Slashdot Mirror


User: BenFranske

BenFranske's activity in the archive.

Stories: 0
Comments: 289

Comments · 289

  1. Re:This stuff drives me nuts on User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com) · · Score: 1

    It would have to be more than just key based, the private key also has to be encrypted forcing the user to enter a passphrase before the key can be used. Otherwise someone with access to the system could just steal the private key file... Essentially Filezilla asking users to store passwords and then not encrypting them is the same as a program requiring an unencrypted SSH private key.

  2. Re:Or just use MythTV on Mythbuntu Linux Has Been Discontinued (softpedia.com) · · Score: 1

    B) Where is any information on this web based export? All I can find is some references to using the old TiVO Desktop software which is horrendous and painful if you do this very often and is still subject to the same CCI restrictions as MythTV would be.

    F) $150/yr for guide data is ridiculous. The TCO on this product is horrible. The upfront costs may be slightly less than my MythTV setup but I've had the same HDHR Prime MythTV setup for going on 6 years now, with no signs of it stopping so that would be $850 so far just in fees, plus the original hardware purchase.

    There is no doubt that the TiVO is better than the cable company DVR systems, those are really terrible. What I asked for though was someone to show something better than MythTV since the GP was basically making the argument MythTV was useless anyway. I don't think that's been done yet.

  3. Re:Or just use MythTV on Mythbuntu Linux Has Been Discontinued (softpedia.com) · · Score: 2

    This. I switched my backend off Mythbuntu some time ago (once it became feasible to install reasonably recent copies of MythTV in other ways). But on frontends I really just want something that takes little time to configure and connects to the backend, very much appliance-like, so I've stuck with Mythbuntu. My suspicion is that there is a pretty small minority of people running separate backends and frontends though so that's a pretty small audience. It really is ideal though, my frontends do seem to crash, stop responding to IR, etc. occasionally and need reboots. It's definitely nice to have the recording work being done in a rock solid VM so it is not interrupted by reboots.

  4. Re:Or just use MythTV on Mythbuntu Linux Has Been Discontinued (softpedia.com) · · Score: 4, Informative

    What hardware systems are as capable as MythTV and as cost effective (ongoing subscription costs)? Even just for TV DVR capability, which is all I use Myth for, I haven't found one yet.

    Requirements:
    A) Cable card support
    B) Ability to save and edit recordings (exportable, DRM free recordings)
    C) Automatic commercial skip (this works incredibly well on MythTV)
    D) Ability to schedule recordings over a web interface
    E) All of the standard DVR features

  5. Re:This stuff drives me nuts on User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com) · · Score: 4, Insightful

    A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.

    B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?

    If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?

    All that said I'm pretty particular about what software can hold passwords of mine so I've always typed them in to Filezilla on an as needed basis, seems as if that was a good idea.

  6. Re:This stuff drives me nuts on User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com) · · Score: 4, Informative

    Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.

  7. Sometimes. I generally favor an open legislative process and there is no doubt that a good bit of political shenanigans happens at the last minute. On the other hand, there are a good number of things I can think of where a 72 hour waiting period might be inappropriate such as disaster relief and other time sensitive bills typically handled swiftly by all parties involved.

  8. Actually, in cases like this it would make it worse. This is not the DoS of your youth with spoofed IP addresses. This is millions of bots making seemingly legitimate requests simultaneously. With UDP DNS requests are a single packet. With TCP you get a SYN, SYN ACK, and SYN before you even get to the part where you're making the query...that would dramatically multiply the number of packets for each query from each bot, or for that matter on a regular day from a legitimate user meaning the connections would just be that much closer to being flooded all the time.

  9. Except that in reality the way it works is that each customer of an ISP is assigned a network block of IPs. If you find that customer is spamming you could block the entire network block. This is effectively the same thing as blocking the single IPv4 address assigned to a customer. The spammer would either need a new block of addresses from the ISP or a new ISP, effectively the same situation you have now with IPv4.

  10. +1 There is so much undeserved hate for IPv6 because people haven't taken the time to understand it.

    NAT is not a security solution. If you would put a NAT device between your network and the Internet you can put a firewall between your network and the Internet. Yes, someone could potentially learn a small amount about your internal topology, well if you call being able to identify possible subnets within your network learning about the topology, but the little they can learn is of dubious use. You still have no idea how most of those subnets are connected to each other (if you disable ICMP at your firewall or otherwise block tracerouting of your network from the Internet you can even prevent more) and even if you did please explain what substantial advantage an attacker has knowing how subnets are connected? If they're going that far it's an APT attack against your organization directly and you're probably done for because they will likely just trick someone inside the organization into installing malware on the network allowing them inside access and you'd have the same problems on IPv4.

    Most of the rest of the list sounds like whining about more things you would have liked to have seen done, not things that are actually worse in IPv6 compared with IPv4.

  11. Re: What's the Solution? on Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com) · · Score: 1

    An Arduino is just an AVR microcontroller, the same chip found in many electronic/IoT devices. Point being when does it become an IoT device? If I sell it? How about if I just sell it to a few friends? Maybe I make and sell a small quantity on etsy? etc. It's hard to draw a line about when it's an IoT device and when it's just me playing around with electronics.

  12. Re:What's the Solution? on Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com) · · Score: 1

    I would maintain that's not possible. Attackers will just write software that mirrors normal user traffic accessing a site. It's simply the fact that millions of devices will be accessing the site at the same time that takes the site/service down. Just like ye olden days when nearly every site mentioned in a ./ summary went down. The fundamental problem is that a truly distributed denial of service attack is just a coordinated accessing of a site from a large number of hosts. The only difference between that and just a lot of people visiting your site is that one is coordinated. Good luck detecting the coordination.

