And a nifty ankle brace that fit into my regular shoes.
:^)
"Run, Soupdevil! Run!"
it does nothing to protect "PC (192.168.0.2)" from "broadband router (192.168.1.1)".
How can the broadband router access the pc at 192.168.0.2 if the router and pc are on different subnets (assuming a /24 for each device)?
The diagram of the gpp poster, while not the most secure, does offer *some* protection. There is no way to get to the PC unless you pass through the "firewall". (I guess you could compromise the broadband router and give its enet interface an address on the 192.168.0.0/24 network).
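To make the subnet argument above concrete, here is an added example (not code from the thread) that models the topology as it is described: the PC on 192.168.0.0/24, the broadband router on 192.168.1.0/24, and only the firewall holding an interface on both. The addresses, the router's routing table and the upstream gateway 203.0.113.1 are constructed for the demo. It shows that the router has no on-link path to the PC and, with only a default route, would hand the packet to its ISP rather than to the PC; it reaches the PC only if it has a route through the firewall (which is then the firewall's policy decision) or, as the poster says, if it is given an address on the PC's subnet.

```python
"""Added example (not from the thread): which devices can reach the PC
directly, and where the broadband router's packet actually goes.

Topology as described in the discussion; all addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Interfaces per device, written as address/prefix (constructed values).
DEVICES = {
    "pc":       ["192.168.0.2/24"],
    "firewall": ["192.168.0.1/24", "192.168.1.2/24"],
    "router":   ["192.168.1.1/24", "203.0.113.10/24"],   # LAN + WAN side
}

# The router's routing table: (prefix, next hop). "connected" means the
# destination is on a directly attached subnet; a gateway address means
# the packet is forwarded there. Constructed for the demo.
ROUTER_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "203.0.113.1"),       # default route to the ISP
    ("192.168.1.0/24", "connected"),
    ("203.0.113.0/24", "connected"),
]


def on_link_interfaces(device: str, dst: str) -> List[str]:
    """Interfaces of `device` whose connected subnet contains `dst`.
    An empty list means the device cannot deliver the frame itself; it
    has to forward through some other hop (or be renumbered)."""
    target = ip_address(dst)
    return [
        iface for iface in DEVICES[device]
        if target in ip_network(iface, strict=False)
    ]


def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup: the most specific matching route wins.
    Returns the gateway, "connected" for an on-link destination, or None
    when no route matches at all."""
    target = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    print("router on-link to PC:", on_link_interfaces("router", "192.168.0.2"))
    print("firewall on-link to PC:", on_link_interfaces("firewall", "192.168.0.2"))
    print("router sends PC-bound packet to:", next_hop(ROUTER_ROUTES, "192.168.0.2"))
    with_route = ROUTER_ROUTES + [("192.168.0.0/24", "192.168.1.2")]
    print("...with a route via the firewall:", next_hop(with_route, "192.168.0.2"))
```

The practical check behind this: on the router, the absence of any route (other than the default) for 192.168.0.0/24 is what keeps PC-bound traffic from going anywhere near the PC, and the firewall's forwarding policy is the only thing that decides what crosses between the two /24s.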
So the analogy is fundamentally flawed- violating someone's home is much more... serious.. than violating a computer.
I take it you've never heard of HIPAA. Violating a computer system that results in the confidentiality of PHI being compromised is some pretty serious shit.
I'd have to say that violating certain computer systems is more serious than violating a person's home.
A friend of mine ran crack over /etc/passwd on his physics department's unix system, successfully cracking 20% of the passwords on file. He sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.
A friend of mine tried a lock-picking tool on the front door of every house in his subdivision, successfully opening 20% of the locked doors. He sent the results to the local police department, with a note asking that the lock-picking tool be tried on every door in town, and was promptly arrested.
You don't happen to live along the western side of Lake Michigan, do you? ;^)
The criminals are lucky that they use Progressive and not Geico. That little lizard would not go so easy on someone who used a stolen credit card. :^)
And once everyone is armed like you, muggers will shoot at us from a distance and take the money off our dead bodies. Thanks for making the world safer.
No...if everyone was armed, muggers would think twice about even pulling out a weapon. Also, muggers are not trained snipers. When you say "at a distance", muggers are not going to hide behind trees 50 yds away and put two in your forehead before emptying your wallet.
Most muggers probably couldn't hit a person more than 25 feet away. Too many TV shows where people hold handguns horizontal and/or fire from the hip.
The other cool part of everyone being armed is that a mugger doesn't know that you are a fairy coward afraid of carrying a weapon. So, even if you don't want to carry, the criminal doesn't know that and he won't mess with you. You get the benefits of owning a gun without ever buying one.
-s
Mr. Droopus:
6 rifled slugs for the obstinate types
I can see using the shotgun for home defense but with the slugs, do you have to be concerned about the slugs passing through walls in the event you miss?
In an urban setting, wouldn't a slug go through your walls and possibly through the walls of your neighbor's house?
Maybe I'm overestimating the range of a slug coming from a shotgun barrel. I've only hunted with shotguns using "normal" shotshells or rifles (30-06, 30-30). Never fired a shotgun containing a slug.
In a home defense situation, it would seem like you would want a weapon that wouldn't go through your neighbor's house, his neighbor's house and the house after that. I'd never depend on a rifle for home defense because if I did not hit my target, the bullet wouldn't stop until it had passed through quite a few walls.
How does the slug (or your wife's sidearm) handle passing through walls (conventional drywall, not bricks or poured walls)?
Thanks, -s
That a man caught his wife cheating on him with his best friend on the sofa. What did he do? He threw away the sofa.
Wow! That's the dumbest analogy I've heard in a long time. To make it more accurate to the discussion, it should go something like this:
There was a man who came home to find he had 5000 guys in his living room. He heard that someone was banging his wife on the sofa but he didn't have the stamina to personally watch the sofa 24 hours a day to make sure that people weren't banging on the sofa (just sitting on the sofa next to the wife is permitted).
The guy got tired of the stories about someone banging his wife on the sofa so he threw the sofa away.
Yeah, the innocent guy who wanted to just sit on the sofa and watch TV while sitting next to the wife was punished. But those are the breaks.
-s
How can a student respond to such an accusation in order to defend the validity of BitTorrent and continue to benefit from its legitimate uses?
You can respond by getting all (and I mean ALL) of your fellow students to stop downloading movies and music that attract the attention of the RIAA/MPAA.
This is truly a case of throwing the baby out with the bathwater. Yes, there are legit uses for BitTorrent. But so many people use it for illegal purposes that the only solution left to IT staff is to block the use of BitTorrent for everyone.
In the past, I have blocked P2P apps for *everyone* (things like Kazaa, Gnutella, WinMX) behind my firewall because it is impossible to tell if a person is using the P2P app for legal purposes. Nearly all of the P2P usage is for illegal purposes (for the purposes of this discussion, we are talking about the laws in the U.S., I have never worked outside this country).
How could you respond on a personal level? Approach your friendly neighborhood I.S. person and ask him for a personal exemption to the BitTorrent block because you are going to (swear on your momma's grave) use BitTorrent for only legit purposes. He/She may decide to give you a special static address that is magically exempt from the rules that crush BitTorrent for everyone else. If you betray that trust, expect to be dealt with quickly and severely.
In an educational setting, the rules are a little more relaxed than in a business environment. Sometimes if you block a certain program or protocol, people cry "Free speech!". Then all you need to do (as an I.S. person) is tune up your handy-dandy PacketShaper to give that pain-in-the-neck protocol so little bandwidth that it's basically unusable.
"I.T. Guy, are you blocking the student from using the Internet?"
"No, Dean Wormer. But we are using traffic shaping tools to prioritize the various protocols on our Internet link."
Dean Wormer does not hear the word "block" in your response so he moves on to more important university business.
In a business environment, things are a little easier to deal with. The company exists to make money. And one of the tools it needs to be successful is a working network and Internet connection. If the I.T. group finds a user running a P2P app, Zing!, it gets blocked. No chance for appeal. Working for a business does not give a user the *right* to run eMule, WinMX, or anything else. The other issue is that companies have a great aversion to being sued. If a user is found doing something with company resources that would invite the attention of hostile lawyers, that activity gets stomped quickly.
Sorry for the long diatribe. How can a student respond? Plead your individual case with the I.T. department and hope you catch the network admins on a good day.
You are, after all, at that particular institution to *learn*. The Internet connection is not for downloading music (unless that would be part of a class), gaming or swapping movies.
SecurID
:^)
If the bank is that worried about spyware and keyloggers, why not just send every customer a SecurID fob?
Yeah, spyware could re-direct DNS name resolution and/or keyloggers could try to grab a username and password but SecurID would seem to fix those problems more easily than sending people CDs that they need to boot from.
DNS tomfoolery? When the bank client tries to authenticate with their SecurID fob, the phishing site would capture only a 12-digit number that is good for seconds (PIN + tokencode). The bank client would not be granted access to their bank accounts so they would know that something is wrong (spyware) with their PC.
Keylogging: Same as above, a keylogger may capture the username and password used to login to the banking site but that username and passcode are good for only 60 seconds.
Stop burning CDs and start mailing fobs! ACE authentication for everyone.
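Added example (not from the thread, and not SecurID's own algorithm, which is proprietary): an RFC 6238 TOTP tokencode stands in for "PIN + 60-second tokencode" to show exactly what the post claims about a captured passcode. The seed, PIN and timestamps are constructed. The server side accepts a passcode only in its own (or the immediately preceding) 60-second window and never twice, so a keylogged or phished passcode is good for one login inside the window and worthless afterwards.

```python
"""Added example (not from the thread): why a captured PIN + tokencode is
nearly worthless to a keylogger or phishing site.

TOTP (RFC 6238) is used as a stand-in for the proprietary SecurID
algorithm; secret, PIN and timestamps are constructed for the demo.
"""
import hashlib
import hmac
import struct

STEP = 60      # tokencode lifetime in seconds, as in the discussion
DIGITS = 6     # tokencode length
SECRET = b"constructed-demo-seed-not-a-real-token"   # constructed
PIN = "1234"                                          # constructed


def tokencode(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def passcode(pin: str, secret: bytes, t: int) -> str:
    """What the user types (and what a keylogger would see): PIN + tokencode."""
    return pin + tokencode(secret, t)


class Authenticator:
    """Server side: checks PIN + tokencode for the current window and
    refuses to accept the same passcode twice (replay protection)."""

    def __init__(self, pin: str, secret: bytes):
        self.pin, self.secret = pin, secret
        self.used = set()   # (time counter, code) pairs already accepted

    def verify(self, submitted: str, now: int) -> bool:
        if not submitted.startswith(self.pin):
            return False
        code = submitted[len(self.pin):]
        # Accept the current window and the previous one to tolerate clock skew.
        for counter in (now // STEP, now // STEP - 1):
            expected = tokencode(self.secret, counter * STEP)
            if hmac.compare_digest(code, expected):
                if (counter, code) in self.used:
                    return False        # replay of an already-used passcode
                self.used.add((counter, code))
                return True
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed login time
    captured = passcode(PIN, SECRET, t0)    # what the keylogger grabbed
    auth = Authenticator(PIN, SECRET)
    print("legit login      :", auth.verify(captured, t0 + 5))     # True
    print("replay, same min :", auth.verify(captured, t0 + 5))     # False
    print("replay, 2 min on :", auth.verify(captured, t0 + 130))   # False
```

The residual risk is the window itself: a phishing site that relays the passcode to the bank within those seconds gets one session, which is why the "user is not granted access and notices" argument matters, and why the server must record used codes rather than only checking the clock.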
You can die more than once?
:^)
http://www.imdb.com/title/tt0062512/
Yes, you can die more than once.
Some special channels (adult oriented) are encrypted so it's the cable box's job to decrypt the channel for viewing.
Dude, here in Southeast Wisconsin, Time Warner encrypts *all* of the digital channels except for the local stations.
It doesn't matter if the content is NASCAR, hunting/fishing or cooking. I can't decrypt the channels between 100 and 189 without my CableCARD.
I *can* get the local stations in HD (in the 500s) but TNT HD, Discovery HD, Fox Sports HD and the HD movie channels are encrypted.
-s
Gary Gilmore was shot years ago.
http://crime.about.com/od/history/qt/lstwrds_gilmore.htm
Are you proposing that we shoot him again?
and they can't be 100% certain that they're dinking with the right or wrong ones as at least a few of the VoIP services use port 80 to tunnel through firewalls.
Kind Sir/Madam:
If the ISP prioritizes its own VOIP traffic, wouldn't that ISP then know *exactly* how to identify that traffic and which ports it will use?
I believe your point is invalid and the premise will not "fall apart" as you believe.
Thank you,
-Scott
I created a website that attacked my school district.
:^)
Wanna hear something funny? Your parents are paying killer property taxes for you to attend that school. BWAA-HA-HA-HA! Make sure you tell them about your little protest site as they pay their property tax bill each year. I'm sure they'll enjoy the irony of you attacking a school that they are funding with a noticeable chunk of their take-home pay.
Apparently, OIT people like having piles and piles of unused bandwidth.
No, dickhead. OIT people don't like days when they get nastygrams from the MPAA/RIAA.
They also dislike days when a faculty member makes the front page of the local newspaper for downloading kiddie porn onto his PC at work.
It's not a bandwidth issue. It's a "gee, I don't want us to get sued and/or end up on the front page" issue.
-Scott
One of those OIT people
... Truckasaurus?
> Do they have use sort of WEP, WPA, etc.?
If everyone in the store used the same WEP key, then they can see the packets flying through the air in a decrypted form.
WEP does not imply that each person has their own encrypted connection to the access point (like an SSH tunnel).
Everyone who knows the WEP key can see everyone else's business.
-Scott
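Added example (not from the thread) illustrating Scott's point in code: a toy WEP-style encapsulation (RC4 keyed with IV || shared key, CRC-32 ICV) in which two customers' frames are both readable by any third party holding the same shared key. The key, IVs and payloads are constructed; nothing here recovers an unknown key, it only shows that a shared key gives no confidentiality between the people who share it.

```python
"""Added example (not from the thread): with WEP every station shares one
key, so any station holding it can decrypt every other station's frames.

Toy WEP-style encapsulation; key, IVs and payloads are constructed.
"""
import struct
import zlib
from typing import List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the PRGA keystream with data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style: per-frame RC4 key = IV || shared key; body = payload || ICV.
    The 3-byte IV is sent in the clear in front of the ciphertext."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + shared_key, payload + icv)


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Anyone holding the shared key reads the IV off the frame and decrypts.
    Returns the payload, or None if the ICV does not check out."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        return None
    return payload


SHARED_KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key

# Constructed frames from two different customers in the store.
FRAME_A = wep_encrypt(SHARED_KEY, b"\x00\x00\x01", b"GET /account HTTP/1.0")
FRAME_B = wep_encrypt(SHARED_KEY, b"\x00\x00\x02", b"user=bob&pass=hunter2")


def what_a_third_customer_sees(key: bytes) -> List[Optional[bytes]]:
    """A third station with the same key decrypts both customers' frames."""
    return [wep_decrypt(key, f) for f in (FRAME_A, FRAME_B)]


if __name__ == "__main__":
    for payload in what_a_third_customer_sees(SHARED_KEY):
        print(payload)
```

The fix is per-station keying: WPA2 with 802.1X derives a separate pairwise key for each client, so even clients on the same access point cannot read each other's unicast traffic, and anything sensitive over a shared-key hotspot belongs inside a VPN or TLS in any case.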
The other cool thing you could do with Snort (if you are a consultant conducting a network security assessment) is to deploy Snort on the inside network and then show the customer all of the IIS-based attacks that are making it through their Layer 3 firewall because they have their firewall configured to allow inbound TCP port 80 to their webserver.
"But I thought my firewall blocked that stuff!!!"
-Scott
Snort can be configured to send TCP resets to an attacker therefore blocking the attack.
A cool way to use this is to put Snort on the inside network and have it watch the traffic coming in from the Internet. When it sees an attack, it sends a Reset to the attacker. The firewall sees that outbound Reset and tears down the TCP connection.
When the next packet arrives from the attacker, the firewall says "I don't seem to have an existing TCP connection for you. To the bit bucket you go."
Snort is also pretty handy at blocking P2P traffic because it works at Layer 7 (where most firewalls do their stuff at Layer 3).
Once you get comfortable with Snort and then realize you are spending 40 hours a week tuning and updating the box, you move to a real IDP like the Juniper Netscreen IDP.
Thanks,
-Scott
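Added example (not from the thread, and not Snort's code) that simulates the firewall side of what Scott describes: a stateful firewall's connection table, an inside sensor that answers an attacking request with a spoofed RST, and the attacker's next packet being dropped for lack of state. The addresses, ports and the sequence of packets are constructed; in Snort 2 the rule option that emits such a reset is `resp` (for example `resp:rst_snd;`), which is assumed here but not needed by the simulation.

```python
"""Added example (not from the thread): why an IDS-sent TCP reset makes a
stateful firewall discard the rest of the attacker's connection.

Simulates only the firewall's connection table; packets are constructed.
"""
from dataclasses import dataclass
from typing import List

ATTACKER = "198.51.100.9"     # constructed Internet-side address
WEB_SERVER = "192.0.2.10"     # constructed inside web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S", "PA", "R"
    direction: str   # "in" = Internet -> inside, "out" = inside -> Internet


class StatefulFirewall:
    """Permits new inbound connections only to allowed (host, port) pairs,
    then tracks each connection and drops anything without matching state."""

    def __init__(self, inbound_allowed):
        self.inbound_allowed = set(inbound_allowed)
        self.table = set()   # live connections, stored inbound-oriented

    @staticmethod
    def key(p: Packet):
        # Normalise so both directions of a connection map to one entry.
        if p.direction == "in":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        k = self.key(p)
        if "R" in p.flags:
            self.table.discard(k)   # a RST from either side tears the state down
            return "pass"
        if k in self.table:
            return "pass"           # part of a tracked connection
        if p.flags == "S":          # new connection attempt
            if p.direction == "out" or (p.dst, p.dport) in self.inbound_allowed:
                self.table.add(k)
                return "pass"
        return "drop"               # no state, no policy match: bit bucket


def snort_reset(trigger: Packet) -> Packet:
    """The reset as the firewall sees it: a RST that appears to come from
    the inside server, addressed to the attacker's socket."""
    return Packet(trigger.dst, trigger.dport, trigger.src, trigger.sport, "R", "out")


def run_scenario() -> List[str]:
    """Verdicts for: handshake, attacking request, Snort's reset, follow-up."""
    fw = StatefulFirewall({(WEB_SERVER, 80)})     # inbound 80 to the web server is allowed
    syn = Packet(ATTACKER, 40000, WEB_SERVER, 80, "S", "in")
    request = Packet(ATTACKER, 40000, WEB_SERVER, 80, "PA", "in")   # matches a signature on the inside sensor
    followup = Packet(ATTACKER, 40000, WEB_SERVER, 80, "PA", "in")
    return [fw.handle(p) for p in (syn, request, snort_reset(request), followup)]


if __name__ == "__main__":
    print(run_scenario())   # ['pass', 'pass', 'pass', 'drop']
```

Two caveats a practitioner would want: the reset races the real server's reply, so the attacking request that triggered it has already been delivered (this is detection-plus-containment, not prevention), and the trick only works for TCP, since there is no equivalent state to tear down for UDP.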
>Anybody have any good reasons why a company would want to adopt it nowadays?
:^)
1) OpenVMS runs 24 x 365
2) It has clustering that actually works
3) It runs 24 x 365
4) It takes to fibre channel storage like a fish to water
5) It runs 24 x 365
6) You can stake your personal reputation on a system that runs OpenVMS and not have to constantly carry a copy of your resume on a USB flashdrive in your pocket
7) Did I mention that it runs 24 x 365?
8) Scales like crazy
-Scott
Former VMS Dude/Fibre Channel Plumber
What?
What brand of firewall do you have that a device plugged into the "inside" network can request that the firewall allow inbound tcp port 80? And also request a NAT rule to connect a "real address" to the address on the internal network?
I need some examples....
-s
> But it'd still be too expensive in terms of privacy for me.
Mr. Goat, I agree with your privacy concerns. Filing through a non-governmental agency does come with a certain amount of risk.
However, in the recent past, have you:
1) Purchased a new car by financing part of the cost (i.e. not paying cash for the whole thing)?
2) Built/purchased a new home?
3) Refinanced your mortgage?
The list is not comprehensive, just a few of the most intrusive transactions I can think of. When you finance a car, build/buy a new house, or refinance your mortgage, it seems like you have to provide almost too much financial data about yourself.
It's an odd feeling to hand over a stack of papers that basically represent the entire financial side of your life to a person you just met so you can get another 0.5% off that 30-year mortgage.
My point is that while I agree with your concerns about privacy, there are other transactions that we encounter which ask for a lot more information about our personal life and we are at the mercy of the companies we deal with to keep that information confidential.
-Scott
Turbo Tax For the Web.
http://www.turbotax.com/
Why are people talking about buying and *installing* software? Just use the freakin web version.
I've filed electronically using TTFTW for the past couple of years (both state and fed). Return goes directly into my checking account via EFT.
Cost is under $50 to file both fed and state. Can't beat it with a stick.
-Scott