it's 20 megabytes of code- which strongly implies that it was developed by a nation with an advanced cyber-warfare capability.
The thing weighing in at 20 megs is not an achievement, rather it's an embarrassment showing total lack of craft. Much of the code in this thing is not the malware itself either, it's interpreters and support libraries to run it, and much of open source and otherwise stuff that serves other purposes. It's not an efficiently built thing at all.
The only achievement here if there is one is somebody managed to deliver a payload that large, so often undetected and reliably. I agree it looks state sponsored to me, only government contractors could create a turd this large and still polish it enough that it mostly worked.
Right but the assumption has always been they don't vandalize their own bots because the owners would then discover they are part of a bot net. That does not hold if the bot net owner is already dismantling the network, I don't know what motivation they have to not nuke the hosts entirely to ensure they don't leave any fingerprints.
The only thing I can think of is they may be concerned that if a large percentage of the public has their machines trashed all at the same time Joe Sixpack of Pakistani mangoes might wake up and start taking computer security seriously. Which could make future bot nets harder to construct.
We need something better. There was a buzzword utility that used to come with Dilbert's Desktop Games. What was neat is you could type a few sentences in plain English. It understood enough grammar rules and knew what part of speech the words you typed were that it could inject the buzzwords into your original text, obscuring but not really altering the meaning.
It usually left you with something ready to paste into the e-mail reply to your idiot co-workers. Usually that something was good enough to keep them busy parsing, and away from your cube, long enough for you to get another coffee.
Have you ever taken a crap job because you needed the cash (especially when you were younger)? You might not have, but many others have, and I wouldn't be surprised if many of the attendees at these trade shows have, too.
Well if you read the article they are getting paid north of $50 an hour. Even if they need the money it's hardly the case they are being abused. People should have the right to strike whatever contract they want with some very limited protections.
The reason this money is so good is because they have to be prepared to give the customer what they want. What the customer wants is for their customers to enjoy the fantasy these girls are attracted to them and at the same time be able to place themselves above them; in the hopes it will put them in a buying mood. I am not a woman but this job does not sound like much fun to me, but then that is why you can make $50+ an hour at it!
These 'models' know what they are getting into going in; it's hard to be especially sympathetic. Personally I think they should be happy that they were blessed with features that make this 'option' available to them when they 'need the money', plenty of other women and men alike don't have that.
You CAN cut a /64 into smaller subnets but you really should not do that. That goes double for things like an 'untrusted sid' where you don't control the clients. It works fine if you are doing all manual addressing or DHCP6 allocation but you will break the MAC based auto configure; which assumes the subnet is at least a /64.
I think we are talking about different things. I am trying to get at marketing droids attempting to answer questions like,
How many unique visits to our website did we get?
How many people who visited our flagship site ultrap0rn.com also visited our FaceSpace page?
How many days a week did Jon Doe surf ultrap0rn.com?
Did John Zoogle ultraDildos after visiting ultrap0rn.com?
I don't think in practice ipv6 is going to make this significantly easier or harder for them to do, or have much impact on the quality of their data; for the reasons I have mentioned.
In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).
No not really in a corporate environment you NEED to be doing application level gateway with or without NATing. Egress is just as dangerous as ingress. So you are going from FW NAT ALG ALG
And marketers would love the trackability down to the PC level
As I have explained before I don't see this giving marketers more or less capability than they had before. They are going to pretty much just assume that each /64 subnet is one person or family just like they assume that each address is today. Might it make it a little easier to see discrete devices, possibly but the good ones do that pretty darn effectively now, by simply also looking at host headers, referrers, and timing characteristics. Look at what a good web analytics package can do sometime; it's not perfect but they do a pretty good job of seeing through NAT unless you are taking pretty heroic steps to stop it.
They don't need to 'scan' anything to track you for marketing purposes they just log where the requests are coming from. When they process their logs they simply only look at the first 64 bits of any ipv6 address, and then enhance the reliability of the correlation that it's the person/device using the same tricks they use now, also including the user agent string, cookies, referrers, date times, etc.
You are not leaking much information of any real use.
Your routing tables beneath your gateways won't be visible to anyone outside. So they won't learn anything about your network topology.
If as I suggested you proxy everything, something you should do in a secure environment because you need to know everything that is going in and out, they won't see the address anyway! So they won't know you are using public IPs or not.
Even if you do leak that your internal addressing scheme is to use the public IPs without knowing the topology, and your company having at least a /48 it tells them exactly nothing about how to locate hosts. Think about it a /48 is still many orders of magnitude larger than the entire RFC1918 space today. It's too big to SYN scan if they have pwnd your gateway, and they can assume you are using RFC1918 address currently not too big to SYN scan.
So even if you don't NAT they still know LESS about your network than they do on ipv4.
You have many options, DHCP6, you don't have to use autoconfigure you can still assign all nice consecutive addresses to each machine if you like. Set up DNS that actually works and use the host names. Best yet and actually probably the easiest to do and still be secure both (dhcp6 server can do the DNS updates so the hosts don't need to).
This is not that difficult, and if you think it is you are in the wrong industry.
I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.
Addressable and reachable are two different things. I'd love to lose all the NATs around here.
One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.
Honestly it will make the firewalling and routing much more straightforward, easier to quickly understand the impact of changes on and therefore far more secure.
Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP.
You and the grand parent are missing the obvious outcome.
For the most part home users are going to end up with /64s some ISPs might be generous and hand out something bigger but I suspect most will decide not to do so in the end.
Does that mean you can put 1,50,100,1000,10000 addresses on a device, sure, but the network portion of the addresses will be the same. That network address is going to uniquely identify your household just like your full ipv4 address does today. Marketers will just assume that each /64 subnet is unique to a user or household. Just like they assume one ipv4 address is an entire household behind NAT.
It changes little to nothing with regard to trackability.
Right they want copyright to touch every part of 'our lives' and when 'you' buy blank media 'you' should pay a tax. When 'they' want to manufacture something and use GPL code 'they' think they ought be allowed to do so. When 'they' appropriate a photo or tune to use in 'their' works and sell it it's just fine, but if 'you' even make a copy of 'their' stuff for your own viewing; 'you' should pay. The law is for 'you' not for 'them'.
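An added example (not part of the original comments) of the log processing described above: it keys constructed access-log lines on the /64 for IPv6 and on the full address for IPv4, so rotating interface identifiers inside a prefix still collapse to one household. The log format, the addresses and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "<client address> <user agent>" per request.
# 2001:db8::/32 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2001:db8:1:1:a1b2:c3d4:e5f6:1 Laptop-Browser/1.0
2001:db8:1:1:9f3e:22aa:7c10:beef Laptop-Browser/1.0
2001:db8:1:1:211:22ff:fe33:4455 Phone-Browser/2.0
2001:db8:2:7:5c1d:9e0f:aa01:2 Laptop-Browser/1.0
203.0.113.10 Laptop-Browser/1.0
203.0.113.10 Phone-Browser/2.0
"""


def site_key(addr):
    """Return the grouping key for one client address (hypothetical helper)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # Drop the 64-bit interface identifier, keep the routed /64 prefix.
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    # IPv4: the single public address already stands for everything behind NAT.
    return str(ip)


def correlate(log_text):
    """Group requests per site key and collect what was seen behind each key."""
    sites = defaultdict(lambda: {"addresses": set(), "agents": set(), "requests": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        addr, agent = line.split(maxsplit=1)
        entry = sites[site_key(addr)]
        entry["addresses"].add(addr)
        entry["agents"].add(agent)  # secondary signal used to tell devices apart
        entry["requests"] += 1
    return dict(sites)


def summarize(sites):
    """Return (key, distinct addresses, distinct user agents, requests) rows."""
    return sorted(
        (key, len(v["addresses"]), len(v["agents"]), v["requests"])
        for key, v in sites.items()
    )


if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE_LOG)):
        print("%-22s addresses=%d agents=%d requests=%d" % row)
```

Three source addresses in 2001:db8:1:1::/64 reduce to one key with two user agents, the same picture the single IPv4 address behind NAT gives.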
We cannot have an informed discussion when so much is kept from us.
I agree, the only solution I see is to assume the worst. If our leaders can't operate with secrecy being the exception rather than the rule; we must assume they are tyrants unfit and unworthy to govern. We must assume their actions are contrary to the general welfare, and the founding principles of our nation and vote accordingly in elections and treat them accordingly in our day to day dealings.
That and while they use Chinese architecture, style, and cultural elements they don't generally seek to replicate precisely any particular town in China.
To determine if something is efficient or not you first need to decide what you are optimizing for. If electricity usage is your target no the move toward run time interpreters might not be great.
The thing is the more of the platform that is implemented as a collection of single use high performance machine code modules glued together with script code the more adaptable it is to my work flow. I don't have time to deal with all my information sources and various protocols I have to work with in C. Could I implement all that glue in C, yes, with enough wall time I could do that. Then again when Python/Perl/Ruby/Dialect abstractions exist I toss together a script that updates AD, our internal asset database, the HR system, and training/certification system to reflect the status change of 30 interns all in about 15min error free.
Might not work so well on my cell phone but it sure is nice on my laptop. Wall time is more valuable to me than added electricity cost per day.
Why is Windows Update using netbios? I thought the A record DNS results for update.microsoft.com and related were hard coded in the OS to prevent these sort of spoofing attacks.
Is this something with the WSUS based updating procedure?
Yes once in a great while you see a tiny glimmer of hope but not often enough. The former administration was slightly better in that they at least got Congress to authorize things, even if they boondoggled them to do it. The current admin has, let's see:
1. Orchestrated the passage of the Affordable Care Act in a way that was deliberately designed to prevent congress from reading it before the vote.
2. Given an American Car company to the Italians over the objection of the bond holders, despite the proper order claims under bankruptcy law. Going on TV and (this is provable) knowingly lying about the position of the bond holders and thereby slandering them as unwilling to help the nation.
3. Conducted a military action without congressional approval in Libya for more than 60 days.
4. Decided on their own Due Process, where it comes to the execution of an American Citizen, is met by simply talking about it amongst themselves.
5. Granted states waivers for the No Child Left Behind act despite the fact that the law does not specify a provision for doing so and they have no legal authority to fail to enforce the law in this way even if it is stupid.
I could go on and on but the above are the ones most people will be familiar with. Regardless of if in your view the immediate outcome of some of these actions has been positive or your feelings on the policy being correct. It shows contempt for our political system. It damages the rule of law and the strength of our Constitutional protections.
Over the long term it's bad for the nation. No simply voting a GOP at least the mainstream, or TEA party ticket is not the answer. There are good people on both sides of the political aisle who act with integrity. That is the answer voters need to set aside their short term agendas and elect people who respect our laws and system. We need to vote for people who look at our political framework as something to cherish and work within, rather than something to try and weasel around.
it hurts a lot of people a lot when a user ODs.
Maybe but it does not have to do. Those hurt people make a decision to give love and continue an emotional attachment to others who are undeserving of it have only themselves to blame.
We don't have "American Law" we have whatever your favorite executive agency decides to this week or worse with this person. That is the real problem.
It's not, that's just what the marketing droids wanted you to think. I would agree that it is about as much resolution as you can comfortably make use of; it's not like if text or other glyphs get much smaller you will be able to read them quickly let alone point at them.
What could improve slightly is the "quality" smoother looking rounds without jaggies, and perhaps cleaner color transitions.
The theory the FED operates under is that they are actually hurting Europe doing that. They think it protects the US export market by keeping products affordable for Europeans. To some simplistic extent they are correct.
Don't be fooled into thinking they are doing you any favors though. It's not about defending American jobs, and they are ignoring the consequence to the average Joe with a passbook savings account. This is really about protecting the equity, derivative, and insurance bets made by them member banks.
End the Fed
Even though Rand herself does not think so; the most salient arguments against it I have ever read are in "We the Living", it was her first, about something she actually knew and is nothing like her other books. I highly recommend everyone read it, especially if they vehemently dislike her other works such as "Atlas Shrugged." You will probably enjoy it and learn something about the nature of men under communism.
The problem is not communism, it's probably a fine political and social system for some space aliens some place else in the universe. It does not work well for humans though. It simply exchanges one system of class and privilege based on monetary wealth, birth, or both for a different one. Society must be run by people therefore there are politics. Under communism where and whenever it's tried men turn political clout and favor into first a new form of currency which they then use to get more of the old form of currency. Within half a generation you move from the prospect of a future "workers paradise" like Marx described to an authoritarian regime. Some people are lucky enough to be born (back to by birth) into good communist families and groomed to be future leadership everyone else becomes members of an under class.
With the added tragedy that production and resources (human and natural) are almost always badly allocated; corruption assures this even if you don't believe the invisible hand is the most efficient system of allocation. At least with capitalism society is crudely steered in the vague direction of meritocracy.
Communism is evil and it should be opposed whenever it is proffered as a solution. We must not be naive though. We have gotten along okay for about 2 1/4 centuries but there are problems with our system. Our freedoms and equality really are being eroded by corruption as well.
So I would argue the current system is broken. For all the energy, time, and money our government puts into accountability you'd think we would not be reading headlines about how the GAO (Government Accountability Office) itself misused all sorts of funds to throw wild parties. I am sure that the accountability processes and procedures and auditing do in fact prevent lots of fraud and abuse. The trouble is I am not sure they are cost effective.
You don't install a million dollar security system to protect a couple hundred thousand in other assets do you?
Perhaps accountability should be results focused. Did your office/department/bureau accomplish its assigned objectives using the funds allotted? If bSuccess goto :quit; Else DisciplineTheResponsibleParty(Audit());
In the end there may be a little moral victory in seeing the money not go out the door to fraud and abuse, but if it costs as much to prevent that as the fraud and abuse costs does it matter to the tax payer in the end? As I see it either way my pocket's been picked, and the money has been spent. I only care at that point society got the benefit it was supposed to get from that.
That is a really terrible SOP as well. I can promise this, if you enter my home legally or illegally and do deliberate harm to my pet you will have removed any possibility of the situation being resolved without additional violence. I don't care what uniform you have on, my response will be to defend my home and family inclusive of pets with any force that can be mustered.