If it was really the case that these buildings shouldn't have fallen down and something like a "controlled demolition" was going on, every structural engineer in the US would be on the phone to the press. There would be a flood of expert opinion saying this was a stunt. There isn't. There's a few crackpots.
So are you saying that Leslie Robertson has been lying on-camera about the design of the WTC buildings in interviews conducted after 9/11? Holy cow! Yes, there are some crackpots, indeed.
Buildings are not something you should fly planes into.. they're not designed to keep standing up under that kind of stress.
It took me about ten seconds with Google to find numerous pages that describe how the Word Trade Center buildings were designed to keep standing up under that kind of stress.
Statements by Engineers
Engineers who participated in the design of the World Trade Center have stated, since the attack, that the Towers were designed to withstand jetliner collisions. For example, Leslie Robertson, who is featured on many documentaries about the attack, said he "designed it for a (Boeing) 707 to hit it." 2 Statements and documents predating the attack indicate that engineers considered the effects of not only of jetliner impacts, but also of ensuing fires.
John Skilling
John Skilling was the head structural engineer for the World Trade Center. In a 1993 interview, Skilling stated that the Towers were designed to withstand the impact and fires resulting from the collision of a large jetliner such as Boeing 707 or McDonald Douglas DC-8.
Our analysis indicated the biggest problem would be the fact that all the fuel (from the airplane) would dump into the building. There would be a horrendous fire. A lot of people would be killed,... The building structure would still be there. 3
A white paper released on February 3, 1964 states that the Towers could have withstood impacts of jetliners travelling 600 mph -- a speed greater than the impact speed of either jetliner used on 9/11/01.
The buildings have been investigated and found to be safe in an assumed collision with a large jet airliner (Boeing 707--DC 8) traveling at 600 miles per hour. Analysis indicates that such collision would result in only local damage which could not cause collapse or substantial damage to the building and would not endanger the lives and safety of occupants not in the immediate area of impact. 4
Actually, vegatable oils (natural ester fluids) have been used as an alternative dielectric fluid for several years now. A fair number of distribution-size transformers are filled with it,
I fired-up the way-back machine and dug up this old story that mixed big transformers with deep-frying oil. Old timers (like me) will remember this one.
Date: Mon, 26 Sep 1994 11:31:14 -0400 From: bostic@CS.Berkeley.EDU (Keith Bostic) Subject: The mother of all grease fires To:/dev/null@python.bostic.com
Forwarded-by: stripes@uunet.uu.net (Josh Osborne)
From: Brian Reid Date: Fri, 23 Sep 94 17:34:09 PDT
I work in the very center of the city of Palo Alto, in a nice office building. We are surrounded on every side by restaurants, hotels, and so forth. But we are a computer company, and so our building ends up needing a lot of electricity. We use about a megawatt (1 million watts).
In order to deliver a million watts of electricity to an office building, you need a very large transformer. These transformers are too big to put on poles, and besides in quaint downtown areas nobody likes those poles any more. So the transformers are put underground. The million-watt transformer that powers our office building is located in an underground vault in the middle of a walkway that leads to City Hall. The transformer is about the size of a small car, and the transformer vault is about the size of a one-car garage, except that the way you get in is to climb down a ladder from the street level. The top of the transformer vault is well ventilated, because a million-watt transformer generates a lot of heat.
Several fine restaurants are near this walkway, along with a bank, an art supply store, and so forth. There's a lot of foot traffic. This being California, where it never rains, and this being Palo Alto, where it is always springtime, the restaurants have outdoor seating areas that are very popular.
Recently the patrons of one restaurant started to complain that there was an unpleasant odor in their otherwise idyllic outdoor seating area. Soon the Health Department was called, and they quickly determined that the odor was caused by rancid oil that had seeped into the sidewalk. Further investigation showed that the source of the rancid oil was overflow from a nearby grating. The grating was marked "City of Palo Alto Utilities", so the utility department was called.
The utility crew quickly discovered the problem. The oil wasn't really oil, it was molten deep-frying grease, which was molten because it was being kept warm by a million-watt transformer. The entire vault was completely full of used frying grease, about 2000 gallons of it, which was enough to completely cover the transformer. The heat of the transformer kept the grease from solidifying.
