You need to get warmer CFL's then. The manufacturer makes a big difference in the quality of the light and some manufacturers make warm bulbs. All of my bulbs are warm light CFL's and they rock. I've seen CFL's that still sort of flicker when first turned on and others that have terrible color light. Mine are warm and come on instantly with no flicker at all. The only funny thing is that the bulbs get brighter after they've been on for a few seconds- but only if it is cold in the room (obviously).
I just spit soda all over my keyboard. Damn you! :)
Not quite- It generally works like this:
First off- be prepared for a damned attack and don't wait til it happens. When an attack does come:
1- Identify the target IP address
2- Immediately null-route traffic for that address (preferably using BGP community based null-routing)
This gets the rest of your systems back up and gives you time to work on the problem.
3- Try to identify a pattern in the attacking traffic- use a product from a company like Mazu- or just tcpdump if you're good with sed and awk.
4- If there is a pattern ask the upstream ISP to block based on that pattern (same source port, same source IP, same TTL, whatever). Or block it yourself if you have the router and bandwidth capacity to deal with the attack yourself- though that's generally a waste of your resources.
5- If there is no pattern but the traffic is malformed then enable a Cisco Riverguard or similar protection device that can filter out malformed traffic at the higher protocol layers. As an alternative, sign up for such a service from a company like Prolexic.
6- Remove your null route and see how you did.
7- If you can't afford a protection service, you can try moving the host/dns records to new IP's. Sometimes the attacks don't follow- sometimes they do. It's often worth a try as it can be done faster than enabling protection services in many cases. In this case leave the old null route in place until the attack stops. Be prepared for the attack to return at any time once they realize what's happened.
Make sure to keep traffic logs for law-enforcement and to share with other ISP's so that they can track down the offending bots.
In the future try to keep your traffic as segregated as possible such that an attack on a single host will not take down too many other services should you need to null-route that address for an extended period of time.
The easiest solution- block all IP addresses assigned to the APNIC region and watch as your site immediately returns to normal. Sadly most of the DDoS's I've seen recently had the majority of their traffic sourced from APNIC addresses.
-sirket
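Steps 1, 3 and 4 of the procedure above, worked as an added example (this is not the poster's tooling, and the capture is constructed, not a real attack): a small triage script that parses `tcpdump -nv` style lines, ranks destinations to find the target, then checks which header fields have a single dominant value among packets to that target (source port, TTL, size and so on) and turns them into a BPF expression you can feed back to tcpdump to confirm the pattern before asking upstream to filter on the same fields. The field list, the 80% threshold and the helper names are assumptions.

```python
"""Triage helper for the null-route-then-find-a-pattern procedure.
Added example; the sample capture is constructed, not a real attack."""
import re
from collections import Counter

# Regex for IPv4 lines as printed by "tcpdump -nv": the header parenthetical
# carries ttl, protocol and IP total length, followed by src.port > dst.port.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?proto (?P<proto>[A-Z]+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample: nine flood packets (many sources, one source port, one TTL,
# one size) aimed at the DNS server 198.51.100.10, plus legitimate traffic.
FLOOD_SOURCES = ["203.0.113.%d" % n for n in (11, 23, 37, 41, 58, 66, 72, 89, 94)]
SAMPLE_CAPTURE = "\n".join(
    [f"IP (tos 0x0, ttl 54, id 0, offset 0, flags [none], proto UDP (17), length 68) "
     f"{src}.1024 > 198.51.100.10.53: 4660+ A? example.com. (40)" for src in FLOOD_SOURCES]
    + ["IP (tos 0x0, ttl 118, id 7731, offset 0, flags [none], proto UDP (17), length 71) "
       "192.0.2.44.55100 > 198.51.100.10.53: 21033+ A? www.example.net. (43)",
       "IP (tos 0x0, ttl 63, id 9, offset 0, flags [DF], proto TCP (6), length 60) "
       "192.0.2.17.40001 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0",
       "IP (tos 0x0, ttl 250, id 10, offset 0, flags [DF], proto TCP (6), length 60) "
       "192.0.2.91.40002 > 198.51.100.20.80: Flags [S], seq 2, win 64240, length 0"]
)

# Fields worth handing to an upstream as a filter; dst port is left out because
# on a DNS server it is always 53 and says nothing about the attack.
FIELDS = ("src", "sport", "proto", "ttl", "length")


def parse_capture(text):
    """Return one dict per parsable line; lines the regex cannot read are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def top_targets(packets):
    """Step 1: destinations ordered by packet count; the target stands out."""
    return Counter(p["dst"] for p in packets).most_common()


def find_patterns(packets, target, min_share=0.8):
    """Step 3: among packets to `target`, the fields where a single value makes
    up at least `min_share` of the traffic.  Returns {field: (value, share)}."""
    to_target = [p for p in packets if p["dst"] == target]
    if not to_target:
        return {}
    patterns = {}
    for field in FIELDS:
        value, count = Counter(p[field] for p in to_target).most_common(1)[0]
        share = count / len(to_target)
        if share >= min_share:
            patterns[field] = (value, share)
    return patterns


def suggest_bpf(target, patterns):
    """Step 4 helper: a tcpdump/BPF expression for the pattern, to confirm it on
    the wire before asking upstream to drop on the same fields."""
    clauses = [f"dst host {target}"]
    if "proto" in patterns:
        clauses.append(patterns["proto"][0].lower())
    if "src" in patterns:
        clauses.append(f"src host {patterns['src'][0]}")
    if "sport" in patterns:
        clauses.append(f"src port {patterns['sport'][0]}")
    if "ttl" in patterns:
        clauses.append(f"ip[8] = {patterns['ttl'][0]}")       # IPv4 TTL byte
    if "length" in patterns:
        clauses.append(f"ip[2:2] = {patterns['length'][0]}")  # IPv4 total length
    return " and ".join(clauses)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    target, count = top_targets(pkts)[0]
    print(f"target {target}: {count}/{len(pkts)} packets")
    pats = find_patterns(pkts, target)
    for field, (value, share) in pats.items():
        print(f"  {field}={value} in {share:.0%} of packets to the target")
    print("confirm with: tcpdump -n '" + suggest_bpf(target, pats) + "'")
```

On the constructed capture the source address never dominates (it is a distributed flood), but source port 1024, TTL 54 and a 68-byte size do, which is exactly the kind of tuple an upstream can drop with an ACL while the null route stays in place.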
If your upstream provider can't handle 400Mbps of traffic then you're being hosted by a pretty shitty ISP/data-center. It's not like gig uplinks are expensive (even if you only commit to a tiny rate you can generally get gig uplinks). Spread this across 4 or more datacenters and you've got a lot of bandwidth.
Not to mention that networking people generally don't give a shit about bandwidth- it's packets per second that kill routers, not bandwidth. Assuming 100 byte packets that's about 4Mpps- Even a basic 7600 can handle this kind of traffic. Assuming 30 byte packets (can't be smaller than that) you're talking about 15Mpps. Again, even a basic 7600 should be able to handle that- not to mention a Juniper M7i or similar. Most Foundry equipment would laugh at that rate. All of these routers can do ACL's at full packet rates.
That said- other recent DNS attacks exceeded 1.5 Gigabits per second of traffic and were a lot more vicious than the attack being described here.
I'm not knocking EveryDNS- I know what a bitch dealing with a DDoS can be- the problem tends to be that most people aren't ready to deal with it. Using BGP community based nullrouting most service can be restored within seconds of the target IP(s) being identified. That allows admins to keep untargeted systems and services up while the attacked systems are dealt with. The admins can then use the time to locate some/any pattern in the attack or enable the appropriate filtering such as a Cisco Riverguard or similar.
-sirket
First off- by all accounts Windows NT borrowed heavily from VMS.
Secondly, the Morris worm compromised _Unix_ systems- not windows boxes. I loathe Windows but please don't pretend Unix doesn't have its own sins. The difference is the Unix folks tend to learn from their mistakes and the Windows folks don't.
-sirket
Or he could get a real switch from Foundry :)
Seriously though- Cisco makes terrible switches. Oversubscribed ports, slow backplanes, etc. Add to this the fact that their TAC has gone to pot (ask just about anyone on NANOG) and they're not a sound choice right now.
-sirket
Seriously! A person who administers Windows Servers/System is a Server/System administrator- not a damned network administrator. Network admins have had to start calling themselves network engineers to try to differentiate themselves. Frankly I'm tired of getting resumes for "Network Administrators" who are systems administrators.
-sirket
Not just foreign terrorists either- we're going to restrict so many things in this country that our own citizens are going to start fighting back- in some cases by blowing things up. The tighter you squeeze the citizenry the more they slip through your fingers. The biggest danger in the future is not going to be a crazed Al Qaeda operative- it's going to be some guy from the midwest who wanted to fly a rocket and couldn't.
People were making these chemicals in home laboratories for years and years. It's just not that hard. Gordon Moore (founder of Intel) used to make nitroglycerine as a kid for heaven's sake.
I have a great idea- you leave me the hell alone- and I'll leave you alone. How about this country try that for a change.
-sirket
How does: "Leave everyone the fuck alone" result in an erosion of civil liberties? If you really think it's hard to manufacture any explosive then you haven't taken a damned organic chemistry class.
-sirket
You can't change the battery because adding a removable cover for it would make the iPod far larger than it currently is. Considering the 24+ hours available from a single charge on some models, and the much larger number of charge cycles available from lithium ion batteries today this becomes a moot point. You don't need to change it so don't worry about it. (This isn't the 1st generation iPod).
iTunes is a simple, easy to use interface. That said- there are third party interfaces including ones that run under Linux.
What conversion are you talking about? The iPod groks mp3 natively- it doesn't do any conversions. AAC is the format Apple sells songs from iTunes in- but that's only songs you buy from iTunes. Perhaps you are thinking of the cracked conversions Sony did with their moronic ATRAC format.
Your dragging question is the same as the iTunes question. Either use iTunes or use a third party app. I use iTunes even without an iPod. I used winamp 3 (IIRC) and never seriously considered winamp after that. Is iTunes perfect? Hardly- but it does the job and gives me no grief.
Looks are purely subjective and up to you. That said- ever held an iPod? They feel solid. Everything about them feels right. The interface is simple, the buttons and scroll wheel are perfect, and the screen on the newest models is gorgeous. It isn't just about looking cool- they are beautifully designed, inside and out.
-sirket
Actually it is your problem. You're using an ISP that probably hosts spammers. In case you didn't know- this was a HUGE problem for a while. Spammers were offering ISP's big money to use their pipes. It wasn't until the ISP found itself blacklisted that they started kicking spammers off their connections.
If you find yourself blocked then start by finding out why. It might even be your own damned mail server- you wouldn't be the first clueless admin I've had to deal with. If it isn't you then complain to your ISP to kick off the offending spammer. If that doesn't work then leave and move to another, responsible ISP. Please don't bitch to us- we don't care. (If you have a contract then break it- if the ISP is engaging in activity (hosting a spammer) that is preventing you from using the connection that you are paying for then they are in breach of contract and you are within your rights to terminate the contract.)
-sirket
It is entirely boneheaded. That a business from another country should fail to correctly interpret US law should not come as a surprise. I'm a US citizen and _I_ can't interpret US law. Hell- US lawyers can't interpret US law. If they could- court cases would be a lot fucking shorter.
Spamhaus said - "wait a second- this isn't a case that belongs in Illinois." By the time it was moved to Federal court Spamhaus realized that "hey- this fucking case doesn't belong in the US at all." The fact of the matter is that Spamhaus did exactly what they should have- ignored the fucking order. If they had to respond to every trivial lawsuit brought about anywhere in the world they'd be bankrupt and fat lot of good that would do me as a mail server admin.
Personally I think the judge should get his head out of his ass, recognize he doesn't have jurisdiction, and drop the case. Of course given the arrogance of most judges that isn't likely to happen. He obviously got pissed off, decided he wanted to "make a point" (something judges decidedly should not do) and stayed involved. Instead I can sit back and hope he drives his SUV off a bridge at high speed during a winter snow storm. The world might just be a slightly better place.
-sirket
Let me be clear- Linux _can_ offer almost all of the same services as Cisco- but not in a single unified way. You need to use Zebra for BGP and add in other software for the other protocols. And what happens if you disappear tomorrow. If your environment is Cisco then you can call any other Cisco admin and they can admin it immediately. Try that with a cobbled together Linux solution.
-sirket
Wow- switches for high speed stuff? Jesus what networks do you work with? Where is my OSPF, EIGRP, and BGP on Linux? Where is my VRRP, HSRP and GLBP? Where are the DS3 and OC3 interfaces? Linux works fine for smaller installations. If all you are trying to do is connect your office to the Internet then we're not even on the same page. If you work at an ISP, large corporation, or otherwise handle core routing requirements you would never even consider using Linux.
-sirket
Your university got ripped off. I could have put in a completely redundant CheckPoint/Cisco/Whoever firewall routing the same GigE connections for less than 20k pounds. Hell I could have put it in for less than 20k dollars. Perhaps there was some sort of crazy requirement you are unaware of that made a simpler solution unacceptable? The last company I consulted for just installed a clustered CheckPoint firewall with management station routing GigE connections for about $18k.
I don't disagree that OpenBSD, pfsync and pf make a good choice- I use them in a lot of smaller installs. I also use pfsense and monowall a LOT. That said, I suspect there were other reasons the firewall your university installed cost 20k pounds. As for the outages- I have no explanation there unless your university has a very complicated network. I haven't experienced the sorts of deployment problems you are describing and I've been involved in a number of very large firewall deployments.
-sirket
In the event of a total explosive failure your ashes will be scattered in space free of charge- an honor usually reserved for famous Science Fiction icons.
I'd think it would be playable without the nunchuck- I'd rather not be swinging around a controller when I can just press buttons. Hell if it isn't playable without the nunchuck then I don't have to get a Wii at all- yay! :)
-sirket
The $250 price point rules out a Wii for me. I don't actually need a console and for whatever reason $200 was my limit for buying this one. It seems a shame too- I hate sports games and so both Sports and the nunchuck seem wasted on me. Get rid of them and let me buy Zelda instead for the same $250 and I would have bought one as soon as I could get my hands on it. I'm not even talking about dropping the price- get rid of the crap I (and I'm sure many others) don't want.
-sirket
I read the summary for this article and was outraged- then I read the article, realized it was in England and my reaction was "yeah that's about right." The UK has lost its collective mind. The English are the only people on the planet who could have read 1984 and said "Hey, that sounds like a nice place to live- let's give it a try."
-sirket
Hence the random "Non-system or disk error." They would think the disk had failed. The beauty of building this myself in hardware is that no one else would have a similar system.
This might have worked if no one knew about TrueCrypt- Unfortunately everyone does now. This means everyone knows it can provide you with a bogus OS. If they come after you and you are running this and they don't find what they want to they will simply claim you are hiding the real data and throw you in jail for contempt. It's no worse than having an encrypted controller. The encrypted controller, however, will be faster, and data can not be written to the disk without it being encrypted. Obviously I need to look into Seagate's drive encryption and see how it is implemented.
-sirket
I refuse to trust Windows with security. Some virus/trojan will come along and disable the encryption- or just put unencrypted copies onto other parts of the disk, etc. etc. etc. I want layers of security. Use EFS/Bitlocker for the FS and hardware encryption on the disk.
-sirket
Exactly how the fuck does your god damned BIOS boot your OS if _EVERYTHING_ is encrypted? Would you like to explain that to us laymen? Oh- gee- wait- you said it's not your boot drive. Great- So when Windows writes a fucking temp file to the unencrypted boot disk TrueCrypt doesn't fucking help me. I don't want a single bit to be written to the disk without it being encrypted. I don't even want it to be _POSSIBLE_ to write something unencrypted to the disk- even if someone does a write to the raw disk.
I suggest reading the fine manual that comes with Truecrypt and studying the bit about plausible deniability. And the bit about encrypting whole devices. *Then* come back and bring an informed opinion.
Please don't tell me to bring back an informed decision- I use TrueCrypt on my bloody laptop and know full well how it works. The plausible deniability is great- the problem is everyone knows TrueCrypt provides said feature and in this day and age just knowing it is there can be a problem. Moreover there is always the possibility that something goes wrong and unencrypted data is written to your hard drive- or a virus gets in and disables it- or the government figures out how to crash it, etc. etc. etc. I want hardware encryption- preferably that I have designed myself.
-sirket
The problem is that some part of the disk is unencrypted - otherwise you would not be able to boot it. If someone gets hold of the disk they will see the unencrypted partition and realize that there is an encrypted partition (because of the partition table / fstab / etc.). With a hardware controller the data on the disk is entirely gibberish. If someone gets hold of just the disk there is nothing sensible on it. If they get it with the controller it shows a non-system or disk error. Either way it reveals nothing.
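The point made here about what the bare disk reveals, as an added example that is not the poster's design and not any vendor's product: a constructed MBR-style image with a plaintext boot partition next to an already-encrypted data partition, inspected the way someone holding only the disk would inspect it, and then the same image passed through a model of an in-line encrypting controller that covers every sector, partition table included. The controller's cipher is a stand-in (SHA-256 in counter mode as an XOR keystream), and the key names, image layout and `inspect_image` helper are all assumptions.

```python
"""Software FDE with a plaintext boot partition versus a disk encrypted end to
end by a controller in the data path.  Added example with constructed images;
the keystream cipher is a stand-in, not any real controller's scheme."""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
IMAGE_SECTORS = 64  # a 32 KiB "disk" is enough to show the difference


def keystream(key, lba):
    """One sector of keystream: SHA-256 over (key, sector number, counter)."""
    return b"".join(hashlib.sha256(key + struct.pack("<QI", lba, i)).digest()
                    for i in range(SECTOR // 32))


def controller_xor(key, image):
    """Model of an encrypting controller: every sector, sector 0 with the
    partition table included, is XORed with its own keystream.  XOR is its own
    inverse, so the same call with the same key decrypts."""
    out = bytearray()
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        out += bytes(a ^ b for a, b in zip(sector, keystream(key, lba)))
    return bytes(out)


def mbr(partitions):
    """Classic MBR: 446 bytes of boot code, four 16-byte entries, 0x55AA."""
    table = b"".join(struct.pack("<B3sB3sII", 0, b"\xff\xff\xff", ptype,
                                 b"\xff\xff\xff", start, count)
                     for ptype, start, count in partitions)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xaa"


def software_fde_image():
    """Constructed layout of a conventional software-FDE disk: partition table
    in sector 0, a plaintext boot partition in sectors 2-9, and a data
    partition in sectors 10-63 whose contents are already ciphertext
    (simulated with the keystream under a separate key)."""
    boot = b"GRUB stage2 - root=/dev/sda2 (encrypted) - press ESC for menu"
    image = bytearray(IMAGE_SECTORS * SECTOR)
    image[0:SECTOR] = mbr([(0x83, 2, 8), (0x83, 10, 54)])
    image[2 * SECTOR:2 * SECTOR + len(boot)] = boot
    image[10 * SECTOR:] = controller_xor(b"data-partition-key", bytes(54 * SECTOR))
    return bytes(image)


def longest_printable_run(data):
    """Length of the longest run of printable ASCII: strings stand out."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7f else 0
        best = max(best, run)
    return best


def shannon_entropy(data):
    """Bits per byte; ciphertext and random data sit close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_image(image):
    """What an examiner learns from the raw bytes without any key."""
    s0 = image[:SECTOR]
    has_signature = s0[510:] == b"\x55\xaa"
    partitions = []
    if has_signature:
        for off in range(446, 510, 16):
            _, _, ptype, _, start, count = struct.unpack("<B3sB3sII", s0[off:off + 16])
            if ptype:
                partitions.append((ptype, start, count))
    return {"mbr_signature": has_signature,
            "partitions": partitions,
            "longest_printable_run": longest_printable_run(image),
            "entropy_bits_per_byte": round(shannon_entropy(image), 2)}


if __name__ == "__main__":
    plain = software_fde_image()
    print("software FDE, boot partition in the clear:", inspect_image(plain))
    sealed = controller_xor(b"controller-key", plain)
    print("same disk behind an encrypting controller:", inspect_image(sealed))
    print("controller with the right key restores it:",
          controller_xor(b"controller-key", sealed) == plain)
```

The first inspection shows a valid partition table, two entries and a bootloader string in the clear, so the existence and location of the encrypted partition are obvious; the second shows no signature, no entries, no strings and near-maximal entropy everywhere, which is the "entirely gibberish" case described above. The stand-in keystream is only there to make that difference visible; how a real controller derives and protects its key is outside this example.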