  13. Re: What's the Solution? on Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com) · · Score: 2

    1) Yes, poorly designed IoT devices make the problem worse but it's existed long before IoT came along. 2) What qualifies as an IoT device, every Arduino with an Ethernet/WiFi port? The code isn't on them until you program them... 3) If mass regulation of all network connected products is the only way we have a problem because you're never going to get global agreement on that and it's going to be nearly impossible to enforce.

  14. You can't just say that, please explain your reasoning.

  15. Re:What's the Solution? on Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com) · · Score: 1

    Yes, this is effective against some subset of attacks. There was a good reminder/discussion of this on the NANOG list this morning. The problem is 1) probably pretty much every ISP which can be convinced to do this is already doing it at this point, the others are probably a lost cause and 2) this only prevents attacks where the address actually is spoofed. If a large number of compromised devices are running malware they can just make an overwhelming number of legitimate service requests en masse...

  16. What's the Solution? on Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com) · · Score: 3, Insightful

    I've heard a lot of people today saying there's a problem. Several of the commenters (on Brian Krebs' blog for example, on the NANOG list for another, and probably soon here on ./) say we should do something to fix this so it doesn't happen again. What I haven't heard is a real proposal about what to do about stopping DDoS attacks.

  17. Re:Blocking is illegal, but this isn't... on FCC Official Asks Agency To Investigate Ban On Journalists' Wi-Fi Personal Hotspots At Debate (arstechnica.com) · · Score: 1

    First, note though that I was using the firearms example as a hyperbolic one, it's a harder argument to ban them due to constitutional protection and even so we're just beginning to see erosion of the right to ban them. Electronic devices would be somewhere far down the list. Second, we're not talking about a parking lot here, we're talking about an already secured area where many other things are also prohibited.

  18. Re:There's plenty of space on FCC Official Asks Agency To Investigate Ban On Journalists' Wi-Fi Personal Hotspots At Debate (arstechnica.com) · · Score: 4, Insightful

    This. The FCC is important, RF regulation is important as spectrum is a shared resource and is not contained by walls, geographic boundaries, etc. Someone needs to be in charge of preventing interference and encouraging research of effective use of a limited resource.

    Side rant, I think it was a poor choice to raise a bunch of money by starting to sell spectrum to cell providers in the 90s instead of licensing it to them as had been done before and is still done for most frequencies. The FCC has effectively ceded regulatory control of huge chunks of spectrum so now a lot of power is concentrated into a few companies that own spectrum and it's not necessarily in their interest to pursue certain RF research or new RF technology and we have no societal via governmental way to force transitions to new technology. Imagine if TV stations owned their spectrum, we might never have been able to force a HD digital transition.

  19. Signed contracts are so 80s. These days you shrink-wrap contracts, or in this case you just put it on the back of the ticket or in the T&C you have to click through to obtain a ticket.

  20. Re:Blocking is illegal, but this isn't... on FCC Official Asks Agency To Investigate Ban On Journalists' Wi-Fi Personal Hotspots At Debate (arstechnica.com) · · Score: 2

    Exactly this. What the University can't prohibit is someone on different property running a competing wifi network. If they allow some hotspots or allowed you to pay a fee to run your own hotspot I could see some creative arguments to be made. What you absolutely don't have a right to do is to carry whatever you want onto someone else's property. Take for example weapons bans which prohibit students from bringing knives to school, to Disney World, etc. You can tell people that they are not welcome if they bring X onto your property all you want.

  21. Re:So They think they have a license for that band on FCC Official Asks Agency To Investigate Ban On Journalists' Wi-Fi Personal Hotspots At Debate (arstechnica.com) · · Score: 1

    Sort of. I may not be allowed to regulate your Part 15 device (e.g. emission levels, etc.) but I can tell you not to bring it onto my property. There are absolutely private establishments which prohibit you from taking a cell phone, laptop, or just about anything else inside. There is no guaranteed right to bring anything you want onto someone else's property. Even guns, a right specifically enumerated by the constitution, can be prohibited from a private establishment.

  22. Re:The entire security of the internet on Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom? (google.com) · · Score: 1

    I think it's a substantial exaggeration to say that the entire security of the Internet relies on the root CA system. There are a lot of organizations and people running encrypted communications over the Internet that are PSK or internally signed certificates. Think VPN connections. While a lot of public services such as web servers, email servers do rely on a very flawed CA system my point is that even if the entire CA system crumbled (which would be bad as I haven't seen any legitimate proposals about what to replace it with) that would not be the end of security on the Internet.

  23. Re:Save money on Why BART Is Falling Apart · · Score: 2

    Don't insult railroad engineers that deal with steam engines that require an immense amount of training compared to the very simple systems of diesel gen-set propulsion units.

  24. Re:Surge protectors *must* be voltage specific on Ask Slashdot: Surge Protection For International Travel? · · Score: 2

    Yes, it's true that 200 volts on a 110/120v circuit might damage a 110/120v power supply. However, the OP mentions that their power supplies are universal 110~240v. That means the supplies can actually handle up to 240v so they only need surge protection above 240v regardless.

  25. Re:Here's what I did on Ask Slashdot: Surge Protection For International Travel? · · Score: 2

    You shouldn't do that. The US power strip is likely only rated for 120v. If you use it with an adapter in a country with 240v service you may find that some of the clearances are not enough and you get arcing, thus a fire hazard. I've actually had this happen to me. A better, but similar solution is to get a 220/230/240v power strip with surge protector. You can even get one that will accept US style plugs if you'd like. As long as your power supplies are rated for up to 240v input you'll be protected from surges.