchange, and then "standardize" on Outlook, unless you have additionally found a way to prevent each and every user who uses that Exchange server from disabling their anti-virus software (ha! good luck on that!) you're going to be ensuring that pretty much every user using mail from your server is a possible target. More importantly, two to three times a year when a *new* macro-virus comes out that the scanners *can't* spot, it's going to rip through your office like anthrax, and the additional load is going to make your Exchange server eat itself and DIE.

    If you're already using an HA rig to deal with email, then you've got a pretty considerable load on those things already I'll bet. Imagine what happens when 20-50x that load starts pounding the server for about an hour or so.

  18. Why NOT Exchange on When Is Exchange Inappropriate For The Enterprise? · · Score: 1

    I can give you an *exceptionally* good reason why not to use Exchange. Recovering from corrupted mail spools (which CAN happen quite easily) is extraordinarily painful and unwieldy. It basically requires that you have a hot spare of your mail systems ready to go, and frankly, the only reason I'd be keeping a hot spare around would be for hardware failure... not software. (I don't use software that's so bad it requires hot spares--which is what it basically comes down to.)

    Let me outline you how exactly an Exchange administrator is supposed to "recover" from corrupted mail spools...

    You have to build an *identical* system to the one that has begun corrupting its spools. Then the administrator must manually (this can be scripted but that still doesn't make it any less horrifying) migrate each and every user off the damaged Exchange server over to the new one, leaving the corrupted data behind. Microsoft has provided no way to try to untangle corrupted spools whatsoever, and there's not even a way to just grab someone's spool file and manipulate it.

    After you're done you can do whatever you like with the old mail servers, but either way, at minimum your Total Cost of Ownership (a buzzword Microsoft Reps seem fond of flinging around) just *doubled* the price of your hardware for running an Exchange server.

    ...with a normal *nix-based system, you can at least just restore some backup files and go from there.

    And, of course, don't forget that if they get Exchange installed there, you can bet they'll be wanting to move to Active Directory next so they can try for a Single Sign-On solution. The short of it is that your politically powerful faction that's pushing for Exchange is also likely pushing for more power in the office, and Active Directory has the unfortunate effect of concentrating complete control of your network into the hands of whoever owns the master directory server, which will probably be them. I've seen a lot of different corporate infrastructures, and none of them so far have really been able to dispose of the web of trust issues that something like this brings up.

    Example: If you have an IT security department, and a network infrastructure department, the network infrastructure department is the logical choice to be responsible for maintaining the Active Directory servers. However, if anyone in the IT security department (or, say, PAYROLL for an even better example) is actually logging into the Active Directory crapola when they boot up their computer, all of their files are effectively under the control of the network infrastructure department. It's an improper trust relationship, and there is no way around it.

    Microsoft makes a lot of nifty products that are easy for users and administrators to use. Unfortunately they lock you into a particularly small set of possibilities for organizing how your equipment is managed and controlled, which represents a HUGE threat in the form of weak/broken trust models resulting in possible collusion and/or internal espionage.

    (Basically, if it looks like a Fisher-Price toy, and works like a Fisher-Price toy, then it isn't something you should be basing your business model on.)

  19. Damnit Roblimo on @Home Stops Allowing VPNs · · Score: 1

    You should be ashamed. This has nothing to do with multiple-IP users and doesn't mean a thing to people who have more than one machine and only have one IP that they masquerade through. A "private network" is _not_ the same as a "virtual private network".

    People claim that the people who post responses to /. often go off half-cocked, but I suppose this just shows that those posting the stories aren't immune.

  20. This is neither a huge surprise, nor a bad idea on Tripwire Going GPL · · Score: 4

    Tripwire is a security tool. That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities, since there are definitely a lot of people running around on lists like Bugtraq who go into a positive frenzy over making security related patches. Tripwire is also one of the few integrity checkers that many people are familiar with using, and while a skilled system administrator who can code in C could probably come up with something very similar in a few weeks, it's not really all that feasible. Anywhere where this sort of integrity checking would be _demanded_ to ensure certain policy requirements, the system administrators are likely to not have the time necessary to develop such a tool (at least in most companies, time for R&D is pretty limited). GPL or no, it's these same companies that are most likely to be looking for a support contract for such a tool, because places that have policies requiring this level of attention to detail are also quite likely to have made it standard operation procedure to get support contracts for every possible piece of software they use, no matter how small. (This all falls under "assurance" guidelines by my book)

    GPLing this code will make it more friendly to the freelance security consultants, as well as those who aren't so freelance because now they'll have a chance to exercise their paranoia and examine the code themselves to see for sure that it's good and solid.