Police quickly figured out what had happened. Every night for quite a number of years, one of the nearby restaurants had, at closing time, emptied its fryer into the transformer vault, thinking that they were dumping it into the storm sewer. It's quite illegal to dump grease into a storm sewer, of course, but they probably figured they would never get caught.
Transformers do occasionally overheat; this is why they are kept in concrete vaults. If this one had overheated, we would have had the mother of all grease fires.
Last night they shut off all of the electrical power, pumped out the hot grease, washed out the vault, and replaced the transformer. It's very fortunate that nobody was killed.
Today's "daily special" menu did not include the usual fried fish.
There are so many annoying restrictions at work, that a few people I know just take their own laptops.
And if you bring your own laptop, how do you access resources on the corporate network? Please tell me that you're not connecting your network cable to your laptop while your wifi connection is enabled.
Every time that Internet usage monitoring comes up on Slashdot, all the k00l kidz post their solutions for getting around tools like Websense and restrictive firewall policies on outbound traffic. As fun as "pulling one over on The Man" can be, violating the AUP is grounds for termination. Complain all you want about being fired but at the end of the day, you'll still be unemployed.
To head-off the "Oh yeah, I'm tool l33t to work at a square company with draconian fw admins like that dude!" comments, please know that we can't afford to have people like you on the payroll. Your methods of skirting URL filtering and/or firewall policies will get the organization sued, get us into the newspaper or both. We can't afford to have that happen.
I've been there and seen it happen. Once your organization is in the newspaper for something unsavory, that kind of damage to the credibility of the organization is hard to repair. The old saying goes "There's no such thing as bad publicity." Well, there *is* bad publicity and it can be quite costly.
The firewalls supported a VPN partner network to our companies specs that the cisco pix could not do. Fortinet wrote custom code for us just to make this work.
That sentence caught my eye. Can you provide more details on what you were trying to do with VPN that the PIX could not handle? I do a lot of work with IPSec tunnels and it sounds like you were pushing the VPN feature pretty hard. I don't doubt what you said. I am simply asking for further technical detail into the issue you uncovered with the PIX and IPSec. Please share as many details as you can without posting something that would cause security issues for the sites that deployed your solution. Thanks.
Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&l ang=en [securecomputing.com] You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.
ACK! Secure Computing Sidewinders suck! I know first-hand. I have two G2s (in an active/passive cluster) at work. I have a long list of problems that I've encountered with those beasts over the last year. They are going to be replaced soon by a very fast, very capable product from Juniper.
I am currently running Sidewinder G2 version 6. A few of my problems:
1. Slow. The Sidewinders (specifically the "proxy" part) are a significant bottleneck in our network.
2. Email. For a while, certain inbound email messages were being dropped due to "feature" in Sendmail. The only was to fix the problem was for me to get into the guts of the Sendmail config files and edit things by hand.
3. Traceroute. Is it too much to ask to be able to run a traceroute *through* a firewall? The Sidewinder G2s do not allow this to happen.
4. HA: Failover is slow and clumsy. There is no "state table" shared between the Sidewinders so any active TCP connections will get terminated when the failover happens.
5. Reboot: Certain operations require the firewalls to be rebooted. What???? My PIX or Juniper Netscreen firewalls never pop-up a message saying "That change will go into effect after the next reboot."
6. The whole "proxy" thing is a pain in the neck. I can't tell you how many IPtables-style rules I have had to create to get around problems caused by the Secure Computing "tcp proxies".
7. The admin GUI is really nothing to write home about.
8. Logging. Logging is really, really sucky. Compared to the syslog messages that come from a PIX, the difference between the Sidewinders and a PIX is like night and day.
9. "Application Defense". Yeah, had to disable that is most places because, believe it or not, every single website on the Internet is not RFC-compliant.
10. I ran into a situation recently where I wanted to create a tcp proxy for ports 2000-2010. I couldn't do that because earlier I had created a proxy for the single tcp port 2001. What's up with that? I left the tcp proxy in place and then opened tcp 2000-2010 using an IPTables rule.
That's enough for now. I do have more.
The Sidewinder G2s will be removed from our network and replaced by high performance firewalls from Juniper. I'm very familiar with ScreenOS and I've seen the Juniper Netscreen HA feature in action. The failover time between two firewalls in an active/passive NSRP cluster is amazing.
So, we are going to cease being a Secure Computing customer and the Sidewinders (which are really Dell servers running some flavor of BSD) will get turned into test servers (probably get Win2003 server loaded onto them). I will say this for Secure Computing, we have a LOT of RSA tokens and we are taking a very serious look at Secure Computing's Safeword tokens. S.C. has a very nice product in that market.
We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):
Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.
I laughed when I read your message. You spent THOUSANDS of dollars and you wonder why you don't have unlimited users allowed through your firewall. I've never seen the PIX syslog message that you listed above (and I've worked with a lot of PIX firewalls). I've never deployed a firewall with a limited user count (unless you count the 10-user Netscreen 5GT and PIX 501 in my home network). Step up to the big leagues and pay for the unlimited platforms. When you say "THOUSANDS of dollars" in a firewall conversation, the first thing that comes to mind is that I think that's a pretty good deal for annual maintenance, not the total cost of purchasing the firewall hardware itself. You'd wet yourself if you saw our annual Secure Computing support cost (Sidewinder G2s).
If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.
The budget is a big factor. Checkpoint is known for their bend-you-over-the-rail annual maintenance costs. Comparable products from other vendors will not consume so much of your budget when it comes time to renew the support contract.
If you can find one, the best machine to use as a firewall would be an old DEC VAX. Why? Because nobody has (yet) broken the security of a correctly-configured VMS system. making it two exploits better than even OpenBSD. It makes no difference that porting to VMS is a nightmare, because you wouldn't want to do so. Nor does it matter that VMS kernel developers are about as common as honest lawyers - whatever holes exist are far beyond the capabilities of a sizable percentage of experts in the field. Unless you're keeping nuke missile codes, VMS or OpenVMS should be more than strong enough to keep anyone out
1. The name of the OS was officially changed to "OpenVMS" a while ago. There is no "VMS or OpenVMS" (unless you work in HR and you're putting a job posting on Monster.com).
2. You're advocating that a company with twelve employees buy a VAX? The maintenance contract alone on the hardware would suck-up all of their profits. Also, the VAX platforms were never known for their awesome number crunching power. I've got a Core 2 Duo E6600 (home PC) that would eat any VAX (or reasonable cluster of VAXen) for lunch. The fastest VAX systems were built by buying the motherboard from a third-party company and replacing the standard motherboard (http://www.nemonixengineering.com/). If you actually did buy a larger VAX (6000 or 7000-class), you'd find that the licensing costs would burn a whole in your IT budget. VMScluster licenses were especially expensive.
The same comments you made about OpenVMS on VAX being secure also apply to OpenVMS on Alpha. It's more realistic that you suggest a small company buy the smallest used Alpha they could find and run OpenVMS on there. But even then, you'd be hard-pressed to find a good firewall package to run on that OS. One other problem with the VAX line was that unless you are very fond of FDDI, you are going to have a hard time going above 10Mbit/sec on your LAN connections.
Your comment about fewer and fewer people being left that actually write code for or know VMS is true. There are less than ten good VMS admins left in the world (I used to be one of them;) ).
I know that anyone with a seven-digit Slashdot ID is going to say "What's all this VAX and VMS stuff this dude is talking about?" The glory days for VMS have been gone for quite a while. Most of the old-timers (people my age) will say "I used a VAX to write Fortan programs when I was in college." and that's the last time they saw a VMS system. The OS was truly a work of art and you couldn't beat that platform when you needed serious uptime. I was managing VMSclusters when Microsoft was still trying to work the bugs out of two-node NT clusters that shared a few disks on a common SCSI bus. We had a cluster of systems all connected to the same shared storage bus (CI) to access disk storage that was available to all of the cluster members. This was ten years before the word "SAN" became popular.
Those were the good old days. But, alas, it has been three years since I logged into a VMS system, ran Autogen or used Eve to edit SYSTARTUP_VMS.COM. I miss those days.:)
Maybe I'm biased, since one of the Web sites being blocked was mine.
To throw a little salt on that wound, Websense has your website (www.peacefire.org) categorized as "Proxy Avoidance". There are probably a LOT of Websense customers who can't get to your website.
A thousand a year for insurance? Stop hitting things, man.
Auto insurance is not based only on your record of "hitting things". Your zip code also comes into play. If you live in or near a high crime area where your car is likely to be stolen, your rates are higher. If you live in a nicer suburb, the "someone's gonna steal your car while it's parked in your driveway" penalty goes down. It's all based on your zip code. I learned this the hard way when I moved to Michigan and lived in one of the suburbs of Detroit. My zip code was close enough to Detroit that I had to pay higher rates than someone living a few miles further away from Hell, err, I mean the City of Detroit.
There is also something crazy in Michigan called "No fault insurance" where you pay through the ass for auto insurance because in an accident, no one is at fault (or something like that). The auto insurance agent who explained all of this to me was highly amused when I told him my auto insurance used to be half of what he was quoting me before I moved to Michigan. I remember telling him, "That's what I'd pay back home if I got caught for DUI!!"
So despite having a clean driving record, I paid a LOT more for auto insurance because I 1) moved to a state with a crazy insurance scheme and 2) my zip code was close to Detroit (but not in the city itself).
You know, I think the thing that aggravates me the most is that these distributed computing systems are helping drug companies find cures to illnesses using OUR processing power and computers WE paid for, only to sell us the drug that they would have been hard pressed to develop without our hardware back to us at an extremely inflated price.
Posting a reply to your comment is going to un-do my moderation this morning but I can't let your comment go by without a response. Yes, we (people who run the distributed computing clients on our home PCs) are contributing OUR resources to large pharmaceutical companies (directly or indirectly). I am running the F@H client on multiple PCs (at my home) that I bought with my take-home pay. Furthermore, my electric bill is impacted by having those PCs running (my electricity is about $0.03/kwh off-peak) *and* there is an additional cooling load on my home's HVAC system in the summer. Yes, the drug companies are getting something from me without ever acknowledging the money I have invested in helping them produce a new drug. But I don't do it for the recognition or the fame (okay, I do watch the F@H stats to see how many points I am producing each week compared to the other contributors on my F@H team) but instead I do it for the greater good. Is it possible that a company like Pfizer will take the results from my F@H clients and create their next blockbuster drug? Yes, it could happen. Will I be pissed if they don't cut me in on the action? No.
Regarding your comment: "only to sell us the drug...at an extremely inflated price." Who really knows what the true price of a drug is? How many millions need to go into the salaries of researchers, sophisticated lab equipment and large facilities to house that stuff? How do you *know* the price of a drug is "extremely inflated"?
If you don't like the distributed computing project like Folding At Home (F@H), please be aware that you don't have to run the software and you can feel quite smug every night when you tuck yourself into bed knowing that all of your home PCs are powered-off. You can even have a little chuckle and say "Suckers! My electric bill won't suffer just to benefit the drug companies!" before you turn out the light. But when the next big life-saving drug comes to market and it turns out that YOU need it to live, feel free to not purchase that drug. Show those evil drug companies that they won't get one penny of your hard-earned money.
Last year, I donated a big chunk (thousands) of my take-home pay to the Leukemia and Lymphoma Society. While I am not personally afflicted by those diseases nor is anyone in my family, I donated to that organization in the hope that a cure will be found. [My donation was not tax-deductible so I did not make the donation in the hope of reducing the amount of income tax I would pay for 2006.] I run the F@H client on my home PCs for the same reason: Somebody somewhere (maybe someone who hasn't even been born yet) will benefit from my home PCs crunching numbers throughout the night. *I* paid for these PCs, *I* pay for the power to run them, *I* pay for the extra cooling load they generate in the summer. I am doing this in the hope that someone else on the planet will benefit from my "investment".
Then, you would be shit out, processed and sold nationwide as a fertilizer, under the name Milorganite.
No, really, go to Home Depot. Hell, google it. I'm not kidding.
I know you're just trolling but I'll play along. It's too cold to do anything outside today. Why not feed the Slashtrolls...
I knew people who were making a decent living doing computer consulting for home users who went out of business because of how many 15 year old neighbours could do most of what they do for free.
That one line has got to be the best advertisement/endorsement for Linux and open source software that I've seen in a long time. If you are truly not trolling, think of how powerful that statement is: "Linux: even your neighbor's 15-year-old kid can maintain it." We should welcome software that is that easy to use and maintain, not lament it's arrival .
because "cold" to people is still a long way from too cold to extract usable heat from.
How cold can the outside temps get before a heat pump isn't an effective way of heating your house? I had minus three degrees (fahrenheit) outside this morning when I woke up.
Are heat pumps meant to work in cold temps like that or are they better suited for "milder" days in the 40's and 50's?
