If you have more than 10-12 rules, then state table lookups are faster on OpenBSD pf. In addition to this, you may instruct pf to optimize the ruleset.
As for SYN-floods, you will have problems even if you don't use a packet filter ;-) However, the OpenBSD packet filter has options (down to specific rules) to help deal with SYN-floods.
that although Slashdot regulars generally are in a "minimally conscious state", for rewiring to occur there must be something to rewire in the first place.
> But when? The times logged by smart are aggregates (e.g. time under load) and aren't pegged to an external clock.
I objected to the statement that no trace was left that the hard disk had been accessed when booting from a CD. If the user kept logs, it should be possible to determine that the hard disk has been accessed, though you probably cannot conclude that it has not.
> Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.
What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled. I'm sure that this information is helpful.
In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.
if you already know your backup needs, know the applications you are using for backup, know how to configure the applications and don't do any testing that your backup actually works.
> Since in the American concept of justice, one is not innocent until proven guilty,
> if Bush is not indicted, then he cannot be said to have broken the law.
So, no indictment implies that no law is broken? You really believe that?
> Do you honestly think that the Hague would indict an American for war crimes?
They may very well do so.
> And even if Bush were indicted, do you really think that anyone would try
> arresting him when the Marines would immediately be sent in to kick ass and
> retrieve the president?
It's unlikely that they'll indict Bush and his cronies while he is in office, but hey, there is no limit of stature for War Crimes. Note that the Bush Administration has bullied many states into agreements of not delivering US citizens (officials only?) to the International Court in The Hague. This is an attempt to protect themselves from persecution of their war crimes.
> Illegal according to what law? You know that when they are attacking other countries they are not required to obey the laws in that country.
Invading another country, when not in self-defense, is a war crime ("supreme crime") by the Geneva conventions, and the USA has signed those and is bound by them. War crimes carry the death penalty in the USA. As an invader you are also required to follow local laws, with some exceptions. Of course, the invader may make new laws, but they may be illegal as well. Instituting new laws in order to loot Iraq is not legal, and you might have noticed oil companies' reluctance to invest there...
"Could it be that they were intending to monitor domestic calls (and internet traffic) all along, and the 'Global War on Terror' was just a convenient excuse when they got caught?"
Of course the so-called "War on Terror" is just an excuse! Before the illegal invasion of Iraq, no terrorist groups were based there, but look now! This was widely expected to happen. So the current Administration has increased, not reduced, the risk of Americans being victims of terrorists.
> I was also a Corel Linux beta tester and signed NDAs - the bugs I reported carried through into the final versions and that meant that you couldn't boot the distro on certain hardware :(
Did you sign an NDA just to test someone's applications? Assuming that you got binaries and not source code so that you could build yourself.
Re:Linux and other Unix FSes (on "EXT4 Is Coming", Score: 3, Insightful)
> I'm as big a Linux fan as anyone, but one glaring thing that it needs is some better filesystem tools.
I'm pretty certain that Linux would have better filesystem tools if the developers could resist adding a new filesystem every few months.
>> It has incredible hardware support for a Linux distro.
> That line makes no sense to me at all.
> Linux has had incredible hardware support for many years now, and it's all built in.
I too wondered about what was meant by that. Quite possibly it is that the Linux distribution includes binary-only drivers to use hardware from hardware vendors that don't care about their users (NVidia, for instance).
> Look at all of the psychopathic kids who go online to "talk" about their problems with others of similar like mind.
I think that you are just talking out of your arse. A psychopath does not go online unless it is to maintain/create control, and I find it difficult to believe that any medical professional would encourage such a "mailing list". Of course, any psychopath is unlikely to participate in the first place ;-) If you want to have examples of modern day psychopaths, have a look at part of former Enron management.
> it's not the bleeding edge that bothers me, in fact I like it with the software, but I want a stable base for it
Fedora Core is more or less beta testing of software that may eventually end up in Red Hat Enterprise. So by the time a new (say, kernel) feature is part of Red Hat Enterprise, it has been widely tested in Fedora. This means that Fedora is not very stable, but many (most?) Fedora users find this very acceptable.
If you want to have a stable base, then you should use another Linux distro or one of the *BSD.
Ah yes, thanks for reminding me. A change of name does not make ethereal/wireshark more secure, though. I am surprised that a tool with so many security problems is so popular among "security users".
I also use tcpdump (and, for more complex tasks, ethereal) very often when debugging network problems.
Ethereal was the second most popular tool in the 2003 survey, but this time it did not even make it on the list for 2006. Not surprising, considering its bad security history.
That was the impression during that time, though Raadt was later on giving public recognition for this (2004 FSF Award). I do not imply that Linux developers do not care in general.
> Drivers developed under the constraints of an NDA are usually released as blob, no?
Not always. There are several drivers in the Linux kernel with docs under NDA. UltraSPARC III support, for instance. Drivers written with docs under an NDA are the open source equivalent of a blob.
> BLOBs are bad, and their legality in the kernel is questionable.
> Of course really free drivers that let us extend devices are better.
It would be helpful if the Linux developers would be more supportive of OpenBSD's work on getting hardware manufacturers to release documentation that is not under an NDA. When OpenBSD had the campaign for release of wi-fi chipset docs, it seemed that the Linux developers were sitting on the fence.
I think the problem is that the BSD code may not be considered "clean room" by the Linux people, hence it's "dirty" (not my opinion) and not to be touched. You can probably trace a lot of this obsession to the SCO lawsuit.
But developing Linux drivers with documentation under NDA is popular, though.
If the Coverity (google: coverity ethereal) results are any indication, things have gotten somewhat better; I'm not sure if any of the BSDs have changed their minds.
Revision 1.4, Wed Jul 14 21:52:26 2004 UTC (22 months, 3 weeks ago) by pvalchev Branch: MAIN CVS Tags: HEAD Changes since 1.3: +0 -0 lines FILE REMOVED
Remove ethereal from the ports tree. Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist.
Maybe someone will at least privilege separate this one day, and then the OpenBSD stance with respect to this may change.
Encouraging people to run broken software by distributing packages with known security holes is not desired by any of us.
I don't know why people give so much credence to Coverity. I don't see how it could possibly know what are bugs and what aren't. Didn't mathematicians and computer science people show this already as the Halting Problem? "Bugs per line of code" from a program is a ridiculous measurement to use.
The Coverity program is useful for detecting some types of bugs in C and C++ programs. The OpenBSD developers have recently put effort into making lint more useful, i.e. not letting you drown in false warnings.
I've never used Coverity since it's impossible to get the program, but it wouldn't surprise me if it called anything that wasn't safe or good coding style a "bug". Like, yell at you if you use "strcpy". Or if you don't check for a NULL pointer when it can't be.
There are some open source tools for this, like lint, but you will easily be drowned in warnings. On OpenBSD, gcc/linker has been enhanced to detect certain types of problems (like format errors in printf, or use of strcpy).
> It is trivial to copy the contents from a hard drive and leave NO sign that the data was read.
So you claim, but if S.M.A.R.T is enabled, then for sure you have left traces that the hard disk has at least been booted.
The article is nothing but a stunt.
Notice how the Bush Administration tries to avoid being persecuted for war crimes:
http://www.zmag.org/content/showarticle.cfm?ItemI
That article does not even contain the word "psychopath". Did you even read it? If so, you surely did not understand it.
can be found by reading the man pages
From commit message removing Ethereal: