I've always used the idea of an act such as that as a piss take for whenever we see hacked boxes that are clearly the user's fault. Obviously such an act would never come into force and nor would I support it (except on 1st April). On the whole theft of details business I'd disagree over it being worse to steal details than making them available. Banks are always blaming their customers for leaving details in bins and so on yet when they make such a monumental fuck up all they do is get the person prosecuted (good thing, I'd agree) and quite happily sweep it under the carpet. They've made it easy for someone to do it so they have. Crime pays, however the cost to the criminal also increases as it gets harder - organised criminals are businessmen - if it doesn't pay well enough they're not going to do it.
So going back to your analogy of leaving a car unlocked (with the keys in too?) would you get any sympathy from the Police or insurance company? Oh no, you'd be laughed out of the building and charged far more on next year's premium. Sorry, that's wrong - you'd lie and make a claim increasing everyone else's premium.
But what about the companies that send data in clear down an insecure medium?
Perhaps it is time our government created another act (Yes, I know we've got too many) which would be called the 'Computer responsible use act' which bans anyone from sending sensitive data in clear, bans all non-Bluetooth wireless keyboards and makes it an offense to have an unpatched machine on the internet.
Ok, what he did was illegal however what the ATM makers did is far far worse. So which banks care about ID theft?
Too right. The article is the biggest load of crap I've seen since I saw a herd of rhinos having a dump. I can't see any good reason for this research unless Telefonica and the others involved really hate Verizon as they've got a big head start.
The figures they quote are silly - 50 cat 3 pairs have 10Ge of bandwidth whereas the last bit of the fibre run has a total of 2.5Ge. They're completely different figures - the copper itself goes back to an exchange and so they take each bit a long way. If the fibre did that each house would get OC-192 or 10Ge without a problem. In the fibre model the fibre goes back to a road side cab and is combined into a single high bandwidth connection to a PoP - of course there isn't much bandwidth (although 2.5Ge is complete bollocks) however if each fibre was like a phone line and went to a big PoP there would be huge amounts (over 40 Ge each if we all had a Cisco CRS-1 or Juniper T640 in our living rooms).
So when did MUDs last give you a shell on the host that allowed you to directly access any of the file system? Sounds like those have a fundamental design flaw too.
Obviously as I'm not a 1337 h4x0r I've got little chance of understanding the techniques you use to hack anything.
Write to one - the wiretap is bound to pick it up and everyone will see it.
Actually, that's crap, they won't because there are no wiretaps in the states, there never have been and my mate George is the best man to have lived and done so much for maintaining a free and fair country.
Certainly is a big mistake. Likewise not changing the root password after installation is a bad thing just because installers log so much. Come to think of it, it wasn't a root password that was stored, it was the password of the first account which happens to have full sudo rights. In fact, it isn't that bad - I mean you can't exploit it remotely, you need an account on the box before you can which also means it has to be running as a multiuser system. How many people currently use Umbongo as anything other than a personal workstation? Not many; how many that do still leave the first account as the one with sudo access? Even fewer.
This is not a serious problem as far as things go - it isn't a remote exploit. Just look back in history... ssh.com version 3.0.0 - now that was a big problem. Log into an account with a null password remotely just by giving the username. That is a security problem. Another is the network management software vendor that ships with tftproot set to being / and leaving the server running as root with no firewall, which also comes with a default account to ssh into but that's all ok because it tells you in the manual 783 pages into it.
I'll admit it was careless however in the grand scheme of things I would expect roughly zero machines to be rooted because of it compared to how many because of misconfigured or insecure services?
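The post above argues that a password left in an installer log is only a local problem, and only if the first account still carries full sudo rights. The audit below, added here as an example and not code from the thread or from any distribution, checks exactly those two conditions on constructed input: a made-up debconf-style installer log, made-up /etc/passwd and /etc/group contents, and an assumed list of sudo-granting group names. The log format, file paths and account names are all assumptions.

```python
"""Local credential-exposure audit (added example, constructed data only).

Two checks mirror the forum post's reasoning:
  1. does the installer log record a credential in clear?
  2. does the first regular account (lowest UID >= 1000) still belong to a
     group that grants full sudo rights?
Only when both hold is there a local privilege-escalation path.
"""
from typing import Dict, Set

# Constructed sample: a debconf-style question log in which the installer
# stored the first user's password in clear (assumed format, not a real file).
INSTALLER_LOG = """\
Name: passwd/username
Value: alice
Name: passwd/user-password
Value: hunter2
Name: passwd/user-password-again
Value: hunter2
Name: mirror/http/hostname
Value: mirror.example.invalid
"""

# Constructed /etc/passwd and /etc/group contents (not from any real host).
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

GROUP_FILE = """\
root:x:0:
admin:x:115:alice
sudo:x:27:alice
users:x:100:alice,bob
"""

SECRET_WORDS = ("password", "secret", "token")


def find_plaintext_secrets(log_text: str) -> Dict[str, str]:
    """Return {question_name: value} for every Name:/Value: pair whose final
    path component names a credential and whose value is non-empty."""
    found: Dict[str, str] = {}
    current = None
    for line in log_text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):].strip()
        elif line.startswith("Value: ") and current:
            value = line[len("Value: "):].strip()
            leaf = current.rsplit("/", 1)[-1].lower()
            if value and any(w in leaf for w in SECRET_WORDS):
                found[current] = value
            current = None
    return found


def first_user(passwd_text: str, min_uid: int = 1000) -> str:
    """Name of the lowest-UID regular account, i.e. the one the installer created."""
    best = None
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if uid >= min_uid and (best is None or uid < best[1]):
            best = (name, uid)
    return best[0] if best else ""


def groups_of(user: str, group_text: str) -> Set[str]:
    """Supplementary groups listing `user` as a member."""
    out: Set[str] = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        if user in [m for m in fields[3].split(",") if m]:
            out.add(fields[0])
    return out


def audit(log_text: str, passwd_text: str, group_text: str,
          sudo_groups=("sudo", "admin")) -> dict:
    """Combine the two checks; `sudo_groups` is an assumed list of groups
    that grant full sudo rights."""
    leaked = find_plaintext_secrets(log_text)
    user = first_user(passwd_text)
    privileged = groups_of(user, group_text) & set(sudo_groups)
    return {
        "first_user": user,
        "leaked_keys": sorted(leaked),
        "sudo_groups": sorted(privileged),
        "local_escalation_path": bool(leaked) and bool(privileged),
    }


if __name__ == "__main__":
    for key, val in audit(INSTALLER_LOG, PASSWD_FILE, GROUP_FILE).items():
        print(f"{key}: {val}")
```

The remediation implied by the post follows directly from the result: scrub or restrict the log, and move day-to-day use off the installer-created account so it no longer sits in a sudo-granting group.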
In the UK where BT rule the DSL market home multicast via an ISP has to be converted to unicast at their core because BT do not have multicast enabled DSLAMs. Many of the LLU companies now have multicast capable DSLAMs so for them it is in their interests to provide multicast to home users (and then charge them for the stream) allowing much better use of their bandwidth.
Of course, Universities on SuperJanet have access to multicast streams from the BBC and various others. It is a service that now I'd miss a lot.
This could be a good time to move back to the mainframe days - PoE is unlikely to provide enough power to power your dual P4 HT machine and your flat panel. How about powering your flat panel and a rather feeble machine allowing you to remote desktop etc to the more powerful shared central servers?
How many people genuinely need the power that modern desktops have except for running windows? I rarely use my P4 2.8GHz to its full even running vmware and fedora bloatware even with fairly serious logging and log handling running on it. For the average user a thin client is ideal which I believe could be made to run well on PoE.
That said - be wary of moving to PoE where some devices still run on non-PoE kit. Should you be using HP Procurve 2650s and Cisco 7960 VoIP phones (probably all Cisco VoIP phones) with some wiring that isn't reliably labeled and a student happens to decide to move a phone to a non-PoE socket you could have a crippled network. Why? Well Cisco VoIP phones short tx and rx when not powered up (correct behaviour, I understand). Procurves bring the port up in full duplex mode if they detect a link (should be half duplex). They then decide it is safe to bring that port up (after spanning tree has done its business) quite happily passing packets back into the interface where they just came from. No matter what configuration options you do on a HP they'll destroy your network in one easy step. Spanning tree doesn't see it as a problem as it is on the same port therefore the downstream device should deal with it.
Anyway, rant over for the time - I'm sure HP TAC will come back to me again saying how it is a Cisco problem. My trusty shorted network lead also causes the same problem on Procurves yet no other vendor's kit.
15 Watts is enough for anyone just like 640 kilobytes of RAM was...
More seriously running gig over fibre will only get you 550 metres on Multimode and AFAIK no vendors currently do 10gig over multimode fibre so any 'future proof' installation is going to be single mode. This is much more expensive to install and terminate than multimode. In the medium term Cat5e or cat6 is ideal for building installations. How many office blocks do you know that run fibre to the desktop?
Too right! The university I work at has an MBA scheme - the department claims it is the best in the UK (don't they all!) however the support headache from them is massive so I hate them before I try and sort their problems...
My degree is in Environmental Science however I now work in building one of the UK's largest deployments of mixed media WANs in some of the most wireless hostile parts of England along with some of the worst weather.
Of the people we employ in networking the bulk of the senior ones have Natural Sciences backgrounds with only one out of 6 with a computer science degree (2nd time of asking too). Of the newer people the bulk are computer scientists however knowing the theory doesn't appear to help them with being able to make radios talk or routers route. Interestingly, all of the ones that can get their heads round all of our network are dyslexic, the ones who aren't have real problems and often cannot find a solution to many problems.
Go out with your CS degree (now I've slagged them off a bit) and get experience. An MBA isn't going to help do a technical job, in fact any degree isn't going to help after your first.
And the most use I make of my degree? I know when it'll piss it down so I make sure someone else goes to climb the radio mast...
The low tech problems have made migrating to a moving block system like that used in TGV networks in France impossible. The use of GPS to give speed and location is certainly a good option for making moving block signalling a real option on the UK's somewhat knackered railway network.
Currently the UK runs on a fixed block system whereby the maximum speed on the line determines the separation in terms of blocks. This is inefficient and causes corners to be cut. Moving to a 'Moving block system' whereby the speed and location of the train is used to work out where is safe gives a much higher utilisation rate of track and as a result saves money and reduces the risks of corners being cut.
France have had it right for a long time, if only we British could swallow our pride and use their system.
I saw several meteors between 11pm last night and 2am this morning on the North Wales coast while doing some field work on some lagoons there (don't ask, Ok). It was certainly the best view of meteors I have had, made even better by seeing some reflections of them in the pools.
In Somerset you will certainly be able to see them unless you're:
a) in a town centre
b) standing below a street light
c) It's cloudy (Yes, I know someone who spent hours looking on a cloudy night)
d) blind
e) unlucky
It might take a while and don't expect to see one in 5 minutes - I was lucky last night as I'd forgotten about it until I saw a streak across the sky and started to look. I was also unlucky as my welly leaked and it wasn't all that warm last night...
Limax Max (a geek who gets out - almost)
Certainly evolution is the way. All our new telephones are carried by standard multicores to our comms rooms and then over cat5 to offices/student rooms. This allows us to jump to VoIP when the time is right without having to rewire or add new structured cabling.
We do have a VoIP system in place for some of the new bigger building projects on site which is being very successful but is currently running on a physically separate network - We don't like windaz boxes on our network...
I think moving over purely to VoIP and not having the copper there is a dangerous thing as was proved to me only yesterday when some builders who are building about 5000 student rooms dug through one of our fibre ducts and due to other things can't get the fibre fixed for a few days. Luckily the telephone copper goes on a different route so with a pair of EPS8 SDSL units we've now got 4.6 Meg into a comms which (if it was purely VoIP) would have had no phones or data for several days. Thanks Jarvis ;)
Equally, another institution we are involved in, which has many remote sites (which we provide the connections to), has decided to move purely to VoIP without understanding the consequences of using VoIP to sites which are connected by congested links. Their consultants (who have now been fired) said 'Oh, just get your provider to turn QoS on in their network, It will just work'. Clearly neither had any concept of VoIP requirements on link characteristics or the difficulties in turning QoS on in a large network using various technologies with very finite bandwidth.
Looking very much on the bright side... When their remote sites want to report a network problem to us they can't as mobiles don't work there and they've got no old fashioned telephones :)
VoIP - the network administrator's dream - when it goes to shit you can work on it without being hassled by users.
I'm rather surprised it's been lost for several reasons. The recent upgrade to 3 sites (one at a Janet core PoP in Reading which has multiple gigs into it) was a huge boost for performance which wouldn't have happened if the mirror service was going to lose out quite so soon.
The experience of the UKMS team is huge, the connectivity to the UKMS nodes means that any one university should be no more than 4 or 5 hops from the nearest UKMS node and most importantly it is all within Janet. No matter how many links outside of the UK are lost you can still get your Linux distro.
Likewise I did my degree at Lancaster and know a lot of the past and current Mirror Service staff however any service such as UKMS is doomed when it has more managers than technical people. UKMS had a ratio of about 2:1 in Lancaster, I don't know about Kent.
It's just a pity it is going just before Lancaster gets its new fast 'net connection. Perhaps a better way to save money by JANet is to provide porn mirrors at every institution...
Tell me of this University. I work for one of the UK's leading network research universities with the largest WAN of its type in the UK and typically work 10-11 hour days 6 days a week and get paid very little for it, get minimal training and a lot of grief for not connecting our target of 50 new sites a month.
If I do not leave the country for a holiday it'll probably end up being cancelled or I'll work it all just to deal with the problems of doing things on the cheap - that is routing a 700 site WAN with HP Procurves and static routes. (ok, that's just in jest, but it'll come soon)
Now I'd love to see anyone in industry who gets paid less per hour worked than we do. Even the students that fill the printers on campus get more per hour than us networkers.
Next move for me is to a research charity to stay at the cutting edge of science yet lose some (most) of the commercial crap that our institution has given us yet keep the benefits of academia.
Anyone want to employ a networker with multi-vendor experience in a mixed media WAN/LAN environment?
Many places seem to refer to magic healing properties of waters from some springs or rivers. Probably most notably as sites of religious significance. Could it just be that these waters have very high levels of the reovirus? I mean that would explain why some places can 'heal' diseases and lose the religious aspect which I've always believed has been a psychosomatic healing rather than a real benefit.
Of course as we are all good network administrators we'll have all the management addresses of our switches on a separate vlan with access restricted to only network management stations. Likewise with routers, blocking direct access to all the interfaces except your management interface (which is from a serial switch). I mean how brain dead do you need to be not to do this?
Now where did I hide the crate of redbull and list of routers...
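The post above describes the control the worm story hinges on: management addresses on their own VLAN, reachable only from management stations. The script below is an added example, not the poster's configuration, that checks such a policy before it is pushed to a device. It implements the matching semantics of Cisco IOS-style extended access lists (first match wins, wildcard masks where a 0 bit must match, implicit deny at the end) and evaluates a constructed ACL against a set of probe sources. The management subnet 10.99.0.0/24, the switch address 10.99.0.10, and every ACL line are assumptions made up for the example.

```python
"""Management-plane reachability check (added example, constructed policy).

Evaluates Cisco IOS-style extended ACL lines offline so an administrator can
confirm that only the management VLAN can reach a device's SSH and SNMP
ports before the ACL is applied to the management interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL: management VLAN 10.99.0.0/24 may reach the switch on
# SSH and SNMP; everything else is dropped (the final deny is explicit here
# but an IOS ACL denies implicitly as well).
MGMT_ACL = """\
! management stations only
permit tcp 10.99.0.0 0.0.0.255 host 10.99.0.10 eq 22
permit udp 10.99.0.0 0.0.0.255 host 10.99.0.10 eq 161
deny   ip  any any
"""


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: int               # source address as an integer
    src_wild: int          # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: int
    dst_wild: int
    dport: Optional[int]   # destination port, None means any


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse ACL lines; '!' starts a comment, blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src, src_wild, i = _parse_addr(t, 2)
        dst, dst_wild, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, src_wild, dst, dst_wild, dport))
    return entries


def _match(addr: int, base: int, wild: int) -> bool:
    """Wildcard-mask comparison: bits where the mask is 0 must be equal."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the ACL permits the packet; first match wins, implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _match(s, e.src, e.src_wild) or not _match(d, e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def exposed_sources(acl: List[AclEntry], mgmt_host: str, mgmt_net: str,
                    probes: List[str], services=(("tcp", 22), ("udp", 161))) -> List[str]:
    """Probe sources outside `mgmt_net` that can still reach a management service."""
    net = ipaddress.IPv4Network(mgmt_net)
    leaks = []
    for src in probes:
        if ipaddress.IPv4Address(src) in net:
            continue
        if any(evaluate(acl, p, src, mgmt_host, port) for p, port in services):
            leaks.append(src)
    return leaks


if __name__ == "__main__":
    acl = parse_acl(MGMT_ACL)
    print("leaks:", exposed_sources(acl, "10.99.0.10", "10.99.0.0/24",
                                    ["10.99.0.5", "10.1.2.3", "192.0.2.7"]))
```

Running the check with a weakened ACL (say, a stray `permit tcp any any eq 22` added above the deny) makes every probe outside the management VLAN show up in the result, which is the kind of mistake the post's "how brain dead do you need to be" is aimed at.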
For the most part I fully agree. A firewall is useless as it gives people a false sense of security.
Recently I saw a box that had been rooted via ssh and the owner of it asked if we could protect it with a firewall yet he still wanted access to it from his DHCP based dialup without the hassles of using a VPN. This was someone who is highly computer literate however has been sold on firewalls as a perfect solution by many sales droids. He wouldn't have been protected by a firewall in the ssh case.
This worm got into our network via a DMZ owned by a department that wanted a DMZ for 'research'. Why they ever had a Microsoft box on it is a mystery and why it hadn't been patched for 6 months is something else.
In my view security should be done at the edge and only very simple security in the core. The only problem is that you need users with clue > 0 who can set up personal firewalls properly. Sadly I am yet to see a decent iptables type firewall for windows.
Things are getting easier with layer 3 switches becoming affordable. When they are commonplace they will make moving security closer to the edge much easier. Core routers should route, they shouldn't access control, that way you can keep your wire speed routing and give a more flexible environment for users while keeping security where you need security.
There is still no substitute for keeping a box patched.
nah, it should read Cat5e only I typo'ed it. Ok?
...We've already got 10Gigabits. What we do with it? I've not seen it go above 15 Megabits yet and we've had it in for a year.