'Push' marketing (advertising) should be replaced by 'Pull' marketing
I'd agree with you most of the time but there have been times when 'push' marketing actually introduced me to a new product that I did not know about.
For example, in 2001, Honda started advertising a new motorcycle called the VTX. They played-up the fact that the soon-to-be introduced motorcycle would have an 1800cc engine with "pistons bigger than X" and "valves bigger than Y". Before I saw those ads, I was thinking of buying a Valkyrie. But as soon as I heard about the VTX, I went to the Honda web page to learn more. After doing some research and taking a look at a VTX (but not driving it, the bike was already sold to another customer) in a local dealership, I placed my order. If Honda had not used their 'push' advertising on TV, I would not have known that they were introducing a new model in 2001.
Now, my example is about 'push' marketing on TV. I don't mind that a bit and sometimes I find it entertaining and educational. But 'push' marketing via email is never okay. I *never* want to receive 'push' marketing in my work email account. If I waste my own personal time watching TV, that's one thing. But sending ads to my work email inbox is wasting my time at work and the advertiser is stealing from my employer.
Slashdot Mirror
If it was really the case that these buildings shouldn't have fallen down and something like a "controlled demolition" was going on, every structural engineer in the US would be on the phone to the press. There would be a flood of expert opinion saying this was a stunt. There isn't. There's a few crackpots.
So are you saying that Leslie Robertson has been lying on-camera about the design of the WTC buildings in interviews conducted after 9/11? Holy cow! Yes, there are some crackpots, indeed.
It took me about ten seconds with Google to find numerous pages that describe how the Word Trade Center buildings were designed to keep standing up under that kind of stress.
http://911research.wtc7.net/wtc/analysis/design.h
I fired-up the way-back machine and dug up this old story that mixed big transformers with deep-frying oil. Old timers (like me) will remember this one.
http://homes.cerias.purdue.edu/~spaf/Yucks/V4/msg
There are so many annoying restrictions at work, that a few people I know just take their own laptops.
And if you bring your own laptop, how do you access resources on the corporate network? Please tell me that you're not connecting your network cable to your laptop while your wifi connection is enabled.
Every time that Internet usage monitoring comes up on Slashdot, all the k00l kidz post their solutions for getting around tools like Websense and restrictive firewall policies on outbound traffic. As fun as "pulling one over on The Man" can be, violating the AUP is grounds for termination. Complain all you want about being fired but at the end of the day, you'll still be unemployed.
To head-off the "Oh yeah, I'm tool l33t to work at a square company with draconian fw admins like that dude!" comments, please know that we can't afford to have people like you on the payroll. Your methods of skirting URL filtering and/or firewall policies will get the organization sued, get us into the newspaper or both. We can't afford to have that happen.
I've been there and seen it happen. Once your organization is in the newspaper for something unsavory, that kind of damage to the credibility of the organization is hard to repair. The old saying goes "There's no such thing as bad publicity." Well, there *is* bad publicity and it can be quite costly.
Here's a challenge for you. Name a tech company that's based on the East Coast.
r poration
Here's my guess:
http://en.wikipedia.org/wiki/Digital_Equipment_Co
What do I win?
Ethernet was around for quite a few years before Netscape and Mosaic.
1 _rack.jpg
10Base5 and vampire taps, babeeeeeee!
http://en.wikipedia.org/wiki/10BASE5
Those were the days. I couldn't find a good picture of a DELNI so this will have to do:
http://wwwx.cs.unc.edu/help/network/graphics/sn39
although i thought the common approximation was 6.22*10^23
You were verrrrry close:
http://en.wikipedia.org/wiki/Mole_(unit)
The firewalls supported a VPN partner network to our companies specs that the cisco pix could not do. Fortinet wrote custom code for us just to make this work.
That sentence caught my eye. Can you provide more details on what you were trying to do with VPN that the PIX could not handle? I do a lot of work with IPSec tunnels and it sounds like you were pushing the VPN feature pretty hard. I don't doubt what you said. I am simply asking for further technical detail into the issue you uncovered with the PIX and IPSec. Please share as many details as you can without posting something that would cause security issues for the sites that deployed your solution. Thanks.
Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&l ang=en [securecomputing.com] You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.
ACK! Secure Computing Sidewinders suck! I know first-hand. I have two G2s (in an active/passive cluster) at work. I have a long list of problems that I've encountered with those beasts over the last year. They are going to be replaced soon by a very fast, very capable product from Juniper.
