Slashdot Mirror


User: Yobgod+Ababua

Yobgod+Ababua's activity in the archive.

Stories: 0
Comments: 284

Comments · 284

  1. Re:Seems dubious on Why Does Windows Still Suck? · · Score: 1

    Our webservers only have ports 80 and 443 open and are very "real world". (Ok, they also listen for ssh, but only on a private second network, not on the outward facing ethernet.)

    Similarly, the mail server only listens on 25, 587 and 993. Restricting a server to only do what it needs to is considered to be a good (some might say essential) security practice.

    And besides, for a real-world desktop system you shouldn't be listening on -any- ports.

    "you could set up a webserver on *any* OS with only that..."

    It's theoretically possible, but it's also really really difficult to get a Windows box to stop listening on non-essential ports, even for a desktop system. And, for your full convenience, many of those nearly impossible to turn off services are insecure and easily compromised.

  2. Damn /. links on New Spam Zombies Use ISPs' Mailservers · · Score: 1
  3. Re:Global, realtime spamlist? on New Spam Zombies Use ISPs' Mailservers · · Score: 2, Informative

    So... something like Vipul's Razor?

    It's not quite as trivial to set up as you suggest, because of two things...

    • first, not everyone agrees exactly on what is or isn't spam.
    • Second, and more importantly, spammers and other undesirables will attempt to poison your list.

    Fortunately, people are already working together to make this work. Pyzor is another similar effort.

    Spamassassin has hooks built in to interface to both Pyzor and Vipul's Razor.

    Maybe ISPs should just start running spamassassin (or something similar) on all outgoing email and blocking everything that scores too high... this would slow down their servers slightly, but would cut spam drastically across the board.

  4. Re:Why aren't they using SMTP-AUTH? on New Spam Zombies Use ISPs' Mailservers · · Score: 2, Insightful

    Of course, if the user doesn't let their mail client "remember" their password (I never trust mail clients to remember anything for me), then the virus would indeed be unable to complete its evil plan.

    They'd need to take the time to write a more sophisticated version of the trojan that first does some keystroke logging to steal your AUTH password, -then- sends spam with it.

    Once a virus allows "a remote attacker to gain complete control of your computer", there's really nothing that you could do that they won't be able to. Very disturbing how many MS virus alerts contain that very unpleasant phrase...

  5. Re:Unnamed processes on New Spam Zombies Use ISPs' Mailservers · · Score: 1

    Um... there's a -lot- of possible names they might be using, and more than one vector that can result in zombification.

    Consult your preferred anti-virus vendor's online database for more detailed information.

  6. Re:A couple problems. on Lego Logic Gates · · Score: 1

    Yeah... the first thing I thought was that he needs a unity gain buffer to help with fan out issues.

    The second thing I thought was that this sort of mechanical logic would prove much easier using an asynchronous handshake (One example description at: http://caltechcstr.library.caltech.edu/312/) than a standard clock pulse.

    Using cams or a rotation-based system helps the power distribution, because you can always add additional 'power rails' as the circuit grows... your first gate doesn't need to push through everything else.

    The lack of torque is usually addressed through a simple gear-down at the motor.

    Now that this has got me thinking, I'm wondering about circuits that are powered by rotation, but store their signals through the movement of rods (either back and forth or up and down). *sigh* and my lego gears -were- all neatly packed away in the closet...

  7. Please note! Sidebar is not part of the story. on Mr. Fusion Comes Closer · · Score: 1

    The picture that accompanies the article does not appear to have anything to do with IDI or their alleged new product.

    It appears to be a device used for general ICF research at LLNL.

    This has already caused confusion in a few posters.

  8. Re:I doubt they read it on Secret Service Reads Livejournal · · Score: 1

    RTOP people... it states clearly that the Secret Service said that the page was reported to them by someone. They did not stumble across it, nor is there some bureaucrat reading through LJ in an official capacity.

    One bit of confusion I have about the article... the author refers, seemingly interchangeably, to 'Secret Service' (part of the Treasury Department) and 'FBI' (part of the Department of Justice). Which was it that showed up?

  9. Too many people... on Green Party Candidate David Cobb Answers Your Questions · · Score: 1

    I seem to remember an old joke on this very concept...

    "If elected, I will work to fund and create large packs of bioengineered wolves which will be released into major urban areas."

  10. Re: CVS on SCO Files for Stay of Execution · · Score: 1

    In the Linux CVS some reasonably fully-formed code just appears in several places saying 'donated from IBM' then proceeds to get integrated in over time.

    SCO wants IBM to go through their internal version control system to generate full revision histories for every file ever attached to AIX. IBM says this would be a difficult undertaking, mostly because AIX is not just a single file, or even a single set of files, but is comprised of many disparate code projects that join, separate, rejoin, get dropped, get added and so forth, such that the thing called 'AIX' really only exists in the released versions (which they've provided).

    One of the IBM sworn statements is from the maintainer of their internal version control system and goes into more detail on this.

    IBM mostly argues that, legally, the information can't possibly help SCO's case, and thus they shouldn't be forced to go through the trouble and expense.

  11. Here's the quick summary. on SCO Files for Stay of Execution · · Score: 4, Informative

    SCO has always had the SysV code they claim was stolen and the Linux code they say it was dropped into, so IBM says that should be sufficient to prove that there is or is not 'infringing code in Linux'.

    Rather than legally provide any of this infringing code that their 'experts' allegedly found 'mountains of', SCO keeps changing the story.

    Currently, the line is that IBM's contract prevented IBM from revealing not only any SysV code, but any IBM code that was shipped together with SysV code, or any IBM code that somehow derived from "UNIX methods and concepts".

    To prove this last point, they want IBM to provide the complete revision history of every file in AIX, including programmer notes, so that they can read through it all and try to find places where programmers writing IBM code were 'tainted' with SysV knowledge. IBM says that this theory is ridiculous and that they should not have to go through this burdensome procedure because it's irrelevant. SCO has SysV code, code from several releases of AIX and Dynix, and Linux code, and therefore has everything they would possibly need to prove infringement under standard copyright laws.

    In any case, any code that one side provides to the other would be under seal, not available to the public, and certainly not open sourced.

  12. Re:The Utility of Firewalls on Network Security Assessment · · Score: 3, Informative

    "there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it."

    There are plenty of ways for a firewall to make intelligent decisions about the application data going past it.

    The first (and perhaps easiest) level is just to check that traffic conforms to known protocol specifications, as it's very often dealing with 'impossible' data that causes applications to have problems. As a simple example, simply blocking HTTP GET or POST requests with absurdly large fields can help prevent a whole range of webserver exploits.

    You can't always count on the application software to properly check every field and flag to verify that the packets it's receiving conform to the protocol's standards and limitations. In these cases it's very useful (and, for large or complex installations, possibly much easier) to perform those checks at the firewall.

    Beyond that, you really need to perform more in-depth characterization of your allowable traffic in order to intelligently characterize it, but there are numerous companies working on helping firewalls do just that.

    "We need fundamental advances in creating robust, secure, and self-recovering software."

    I'll agree with that, at least.
    Software needs to learn how to laugh. (When people are confronted by the impossible, contradictory, or unexpected, we generally laugh and move on without crashing...)
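
The kind of protocol-conformance filter described in this comment, as an added example that is not part of the original post: a small Python checker that validates the head of an HTTP/1.x request and rejects requests whose request-target, header lines, header count or declared Content-Length exceed a limit, so that "impossible" input is dropped before it reaches the web server. The limits, the `check_request` function and the sample requests are all constructed for this illustration and are not taken from any firewall product or from the RFCs.

```python
"""Protocol-conformance checks for HTTP/1.x request heads, of the kind a
firewall or reverse proxy can apply before traffic reaches the web server.
Example code written for this page; the limits below are assumptions, not
values from any product or standard, and the sample requests are constructed."""

import re

# Assumed limits; a real deployment would tune these to its applications.
LIMITS = {
    "request_line": 2048,      # bytes in the request line
    "target": 1024,            # bytes in the request-target (URI)
    "header_line": 4096,       # bytes in any single header line
    "header_count": 64,        # number of header fields
    "headers_total": 16384,    # bytes in the whole header block
    "content_length": 1 << 20, # largest acceptable declared body (1 MiB)
}

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Strict request-line and header-field grammar; anything else is "impossible" data.
REQUEST_LINE_RE = re.compile(rb"([A-Z]+) (\S+) HTTP/1\.[01]")
HEADER_RE = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*")


def check_request(raw, limits=LIMITS):
    """Return (True, 'ok') if the request head conforms, else (False, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated"
    if len(head) > limits["headers_total"]:
        return False, "header block too large"

    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > limits["request_line"]:
        return False, "request line too long"
    m = REQUEST_LINE_RE.fullmatch(request_line)
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method.decode() not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > limits["target"]:
        return False, "request-target too long"
    if len(header_lines) > limits["header_count"]:
        return False, "too many header fields"

    declared = None
    for line in header_lines:
        if len(line) > limits["header_line"]:
            return False, "header line too long"
        h = HEADER_RE.fullmatch(line)
        if not h:  # covers obsolete line folding and bare LF, both rejected
            return False, "malformed header line"
        name, value = h.group(1).lower(), h.group(2)
        if name == b"content-length":
            if not value.isdigit():
                return False, "non-numeric content-length"
            n = int(value)
            if declared is not None and declared != n:
                return False, "conflicting content-length"
            declared = n
            if n > limits["content_length"]:
                return False, "declared body too large"
    return True, "ok"


# Constructed sample requests: one normal, three that exceed a limit.
GOOD = (b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: demo\r\n\r\n")
LONG_TARGET = (b"GET /" + b"A" * 1500 + b" HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
LONG_HEADER = (b"POST /submit HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"X-Junk: " + b"B" * 8000 + b"\r\n\r\n")
BAD_LENGTH = (b"POST /submit HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"Content-Length: 99999999\r\n\r\n")


def main():
    for label, req in (("good", GOOD), ("long target", LONG_TARGET),
                       ("long header", LONG_HEADER), ("bad length", BAD_LENGTH)):
        ok, reason = check_request(req)
        print(f"{label:12s} -> {'pass' if ok else 'drop'} ({reason})")


if __name__ == "__main__":
    main()
```

The checker deliberately reports the first violation it finds rather than trying to repair the request; a filter at the edge should fail closed and log the reason, leaving the application to see only traffic that already fits its expected shape.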

  13. Re:I've suspected as much for years. on The Underground History of American Education · · Score: 1

    'The trick is, for our society to continue to function, we need a significant number of "drones" to do a lot of the work.'

    I'd like to take issue with this comment. Yes, there are many jobs that are necessary yet are considered 'unappealing' or 'brainless' to many, but the existence of such does not necessitate the existence of 'mindless drones' to fill them.

    Example 1: The classic "burger flipper" and other similar "no experience needed" jobs are perfectly suited to young, inexperienced workers who want/need to earn some money while continuing their study towards something better. No permanent 'drones' are needed to fill these positions.

    Example 2: Similarly, there are many jobs in similar categories that aren't really what the person wants to do, but give them enough livelihood to pursue their own intellectual pursuits. Examples include actors working as waiters or any other artist with a 'day job' in service or retail.

    Example 3: Many of these 'drone' jobs people refer to currently aren't really necessary for society to function. Society, arguably, would be better off if the current 'drone culture' were replaced with more intellectual individuals. Phone support lines, for example, could arguably be better served by people who actually know what they are talking about, or are at least interested in learning about it.

    Example 4: The market should, in any case, rebalance to address any shortage of persons willing to fill 'drone jobs'. Supply and demand are powerful forces, and I'd happily scrub toilets 8 hours a day if the price was right. Admittedly, a rebalance of this sort would potentially have a tremendous impact on the (non)profitability of various current enterprises, but that just means society would change, not be destroyed.

    Example 5: You never know what some people will consider attractive, or what their personal fiscal demands will be. Consider an otherwise retired security guard or school janitor, mentally fully-capable yet willing to staff a low-key menial position to fill their minor fiscal needs.

    In our current post-industrial revolution state, we actually need -fewer- cogs than ever before, as more and more of those jobs become automated.

    In most cases, these 'drone jobs' can and should be filled, not by permanent 'drones', but by young or inexperienced persons of learning and intellect on their way to better things. Look at the old apprentice model in the circumstances where it worked properly... the apprentices performed a lot of menial, uninteresting, thankless tasks while learning the basics of a trade. Eventually they became journeymen and graduated from those menial tasks to more skilled (yet still often uninspired) work under someone's direction, yet continue to learn and improve. Eventually they become fully skilled professionals and experts in their field (and hopefully continue to talk with each other and work to improve said field overall).

    It may seem trite, but the point is that these menial jobs do not have to be, and perhaps should not be, permanent positions.

    In any case, the existence of some jobs that do not require independent thought does -not- imply a need for people incapable of independent thought!!! That's like saying that we need more cripples to staff our many desk jobs...

  14. Re:This will only stop dumb terrorists on FCC Rules VoIP Must Be Tappable · · Score: 2, Insightful

    The problem with a code like that is that it presumes that a secure communication (the information on the code itself) has already occurred, that the code has not been captured or compromised, and that the message you want to convey is within the scope of the code already exchanged.

    People have used codes in that way for thousands of years, and they still have the same weaknesses.

    It's much more powerful and effective to send a message encrypted with good asymmetric key cryptography.

  15. Re:piracy on Doom 3 Gets Reviews, Piracy Questions, Exultation · · Score: 5, Insightful

    In the US legal system, copying a copyrighted work without proper permission is a particular crime known as "copyright infringement".

    It is legally distinct from theft... "the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same".

    In a case of illegal copying, no property is actually removed from the rightful owner.

    I'm not saying that makes it any less illegal, or makes it morally justified, but the earlier poster was at least correct in that it is -not- theft.

  16. Re:Blackberry Enterprise Server for Exchange? on SUSE Openexchange Under GPL · · Score: 1

    Don't know about OpenExchange, but I've been talking with the people at www.consilient.com, who sell software to make your BES server talk to something that isn't Exchange.

    Unfortunately, I'm still having trouble finding a solution that pulls in contact management.

  17. Offline use on SUSE Openexchange Under GPL · · Score: 1

    Web-only services don't let you sync up at the office/hotel then carry your email/calendar/contacts with you to the plane/bus/meeting, work on them there, then sync your changes back to the server when you get back to the hotel/office.

    That's one of the main (valid) reasons why business people don't want to 'just run in a web browser'...

  18. Real life experiences on SUSE Openexchange Under GPL · · Score: 1

    That's fine for SMTP, but you've left out the rest of the picture.

    A decent IMAP server (like cyrus) does a good job of completing email support, but you'll still be missing shared contacts and calendaring.

    We do the above (postfix+ & cyrus IMAP) and then use Oracle's Collaboration Suite to handle the calendaring, but I still need to find a good way to bring in shared contact management.

    It's even worse now that the sales guys picked up Blackberries... that they also want to sync instantly to their email/calendar/contacts.

    I've been tracking the available options pretty closely, and still haven't found one that really hits the right spot.

  19. What's "disk"? on Terabyte Storage Solutions? · · Score: 1

    We considered the Xserve, but eventually went with this box instead:

    http://www.rackable.com/products/storage.htm

    Incidentally, I believe the Xserve RAID box is just a SAN unit, so you'd still need a front-end server (like a G5) to actually "serve" the disk.

  20. Re:What about laptops on Major ISPs Publish Anti-Spam Best Practices · · Score: 1

    Addendum to myself.

    Finally found the information I was looking for...

    authenticated smtp is supposed to be on port 587.

  21. Re:What about laptops on Major ISPs Publish Anti-Spam Best Practices · · Score: 1

    VPN is indeed one choice (and a good one).

    I support my remote users by having an smtp server that only accepts authenticated TLS connections. It was listening on port 25, because THAT'S THE PORT THAT WAS ASSIGNED FOR SMTP, but I'm going to have to move it elsewhere.

    There doesn't appear to be a clear consensus for what port to use for authenticated smtp. Some people use 465 (assigned for SMTP over SSL), others seem to use 26, 2525, or 4025. I think I'm going to go along with stealing 26, because I want a low numbered port, don't think it's appropriate to run a non-SSL-wrapped SMTP service on 465, and because some ISPs that already block 25 also block 465.

  22. Re:Adblock on Mozilla Project Officially Releases Firefox 0.9 · · Score: 1

    Was your problem just a manifestation of this

    "To prevent the kind of problems we had with the 0.8 release (users were having the browser not start with "No XBL Binding for Browser" errors, and finding that their theme was broken), when you run 0.9 for the first time all of your extensions will be automatically disabled, and the theme will be reset to the default. You must then look for newer versions of your extensions that are compatible with Firefox 0.9 since the extension API has changed. After Firefox 0.9 these updates should be more seamless." (from the release notes)

    ...or was it something more annoying?

    Adblock appears to be happily available through their new extension manager from the usual place...

  23. Re:I had this idea years ago but... on Invisible Cloaks, Translucent Walls · · Score: 1

    Yeah... they describe that currently you need to look through a particular fixed lens/pinhole that everything is calibrated towards.

    It seems that only the reflective material he uses is really something new.

    Somewhere on my shelf of old notebooks I have a number of pages involved with trying to figure out ways to make this sort of thing work in 3D. It's quite difficult, even if you limit yourself to flat planes... my best plan involved complicated little lenses over each pixel (which was really an entire array of light emitting or sensing devices) such that the system would naturally display different images depending on the viewing angle.

    It was technically feasible, being basically a 2D variation of those little novelty devices that 'change' as you tilt them back and forth, but would be prohibitively expensive to actually manufacture.

    My goal back then was to put one each at the end of a hallway (or next to the coffee) in two different buildings thus virtually connecting the buildings in a more natural way than current telecon equipment does (or did).

  24. Re:Yes, I RTFA ... on Ken Brown Responds to His Critics · · Score: 1

    That's probably the only actual response to the comments people have made questioning the validity of his research.

  25. Re:You are missing the point .. on McAfee Granted Far-Reaching Spam-Control Patent · · Score: 1

    Amen to that.

    Now if we could just remind our duly elected representatives of this handy fact...