    ...not to mention that Tripwire has received a great deal of help from the hacking community in the way of pointing out potentially weak implementation methods, and generally just making things tidier.

    So I don't see making the code GPL making any serious dent in the company's profit model, especially with more companies starting to get used to being able to obtain support contracts for software they didn't have to actually pay anything for. It's only recently that you could even think of being able to obtain support contracts for software that wasn't backed by a company whose profit model was based on the sale of the software, which makes the whole trick of making certain there are experts that can be called on in a flash to help solve problems when something goes wrong highly improbable, if not impossible.

    I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on. (For some reason the bigger a company gets, the less likely they are to want to trust the word of their own employees alone... but then again, that quickly falls under the umbrella of assurance in a good set of security policies.)

  21. My goodness, there are a lot of CLUELESS TWITS... on Could This Be The End Of The Internet? · · Score: 1

    Once again, I (along with a few others) am forced to wonder if we are the only people reading the articles referenced on Slashdot. Frankly, it looks like the blurb posted here was based on the subject of the article on SecurityFocus, which was fairly off the mark to begin with... The post on /. refers to security _companies_, and makes it sound as if there were tiger teams out there devoting themselves to eliminating file sharing. ...yet I look at the posts below and see hundreds of angry articles written by people who CLEARLY didn't read the article, but are commenting freely upon it, based on this erroneous assessment. For crying out loud people, it's not like it's going to make you go blind to stop looking at pretty pictures and read an actual 3k of text every once in awhile. ...certain people at Slashdot would do well to take a little more care to not post inflammatory one-off summaries of things they're linking to as well. The article, for those who STILL haven't read it, details news of two QoS/policy enforcement devices that have just hit the market. One is essentially a firewall with traffic shaping capabilities, and the other is a monitoring/enforcement box, similar to a dozen other products that I know of. GRrr....

  22. Oh dear... on At Last And At Length: Lars Speaks · · Score: 1

    I think that after reading the replies from Lars very carefully that the stark reality of the situation is clear. Lars has killed WAY too many brain cells.

    I almost feel sorry for the guy. Either he has an absolutely unbelievable problem with expressing himself clearly, or he's spending most of his life in a daze now, barely aware of the events going on around him.

    Very sad.

  23. Your lawyers... on Our Attorney's Response To Microsoft · · Score: 1

    ...are *really* on the ball. I'm impressed. That reply was downright vicious. They all deserve plaques for Christmas bearing the title "Genuine Rat Bastard".

    Slashdot is in good hands. :)

  24. Re:Why a firewall? on The Slashdot DDoS: What Happened? · · Score: 1

    Speaking professionally, Win2k is the *last* platform I would put a firewall on to go beside a BSD box. BSD & Linux I would do fairly quickly, or either and a hardware solution, but never Win2k.

    I prefer that the equipment a) be from a reputable vendor, b) has been tested over time, and c) is resource efficient.

    Microsoft and Windows 2000 fit *none* of those criteria.

  25. I am still quite displeased. on Media On MS Asking Slashdot To Remove Comments · · Score: 1

    I still think that the response of honest, good-natured intelligent people should be very simple.

    The DMCA was signed into law by a man who is either a fascist, or who is a dupe of other fascists. Multiple White House officials have admitted now that they feel it was a mistake, yet apparently they don't feel bad enough to actually do anything about it.

    I don't think we should do anything about it either. Nothing. Nada. Well, maybe one small thing of significance by way of response.

    I feel that it should be two fingers raised to the sky in a simple display of peaceful civil disobedience.

    ...one on each hand.