I am currently running Sidewinder G2 version 6. A few of my problems:
1. Slow. The Sidewinders (specifically the "proxy" part) are a significant bottleneck in our network.
2. Email. For a while, certain inbound email messages were being dropped due to "feature" in Sendmail. The only was to fix the problem was for me to get into the guts of the Sendmail config files and edit things by hand.
3. Traceroute. Is it too much to ask to be able to run a traceroute *through* a firewall? The Sidewinder G2s do not allow this to happen.
4. HA: Failover is slow and clumsy. There is no "state table" shared between the Sidewinders so any active TCP connections will get terminated when the failover happens.
5. Reboot: Certain operations require the firewalls to be rebooted. What???? My PIX or Juniper Netscreen firewalls never pop-up a message saying "That change will go into effect after the next reboot."
6. The whole "proxy" thing is a pain in the neck. I can't tell you how many IPtables-style rules I have had to create to get around problems caused by the Secure Computing "tcp proxies".
7. The admin GUI is really nothing to write home about.
8. Logging. Logging is really, really sucky. Compared to the syslog messages that come from a PIX, the difference between the Sidewinders and a PIX is like night and day.
9. "Application Defense". Yeah, had to disable that is most places because, believe it or not, every single website on the Internet is not RFC-compliant.
10. I ran into a situation recently where I wanted to create a tcp proxy for ports 2000-2010. I couldn't do that because earlier I had created a proxy for the single tcp port 2001. What's up with that? I left the tcp proxy in place and then opened tcp 2000-2010 using an IPTables rule.
That's enough for now. I do have more.
The Sidewinder G2s will be removed from our network and replaced by high performance firewalls from Juniper. I'm very familiar with ScreenOS and I've seen the Juniper Netscreen HA feature in action. The failover time between two firewalls in an active/passive NSRP cluster is amazing.
So, we are going to cease being a Secure Computing customer and the Sidewinders (which are really Dell servers running some flavor of BSD) will get turned into test servers (probably get Win2003 server loaded onto them). I will say this for Secure Computing, we have a LOT of RSA tokens and we are taking a very serious look at Secure Computing's Safeword tokens. S.C. has a very nice product in that market.
We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):
Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.
I laughed when I read your message. You spent THOUSANDS of dollars and you wonder why you don't have unlimited users allowed through your firewall. I've never seen the PIX syslog message that you listed above (and I've worked with a lot of PIX firewalls). I've never deployed a firewall with a limited user count (unless you count the 10-user Netscreen 5GT and PIX 501 in my home network). Step up to the big leagues and pay for the unlimited platforms. When you say "THOUSANDS of dollars" in a firewall conversation, the first thing that comes to mind is that I think that's a pretty good deal for annual maintenance, not the total cost of purchasing the firewall hardware itself. You'd wet yourself if you saw our annual Secure Computing support cost (Sidewinder G2s).
If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.
The budget is a big factor. Checkpoint is known for their bend-you-over-the-rail annual maintenance costs. Comparable products from other vendors will not consume so much of your budget when it comes time to renew the support contract.
If you can find one, the best machine to use as a firewall would be an old DEC VAX. Why? Because nobody has (yet) broken the security of a correctly-configured VMS system. making it two exploits better than even OpenBSD. It makes no difference that porting to VMS is a nightmare, because you wouldn't want to do so. Nor does it matter that VMS kernel developers are about as common as honest lawyers - whatever holes exist are far beyond the capabilities of a sizable percentage of experts in the field. Unless you're keeping nuke missile codes, VMS or OpenVMS should be more than strong enough to keep anyone out
;) ).
:)
1. The name of the OS was officially changed to "OpenVMS" a while ago. There is no "VMS or OpenVMS" (unless you work in HR and you're putting a job posting on Monster.com).
2. You're advocating that a company with twelve employees buy a VAX? The maintenance contract alone on the hardware would suck-up all of their profits. Also, the VAX platforms were never known for their awesome number crunching power. I've got a Core 2 Duo E6600 (home PC) that would eat any VAX (or reasonable cluster of VAXen) for lunch. The fastest VAX systems were built by buying the motherboard from a third-party company and replacing the standard motherboard (http://www.nemonixengineering.com/). If you actually did buy a larger VAX (6000 or 7000-class), you'd find that the licensing costs would burn a whole in your IT budget. VMScluster licenses were especially expensive.
