Slashdot Mirror


User: pr0ntab

pr0ntab's activity in the archive.

Stories
0
Comments
571

Comments · 571

  1. And this is why: on Realistic Portrayals of Software Programmers? · · Score: 1

    And this is why the state of commercial software these days is as sorry as it is.

    Just make it work and screw the details. Great.

  2. Castrating Spammers on Dave Barry Answers Alert Slashdot Readers' Questions · · Score: 4, Funny

    Dear Dave:

    Would you mind repeating that backhanded comment on spammers in your weekly column that I get in the back of Washington Post Magazine? The: "yeah, let's buy your penis enlargers and getaway vacations," followed by: "CASTRATION!!!"

    I would photocopy it, hilite the relevant phrases, then mail it to as many spamhaus-related mailing addresses as I can dig up.

    PSYCHOLOGICAL VICTORY!!!

    Thanks, pr0ntab

  3. Speaking from experience: on Buying a Small, Light Linux Notebook Computer? · · Score: 1

    What you need is an IBM Thinkpad X30.

    It's got 2 USB, firewire, DVD/CD-RW slimline, builtin ethernet, ATI Mobility, 1024x768 14" screen, a PIII-M cpu at 1.2GHZ that sips power (almost 4h on one Li+ battery) and also doesn't burn your legs, even optional builtin Wifi. It is incredibly light, even the docking station (which is a little extra "layer" that holds the slimline CD/floppy and another battery). The footprint is smaller than most, but the reduced weight = happy hacking anywhere.

    Redhat 8.0 works divine on it (detects both batteries, wireless and IEEE1394). No messing around with it.

    Whole deal will set you back between $2000 and $2400.

  4. wahhht on TurboTax DRM Writes to Your Boot Sector?! · · Score: 2, Funny

    I think the point is that no one would do that because no one outside America would attempt to break TurboTax's DRM because they would never need to use it! (insert US-centric slashdot rant here) If you're still confused, people in Eastern Europe don't pay our Uncle Sam income tax.

    I mean, if you're going to break the law in umpteen countries by circumventing the copy protection, you might as well have a good reason! No amount of charity would make me touch that POS software with a 10 foot pole. (really, TurboTax is the pits, it's not even fun!)

  5. Re:Yes, but it's a matter of when. . . on UFO Evidence From SOHO Satellite · · Score: 1

    Those people that are in charge of the real game aren't really in charge of much. In fact, it seems to me that in the whole internally funded bureaucracies, no one person is in charge of much of anything significant at all! I'd bet that the most powerful men in the government are actually the Senators, and they'll tell you otherwise. But all the money comes from them, and they ultimately decided the fate of any agency and any projects suckling beneath them in the shadows. And the people running those projects are just doing it for a) the money b) ego trip, so they don't want the air supply cut off. It doesn't matter what the game is, they just want to keep doing what they're doing so they act covertly and hope no one notices them. Hey, free money, do whatever tickles your fancy. (Insert quote about $40 hammers)

    There is no conspiracy, only inefficiency, stupidity, pride, and secrecy (mostly to hide the first 3). And we likes it that way. I think THAT is something that hasn't changed for 50 years. :-)

    You should look for a job with one of us. We're all antisocial freaks, and we need company. What's the line, if you can't beat em, join em? ;-P

  6. It is a good idea however. on Dave Hughes' Campaign To Connect 6 Billion Brains · · Score: 2, Insightful

    If we could somehow distribute local WAP distribution points and everyone would have a common mode of connecting with reasonable transfer rates pretty much anywhere in the US, nay the world.

    OH WAIT THAT SOUNDS LIKE THE 3G CELLULAR NETWORK!!!
    ::hitting self in head repeatedly::

  7. ...roles of the various US government... on UFO Evidence From SOHO Satellite · · Score: 1

    Quick thing. I just want to lay something on the table about these supposed G-Men and people in the ivory towers.

    Let me just state that I work with an FFRDC and I have had some contact with the kind of people who you would consider "the key people".

    And frankly, they don't give a shit. They like to talk mostly about RADAR and RADAR avoidance. Which governments have access to which kinds of sensors, etc. They get hard-ons talking and speculating about that.

    A lot of them are geeks. A lot of them subscribe to us not being alone in the universe. And a lot of them have 5 year reviews necessary to keep their TS or COMSEC clearances. In that situation, you don't want them finding out you've been associating with Raelians or anyone with anything resembling a political or social motivation because you like your job and geeky toys. You don't want to lose credibility, funding, or be made fun of by your associates.

    So you ignore and just don't encourage any group who makes claims that you are involved with extraterrestrial stuff. It makes you too high profile and some guy with the money may not look on you so favorably next fiscal year, especially since you can't deliver and your harebrained project was probably stillborn.

    Even though it's all in a black box, it's still the same ol' bullshit. Quid pro quo, toe the line, make the Joint Chiefs feel safer.
    Really.

  8. A regular pony express rider for the 20th century on Dave Hughes' Campaign To Connect 6 Billion Brains · · Score: 3, Interesting

    He brought packet radio to the most remote places, Indian Reservations, etc.

    Or is that Johnny Internet-seed?

  9. All of those videos are fake. on UFO Evidence From SOHO Satellite · · Score: 1

    They're all promotional videos for Sci-Fi. I mean jesus: who the hell says this kind of stuff on a helicopter ride of the NYC skyline: "That's the World Trade Center?" YES YOU DUMBFUCK. Thanks for letting all us Sci-Fi viewers who don't live in NYC know where this video takes place. Also, there's a bug on your hand. AND THEY DON'T HAVE SHADOWS. Also they appear out of nowhere on the tablecloth. And the lighting for a crappy filming-the-family camera is "too good". The electrified fence one is the worst. HOLY SHIT HOW DUMB COULD YOU BE. I guess pretty dumb to think that one was real. Let me tell you, when you get electrocuted, THERE ARE NO FUCKING ARCING SPARKS. Also the fence is grounded SO WHAT THE FUCKING HELL!!!! WHAT KINDA MAGICAL ELECTRICITY IS THAT DUMB SHIT. I SO GODDAMN HATE THE SCIFI CHANNEL. IT IS BAD SCIENCE AND EVEN WORSE FICTION.

  10. Oh so it's not a goombah on Dissecting the Roomba · · Score: 1

    Because I was thinking about "poisoned chicken parmegian" and "ironic shootings" as soon as I read it.

    Ciao

  11. What? on New Generation of Cases? · · Score: 1

    The Sun Blade 1000 and 2000s have the motherboard oriented the normal way. The back is wider though because the power supply is huge and takes the whole "sidecar" portion of the case. There are some older HP cases like this.

  12. And DirectX is clearly a waif on LGP Announces Two More Titles · · Score: 1

    Right? I mean it's only 10+ Megs to download now...

  13. Firewire is to USB as SCSI is to IDE on Slashback: Embed, Dougal, FireWire · · Score: 1

    There is a reason for this distinction, by the way.

    Firewire (IEEE1394) is SCSI (scroll to the bottom).

  14. But the time spent is trivial. on Linux Security: Reflections on 2002, Eye on 2003 · · Score: 1

    Provided you:
    • Have a DMZ
    • Have a distribution for your application prototype
    • Have a reasonable approximation of a typical (or many) typical machines that would run said software prepared.

    Then, you simply take aside a sysadmin and teach her how to install your package. Give them pointers on how to do a good installation. Then, let them install it on the machines on the DMZ. Some other person will install your load testing utility on yet another server on the DMZ which will hammer the machines, simulating heavy usage conditions. You will already have this tool too, if you have been testing your code.

    Finally, do other important things. Every once in a while, check to see what, if anything, has happened to your honeypots. If they have been poked and prodded at regularly, you will ONLY then spend the additional time analyzing it for faults, break-in attempts, etc.

    Moreover, if the simulated load tool suddenly complains it can't talk to your application, then you switch focus and do a postmortem analysis of the dead machine on the DMZ. You can probably discover a quick fix or weak point right away.

    The chance that you may have such a situation is valuable, and so is the knowledge that (provided the machine has been sufficiently poked at and finagled with) it is resistant to, at least, unimaginative adversaries.

    The key is to not put more than enough effort into the application than is necessary. For certain apps, certainly the honeypot test is overkill, or unnecessary. But there will be other cases where you can dedicate a small portion of time to the setup and monitoring of a production machine, to see how it currently resists real-world stress. The question is at what point does the early testing outweigh later struggles with security updates, errata, patches, and that ilk; those things that will be discovered after it deploys.

    Of course, no app will gain critical attention until after it's released and it becomes widespread, and there it will meet the most sophisticated attempts to break in. But you don't want to give anyone the wrong first impression, when your software gets trivially borked in that first month.

    Finally, the code audit will reveal whether you have used best practices and your code meets the specs. But it won't tell you when your specs, requirements or best practices are wrong from the start. E.g., there is nothing wrong at all with in.rshd, it's a tank. You can throw anything at it, and it behaves exactly as it should. But its assumptions about the operating environment (a secure network where no one can have a privileged port) are a pipe dream. Thus, it is trivially hijacked and exploited.

  15. please mod up on Lord of the Rings, as Written By Everyone Else · · Score: 1

    ::laughing so hard it hurts::

  16. Near the end, end of honeypots?! on Linux Security: Reflections on 2002, Eye on 2003 · · Score: 4, Insightful

    He says that he predicts (and hopes) that the practice of using honeypots, etc. will decrease; that it only serves to illustrate to managers that security will be breached. Thus, we can assume that all sufficiently weak security will be breached eventually, ergo this practice is useless.

    He forgets the other valuable feature of honeypots. You can deploy prototype installations and observe the kinds of attacks in the wild, to get a feel for the capabilities of the adversary. These techniques change over time, and that information is invaluable when determining where effort needs to be focused in a security plan for your product.

    This short-sightedness casts doubt on some of the other parts of his essay, other than on the obvious points (to us at least, those involving Microsoft, Hollywood, the man keepin us down, blah blah blah)

  17. Wrong on Slashback: Disputes, Clones, Audio · · Score: 1

    If, heaven forbid, someone associated with the FSF released a VB workalike then:
    • If the guilty party had any sense the usage of widgets and controls would fall under the LGPL. Furthermore...
    • Applications developed with it would fall under the license associated with the source code of the user's choice, as is the case with GCC

    Thus, all is well, you can use the tool, and no worries. But what you CANNOT do is make a tool based wholly or in significant part on it and not make THAT tool GPL.

    Same thing with "SLIDE". (LGPL for API linkage, GPL for source derivations). Doesn't this seem natural, anyway?
    also note: mmmmm 4d.

  18. Luxury PC on Wahoo P4 Stratagem System Review · · Score: 1

    If this thing had a bunch of niceties that made it more pleasurable to use, or was bundled with something that did something surprising or innovative, then you could call it a luxury PC. But as far as I see it, this is a "sports coupe PC" and not a very exciting one either. Why the fuck do they need water cooling for a 2.8GHz->2.9GHz overclock? It doesn't come with an HDTV capable video card, nor a Composite/S-VHS interface. I don't see a nice monitor in the bundle. No built in microphone bundled with voice recognition software. And a fucking Audigy. That's the crappiest prosumer sound card in existence. Not even a friggin cupholder. Oh, but cold cathode lights. Now we are living in style.

  19. on the issue of SPARC vs. rest of world on SGI launches R16000 · · Score: 1

    Sun's UltraSPARC III Cu tops out at 1.05Ghz last I checked. Does that mean that the P4 at 3Ghz stomps the hell out of it? If you said yes, you are a fucking idiot.

    Then you have never experienced an UltraSPARC III Cu side by side with a decent x86 system. While it has a huge amount of cache, it is SLOW SLOW SLOW. Matlab (with float heavy code) is at worst 50% faster on a lowly 1.67GHz (MP2000) Athlon compared to the 900MHz USparc III. It gets smoked in integer performance, but does better clock for clock in FPU usage. Alas, overall, it is about 40-50% "better" on a MHz basis. In my experience, the 3GHz PIV (Xeon, mind you) stomps HARD on the USparc. It's embarrassing.

    The 1.0GHz is about on par with a 2GHz PIV. And that's the uber-blest 8MB of L2 cache version. Cheaper ones don't fare so well. High memory bandwidth on Athlon MP and PIV Xeon systems help make up for cache shortcomings.

    I like the SPARC instruction set and the impressive FPU speed attainable on low GHz cores, but it is entirely too expensive and it doesn't pack enough oomph for smaller (4-way) servers and workstations. The same can be said for the various iterations of the R10000 series in workstation environments (to keep from going entirely offtopic here).

    And in bigger configurations, IBM's Power4 architecture makes it look like a toy too. :-{

  20. Harumph! I Use UUCP on Web Enabled Spacecraft · · Score: 1

    You young whippersnappers with your Ethernet and DECNet and Fidonet. ::shaking fist::

    Why, my internet connection still consists of handwritten shell scripts carried by carrier pigeon to a local University where a peon scans it in using OCR. They are then copied via UUCP (over a noisy landline, 600 baud!!!!) to a machine on a frame relay circuit. The results of my jobs are printed on a line printer and are mailed via UPS in huge boxes.

    And it's all in EBCDIC, with 2 PARITY BITS.

    Also my beard is 3 feet long. Thank you.

  21. Combination solution. on Known-Good MD5 Database · · Score: 3, Interesting

    Ideally, a simple tool should be developed that does the following:

    Compare the MD5sums of critical files to a recent known "snapshot" of the system on RO media, which only indexes files that were changed and reconciled. Perhaps there is a list of files of which only certain byte ranges (perhaps just executable ELF sections) are checked, and some are omitted. (Other slashdotters mention caches/timestamps in certain relevant files that screw up checksums). You would have a whitelist (files which must match), then a graylist (files which meet byte-range criteria), and perhaps even a blacklist that prevents files that would normally be flagged to be ignored.

    In checking full file checksums, those not explicitly listed above would fall back to a check using an HTTP GET request conforming to this helpful document these guys have offered.

    And to those who were asking about other distributions: they are looking for people willing to work with them to add new distros/architectures to their database.
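
The whitelist / graylist / blacklist check proposed in the "Combination solution" comment above, sketched as an added example (not part of the original comment or of any project it mentions). The snapshot is held in plain dictionaries rather than on read-only media, the `lookup` callable is a hypothetical stand-in for the remote known-good query, and all file names and contents are constructed.

```python
import fnmatch, hashlib, os, tempfile

def md5_range(path, start=0, length=None):
    """MD5 of a byte range of a file (the whole file when length is None)."""
    with open(path, "rb") as f:
        f.seek(start)
        data = f.read() if length is None else f.read(length)
    return hashlib.md5(data).hexdigest()

def check(paths, whitelist, graylist, blacklist, lookup=None):
    """whitelist {path: md5}; graylist {path: (start, length, md5)};
    blacklist: glob patterns; lookup(md5) -> bool stands in for the remote query."""
    report = {}
    for p in paths:
        if any(fnmatch.fnmatch(p, pat) for pat in blacklist):
            report[p] = "ignored"          # never flagged
        elif p in whitelist:               # whole file must match
            report[p] = "ok" if md5_range(p) == whitelist[p] else "MODIFIED"
        elif p in graylist:                # only the listed byte range must match
            start, length, digest = graylist[p]
            report[p] = "ok" if md5_range(p, start, length) == digest else "MODIFIED"
        elif lookup is not None and lookup(md5_range(p)):
            report[p] = "ok"               # unlisted, but known-good remotely
        else:
            report[p] = "unknown"
    return report

def demo():
    """Constructed sample files: snapshot, tamper, re-check."""
    d = tempfile.mkdtemp()
    def write(name, data):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        return path
    ls = write("ls", b"\x7fELF-code-v1")
    app = write("app", b"CODECODE" + b"stamp=0001")
    log = write("run.log", b"line1\n")
    tool = write("tool", b"vendor-build")
    whitelist = {ls: md5_range(ls)}
    graylist = {app: (0, 8, md5_range(app, 0, 8))}
    known_good = {md5_range(tool)}         # stand-in for the remote database
    write("ls", b"\x7fELF-code-TROJAN")    # whole-file change
    write("app", b"CODECODE" + b"stamp=0002")   # change outside the checked range
    write("run.log", b"line1\nline2\n")    # blacklisted
    r = check([ls, app, log, tool], whitelist, graylist, ["*.log"], known_good.__contains__)
    return [r[p] for p in (ls, app, log, tool)]
```

The graylisted file passes because only its first eight bytes are covered, which is exactly the trade-off of byte-range checking: anything outside the range is unverified.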