That would only help if your room was lead lined... faraday cages keep signals OUT not in. A well grounded cage will limit the output, but not stop it.
(And I would recommend aluminum foil... it's lighter, cheaper, and less toxic.)
(And if they do it will still show up as MAC addresses appearing multiply in the maps and/or addresses outside the allocated ranges.)
What? "outside allocated ranges"? Unless they're changing the first 3 octets -- the manufacturer, there's no such thing. Manufacturers don't keep, and certainly don't publish, which addresses they've used. And let me go ahead and burst your bubble... MAC addresses are not globally unique. They only have to be unique within a LAN segment -- with a wrinkle or two from other uses (license keys attached to MACs, DHCP, etc.)
Quick format takes all of 5 seconds -- just writes a new blank directory structure. Erasing 85,000 files can take hours.
Plus, Windows(tm) really wants to be installed in \WINDOWS. You can put it wherever you want, but some things still don't use %windir%, et al. AND Windows(tm) puts things outside %windir% that cannot easily be relocated -- esp. during a fresh install.
Hah! Stop using cheap-shit "QIC80" tapes. Almost all enterprise level tape technology will last at least 30 years. Some of the crap sold for PC/home users won't even last as long as it takes to write them; and good luck getting any other drive to read them.
(I've pulled data from telco tape backups that were ~50 years old... those tapes were twice my age.)
I don't need to run my own CD/DVD factory to know it's a ripoff. I know of several such factories, and they do make money faster than the mint. You make it sound like it takes a dozen people to make a disc. If you're using a PC to burn 'em, then that's true. However commercial manufacturers use presses, not burners. They can (and do) churn out thousands of discs without a single human being in sight.
If what you say is true, the discs should never land in the bargain bin. At $5 each, they should be losing money. Yet, in the bargain bin at $5 to $8 each, they're still booking a profit on those discs. They don't have to sell them at $20-30 to make any money. They sell them at $20-30 because a) it provides a tremendous profit, and b) there are enough people willing to pay the "ripoff" price to make it economical.
Why do you think there's a pricing tier? So many people will pay $29.99. Once everyone willing to pay that has bought it, guess what, they lower the f'ing price. This continues all the way down to the supermarket checkout aisle bargain bin. This is all a process to maximize profit. (which I label "greed") One might say they're milking their consumers.
Back in the VHS tape days, there really was a reason to charge $20-30 for a tape. It takes a long time to make a video tape -- even with their specialized hardware it still takes 15-30min to "press" a 2hr movie. A DVD takes, literally, a fraction of a second to press; a single press can churn out hundreds of discs per hour. A factory with hundreds or thousands of presses can pump out millions of discs. Each disc costs pennies. As with everything, it's all a matter of greed... $20 for something that costs under a buck to make.
Look at video games. Most are $49.99 at release. They drop to $39.99 a few months or even weeks after release. A year later, $29.99 and lower.
The BSA is unlikely to walk in exactly when the contractors are there. And I'm not saying the contractors are installing bootleg software on the company machines (at least not for long.) In the context of the competition, they weren't allowed to bring in anything. How many people bring in "naked" contractors? Contractors come in with their laptop(s) and tools.
You don't even need to unplug them... the first step is math: 24 port switch with 19 cables (all active) and a network diagram showing 12 machines. Obviously there's something amiss. Start with port 1, wrap your grubby finger around the cable and trace it back to whatever is on the other end; log this on the diagram. Repeat for the remaining cables.
I've had to do this repeatedly everywhere I've ever worked. (even had to make a bellsouth tech literally do this to find a loop plug.)
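The "first step is math" check above, together with the earlier point about the same MAC showing up more than once in the maps, can be done against the switch's own MAC table before anyone traces a cable. The script below is an added example, not code from any of the comments; the switch table and the diagram inventory are constructed sample data (six ports, four documented hosts), and the column layout is an assumed "<port> <mac>" dump rather than any vendor's exact format.

```python
from collections import defaultdict

# Constructed inventory: what the network diagram documents (MAC -> host).
INVENTORY = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "mailhost",
    "00:11:22:33:44:03": "sunbox",
    "00:11:22:33:44:04": "wks-a",
}

# Constructed switch MAC table, one "<port> <mac>" pair per line.
MAC_TABLE = """
1 00:11:22:33:44:01
2 00:11:22:33:44:02
3 00:11:22:33:44:03
4 00:11:22:33:44:03
5 00:11:22:33:44:04
5 00:11:22:33:44:05
6 AA:BB:CC:DD:EE:FF
"""


def parse_mac_table(text):
    """Return [(port, mac), ...] with MACs normalised to lower case."""
    entries = []
    for line in text.strip().splitlines():
        port, mac = line.split()[:2]
        entries.append((int(port), mac.lower()))
    return entries


def reconcile(entries, inventory):
    """Compare live switch entries with the diagram and flag the oddities."""
    by_port = defaultdict(set)   # port -> MACs learned on it
    by_mac = defaultdict(set)    # mac  -> ports it was learned on
    for port, mac in entries:
        by_port[port].add(mac)
        by_mac[mac].add(port)
    return {
        # The "first step is math": active ports vs hosts on the diagram.
        "active_ports": len(by_port),
        "documented_hosts": len(inventory),
        # Devices the diagram knows nothing about.
        "undocumented_macs": sorted(m for m in by_mac if m not in inventory),
        # One MAC learned on several ports: duplicate MACs or a loop.
        "duplicate_macs": {m: sorted(p) for m, p in by_mac.items() if len(p) > 1},
        # Several MACs behind one port: a hub, switch or access point.
        "multi_mac_ports": {p: sorted(m) for p, m in by_port.items() if len(m) > 1},
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_mac_table(MAC_TABLE), INVENTORY).items():
        print(f"{key}: {value}")
```

Every flagged port is then a cable worth tracing first; the rest can wait.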
I'm not saying it's unrealistic. I'm saying it's unfair in the context of the competition... if the firewall is off limits to the teams, it should be off limits to the hackers. No matter how well secured your internal network may be, if the hackers can sit on your network (on the firewall no less), it's game over.
(Honestly, it wouldn't be much of a learning experience if it weren't tipped in favor of the hackers.)
Except the contractor(s) are professionals being paid for their experience and expert knowledge. They will have more than "a few hours" to inspect things and do their patching; they won't be scolded for using "illegal tools". (nobody cares how the job gets done as long as it gets done.) And above all else, they're brought in to do a single job -- with the contract spelling out exactly what they are expected to provide.
In the end, I don't think the game is supposed to be realistic. I think it's more about making a point: security is not simple; "detail" is everything. How big was their network that no one noticed an access point plugged into it?
PS: The entire "game" is heavily stacked in favor of the hackers. For example, the teams were told to leave the firewall alone (after 7 out of 8 broke theirs) and then one of the hackers turns around and breaks into the firewall; if you're going to make the players stay away from the firewall, then it needs to be off limits to the hackers as well.
It takes significant experience to walk into a network blind and secure it in hours. I have 2 decades of experience, and I've walked into places where it took days just to figure out w.t.f. they're running. It would take a day or more to figure out what all is going on in the network in my house -- and there's only 4 computers on at the moment.
And if you're dealing with Windows(tm), it can take hours to download and install all the freakin' patches. (unless you happen to wander around with a fully populated WSUS/SMS server.)
I've worked in the ISP world for over a decade. Such comparisons have always been flawed. All access is shared. It doesn't matter if your access to the head-end is dedicated or shared; the combined input FAR exceeds its uplink. That is doubly true for DSL... cable heads tend to be in data centers where gigE is plentiful; DSLAMs are on street corners where connectivity is often limited.
For instance look at a garden variety rack mount DSLAM: 192 ports. Even if those are the lowest speed that still gets called "DSL" (IDSL), it'd be 27Mbps. It'd take a DS3 to carry that, and you'd be wasting half of it -- translation: it'd have 1 to 4 T1s for an uplink. On the upper end (7M ADSL), that'd be 1.3Gbps. The best connected DSLAMs I've seen were OC-3 (155Mbps) linked -- and they had 3000 ports.
Moral of the story: ISPs oversell their bandwidth by huge margins.
The MAC was derived from the hostid (stored in NVRAM, btw.) Sun was blindly assuming no one would ever plug more than one NIC into the same physical network. It might've been a reasonable assumption for a few years, but has always been an obvious Bad Idea(tm). PROMs for the last decade(?) have supported a "local" per-interface MAC:
[root:pts/2{1}]spacemeat:~/[05:30 PM]:eeprom|grep local
local-mac-address?=true
Well, if we are sticking to the textbook... NAT is just that: NETWORK ADDRESS TRANSLATION. It's all about morphing addresses... a /32, /24, /16 to another.
PAT -- Port Address Translation -- is what everything does these days. That's what allows a /24 to appear as a /32 to the rest of the world. It changes the address and port.
And neither offers significant protection. Once [ext]:80 is mapped to [int]:80, packets flow freely without any filtering or inspection. That's the difference between a router and a firewall. Firewalls care about what's in the packets; routers only care where packets need to go.
Cisco routers have a firewall (provided you have the right IOS build), but it's not exposed in SDM so you can't set it in a user friendly way (and setting up Cisco firewalls using the IOS command line sucks donkey).
I don't know if SDM understands IPv6 or not... I rarely use SDM and never use IPv6:-) At any rate, SDM is an interface for sheep; it forces you to do some very stupid things to your router. And it doesn't help with some of the complex tasks where a GUI is nice (QoS, IPSec, long access-lists...) IMHO, anyone who prefers SDM over CLI is either lazy or inexperienced. (or both)
I think all home/SME routers that connect to the internet have firewalls that are enabled to block incoming traffic by default.
That's not entirely true. It's not so much blocking incoming traffic as it is dropping traffic because it doesn't know what to do with it. Unless port 80 has been forwarded, the router has no destination for the traffic. Almost all "home" routers I've seen support a "DMZ host" to which the router will send all such traffic.
A "true" firewall blocks all traffic in all directions until explicitly configured otherwise. Think Cisco PIX: even with a port forwarded a conduit or access list must permit the traffic flow -- in the inbound (increasing security level) direction. In contrast, a Netgear or Linksys "cable/dsl router" will forward inbound traffic as soon as it knows where to send it, and allows outbound traffic with zero configuration.
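The two comments above (the [ext]:80 to [int]:80 mapping with no inspection, and the PIX-style permit requirement) can be modelled in a few dozen lines. This is an added illustration, not code from the thread or from any vendor; the addresses, the port numbers and the PAT port range starting at 40000 are constructed assumptions, and the "firewall" is reduced to one rule: a static forward is not enough, an explicit inbound permit is also needed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class PatDevice:
    """PAT box. firewall=False acts like a cable/DSL router: a mapping is all it
    needs. firewall=True also requires an explicit inbound permit for static
    forwards (the PIX conduit/access-list idea). Constructed model only."""

    def __init__(self, public_ip, firewall=False):
        self.public_ip = public_ip
        self.firewall = firewall
        self.static = {}    # (proto, public_port) -> (inside_ip, inside_port)
        self.dynamic = {}   # (proto, public_port) -> (inside_ip, inside_port, peer_ip, peer_port)
        self.permits = set()  # explicit inbound permits: (proto, public_port)
        self._next = 40000    # assumed start of the PAT port range

    def forward_port(self, public_port, inside_ip, inside_port, proto="tcp"):
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def permit_inbound(self, public_port, proto="tcp"):
        self.permits.add((proto, public_port))

    def outbound(self, pkt):
        """LAN -> Internet: allocate a public port and rewrite the source."""
        port, self._next = self._next, self._next + 1
        self.dynamic[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Internet -> LAN: the rewritten packet, or None if it is dropped."""
        key = (pkt.proto, pkt.dport)
        if key in self.dynamic:
            in_ip, in_port, peer_ip, peer_port = self.dynamic[key]
            if (pkt.src, pkt.sport) != (peer_ip, peer_port):
                return None  # not a reply to the session that opened the port
            return replace(pkt, dst=in_ip, dport=in_port)
        if key in self.static:
            if self.firewall and key not in self.permits:
                return None  # mapping exists, but nothing permits the flow
            in_ip, in_port = self.static[key]
            return replace(pkt, dst=in_ip, dport=in_port)
        return None          # no mapping: the router has no destination for it

def demo():
    """Same [ext]:80 -> [int]:80 forward on both boxes; only the firewall waits for a permit."""
    probe = Packet("198.51.100.7", 51515, "203.0.113.10", 80)
    router, fw = PatDevice("203.0.113.10"), PatDevice("203.0.113.10", firewall=True)
    for dev in (router, fw):
        dev.forward_port(80, "192.168.1.10", 80)
    out = {"router_forwards": router.inbound(probe) is not None,
           "firewall_before_permit": fw.inbound(probe) is not None}
    fw.permit_inbound(80)
    out["firewall_after_permit"] = fw.inbound(probe) is not None
    out["unmapped_dropped"] = router.inbound(replace(probe, dport=22)) is None
    return out
```

Note that neither box looks at the payload at all, which is the "no filtering or inspection" point: once the mapping (and, on the firewall, the permit) exists, anything on that port goes through.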
The DynDNS part is necessary to find your "network" at all. It only needs to be done once no matter how many services you run. And if your ISP/DNS host allows dynamic registration, or automatically updates dns based on dhcp leases, then setting up dyndns is as simple as clicking a checkbox.
Exactly. NAT works. NAT is relatively simple by comparison.
But the biggest reason of all... NO MIGRATION PATH. IPv6 is in no way compatible with IPv4. Any migration requires running (and maintaining) two networks. Add up all the little embedded (old) systems that will never have IPv6 support, and IPv6 becomes an even worse idea. I guess the IPng members are all too young to remember the world before IPv4... where IPX and AppleTalk walked the LANs; moving to IP was a mess that took years, but it was a valuable and necessary move. IPv6 is a HUGE mess, and it's almost entirely unnecessary. It's unlikely to be necessary (larger address space) for decades.
Negative. Every address block allocated by ARIN is paid for; stop paying the bill and they take your address(es) away. It's just much easier to request and be granted a /20 -- I've done it several times at various places over the years.
017/8 Jul 92 Apple Computer Inc.
056/8 Jun 94 U.S. Postal Service
The USPS definitely does not need every computer in every post office, sort facility, and truck to have a public (firewalled off) IP address; 99% of those systems have no reason to be connected to the internet AT ALL.
Not if the router does any IP logic in hardware (packet checksumming, switching, etc.) For the extremely simple (read: cheap and/or crappy) 100% software router, yes, new software is all that's needed. However, IPv6 is a lot more work than IPv4.
BINGO!
Yes, but that also means downtime -- which costs points.
... not to mention the network having already been compromised.