The same comments you made about OpenVMS on VAX being secure also apply to OpenVMS on Alpha. It's more realistic that you suggest a small company buy the smallest used Alpha they could find and run OpenVMS on there. But even then, you'd be hard-pressed to find a good firewall package to run on that OS. One other problem with the VAX line was that unless you are very fond of FDDI, you are going to have a hard time going above 10Mbit/sec on your LAN connections.
Your comment about fewer and fewer people being left that actually write code for or know VMS is true. There are less than ten good VMS admins left in the world (I used to be one of them
I know that anyone with a seven-digit Slashdot ID is going to say "What's all this VAX and VMS stuff this dude is talking about?" The glory days for VMS have been gone for quite a while. Most of the old-timers (people my age) will say "I used a VAX to write Fortan programs when I was in college." and that's the last time they saw a VMS system. The OS was truly a work of art and you couldn't beat that platform when you needed serious uptime. I was managing VMSclusters when Microsoft was still trying to work the bugs out of two-node NT clusters that shared a few disks on a common SCSI bus. We had a cluster of systems all connected to the same shared storage bus (CI) to access disk storage that was available to all of the cluster members. This was ten years before the word "SAN" became popular.
Those were the good old days. But, alas, it has been three years since I logged into a VMS system, ran Autogen or used Eve to edit SYSTARTUP_VMS.COM. I miss those days.
Today, the fastest VAX systems are running in a VM on an Intel platform http://www.stanq.com/charon-vax.html.
Maybe I'm biased, since one of the Web sites being blocked was mine.
To throw a little salt on that wound, Websense has your website (www.peacefire.org) categorized as "Proxy Avoidance". There are probably a LOT of Websense customers who can't get to your website.
A thousand a year for insurance? Stop hitting things, man.
Auto insurance is not based only on your record of "hitting things". Your zip code also comes into play. If you live in or near a high crime area where your car is likely to be stolen, your rates are higher. If you live in a nicer suburb, the "someone's gonna steal your car while it's parked in your driveway" penalty goes down. It's all based on your zip code. I learned this the hard way when I moved to Michigan and lived in one of the suburbs of Detroit. My zip code was close enough to Detroit that I had to pay higher rates than someone living a few miles further away from Hell, err, I mean the City of Detroit.
There is also something crazy in Michigan called "No fault insurance" where you pay through the ass for auto insurance because in an accident, no one is at fault (or something like that). The auto insurance agent who explained all of this to me was highly amused when I told him my auto insurance used to be half of what he was quoting me before I moved to Michigan. I remember telling him, "That's what I'd pay back home if I got caught for DUI!!"
So despite having a clean driving record, I paid a LOT more for auto insurance because I 1) moved to a state with a crazy insurance scheme and 2) my zip code was close to Detroit (but not in the city itself).
Keep an eye on the Firehose, if you're a /. subscriber, and you'll see what I mean.
I've never been a subscriber yet I am invited to drink from the Firehouse on a weekly basis.
If your a bounty hunter, and your trespass onto my property without a warrant for my arrest, I will shoot you and claim self defense.
Better yet, throw your dictionary at the bounty hunter and save the bullets for your third grade grammar teacher.
You know, I think the thing that aggravates me the most is that these distributed computing systems are helping drug companies find cures to illnesses using OUR processing power and computers WE paid for, only to sell us the drug that they would have been hard pressed to develop without our hardware back to us at an extremely inflated price.
Posting a reply to your comment is going to un-do my moderation this morning but I can't let your comment go by without a response. Yes, we (people who run the distributed computing clients on our home PCs) are contributing OUR resources to large pharmaceutical companies (directly or indirectly). I am running the F@H client on multiple PCs (at my home) that I bought with my take-home pay. Furthermore, my electric bill is impacted by having those PCs running (my electricity is about $0.03/kwh off-peak) *and* there is an additional cooling load on my home's HVAC system in the summer. Yes, the drug companies are getting something from me without ever acknowledging the money I have invested in helping them produce a new drug. But I don't do it for the recognition or the fame (okay, I do watch the F@H stats to see how many points I am producing each week compared to the other contributors on my F@H team) but instead I do it for the greater good. Is it possible that a company like Pfizer will take the results from my F@H clients and create their next blockbuster drug? Yes, it could happen. Will I be pissed if they don't cut me in on the action? No.
Regarding your comment: "only to sell us the drug...at an extremely inflated price." Who really knows what the true price of a drug is? How many millions need to go into the salaries of researchers, sophisticated lab equipment and large facilities to house that stuff? How do you *know* the price of a drug is "extremely inflated"?
If you don't like the distributed computing project like Folding At Home (F@H), please be aware that you don't have to run the software and you can feel quite smug every night when you tuck yourself into bed knowing that all of your home PCs are powered-off. You can even have a little chuckle and say "Suckers! My electric bill won't suffer just to benefit the drug companies!" before you turn out the light. But when the next big life-saving drug comes to market and it turns out that YOU need it to live, feel free to not purchase that drug. Show those evil drug companies that they won't get one penny of your hard-earned money.
Last year, I donated a big chunk (thousands) of my take-home pay to the Leukemia and Lymphoma Society. While I am not personally afflicted by those diseases nor is anyone in my family, I donated to that organization in the hope that a cure will be found. [My donation was not tax-deductible so I did not make the donation in the hope of reducing the amount of income tax I would pay for 2006.] I run the F@H client on my home PCs for the same reason: Somebody somewhere (maybe someone who hasn't even been born yet) will benefit from my home PCs crunching numbers throughout the night. *I* paid for these PCs, *I* pay for the power to run them, *I* pay for the extra cooling load they generate in the summer. I am doing this in the hope that someone else on the planet will benefit from my "investment".
I have a degree in Mathematics...
In that case, I'd like a Whopper meal without tomatoes. Can I get a coupla packets of ketchup for my fries?
Then, you would be shit out, processed and sold nationwide as a fertilizer, under the name Milorganite.
No, really, go to Home Depot. Hell, google it. I'm not kidding.
Or you could just browse over to the Milorganite website to see how Milorganite is made:
http://www.milorganite.com/about/
...if some guy in Afghanistan (or Milwaukee, for that matter)...
Do not meddle in the affairs of people from Southeastern Wisconsin, for you would taste good boiled in beer and smothered in sauerkraut.
I know you're just trolling but I'll play along. It's too cold to do anything outside today. Why not feed the Slashtrolls...
I knew people who were making a decent living doing computer consulting for home users who went out of business because of how many 15 year old neighbours could do most of what they do for free.
That one line has got to be the best advertisement/endorsement for Linux and open source software that I've seen in a long time. If you are truly not trolling, think of how powerful that statement is: "Linux: even your neighbor's 15-year-old kid can maintain it." We should welcome software that is that easy to use and maintain, not lament it's arrival .
and still be able to deliver 600, 480, 240 or 120 volts (and many others) to a customer.
My home is wired for 220...221, whatever it takes.
It's not really a proper Hypnotoad reference if you don't include the cool sound:
http://tfp.killbots.com/flash/010_hypnotoad.php
because "cold" to people is still a long way from too cold to extract usable heat from.
How cold can the outside temps get before a heat pump isn't an effective way of heating your house? I had minus three degrees (fahrenheit) outside this morning when I woke up.
Are heat pumps meant to work in cold temps like that or are they better suited for "milder" days in the 40's and 50's?
'Push' marketing (advertising) should be replaced by 'Pull' marketing
:^)]
I'd agree with you most of the time but there have been times when 'push' marketing actually introduced me to a new product that I did not know about.
For example, in 2001, Honda started advertising a new motorcycle called the VTX. They played-up the fact that the soon-to-be introduced motorcycle would have an 1800cc engine with "pistons bigger than X" and "valves bigger than Y". Before I saw those ads, I was thinking of buying a Valkyrie. But as soon as I heard about the VTX, I went to the Honda web page to learn more. After doing some research and taking a look at a VTX (but not driving it, the bike was already sold to another customer) in a local dealership, I placed my order. If Honda had not used their 'push' advertising on TV, I would not have known that they were introducing a new model in 2001.
Now, my example is about 'push' marketing on TV. I don't mind that a bit and sometimes I find it entertaining and educational. But 'push' marketing via email is never okay. I *never* want to receive 'push' marketing in my work email account. If I waste my own personal time watching TV, that's one thing. But sending ads to my work email inbox is wasting my time at work and the advertiser is stealing from my employer.
[Yes, I still have the VTX and yes, it rocks!