Slashdot Mirror


User: Ernesto+Alvarez

Ernesto+Alvarez's activity in the archive.

Stories: 0
Comments: 424

Comments · 424

  1. Re:why are passwords even allowed? on The Low-Intensity, Brute-Force Zombies Are Back · · Score: 1

    I've commented about that SSH/VPN idea somewhere else here.

    What is the advantage of having an extra VPN in terms of SSH usage?
    (I know there are other advantages, but you seem to imply that's just to allow SSH access from everywhere but a list of known addresses)

  2. Re:why are passwords even allowed? on The Low-Intensity, Brute-Force Zombies Are Back · · Score: 1

    Something interesting about your usage of tcp/2022. I did the same thing recently on an occasion when I could not use tcp/22, since it seemed an obvious choice. Probably most automated attacks only concentrate on tcp/22 (the obvious target, and if you can move it, you probably know enough to secure it properly), but I've been wondering if someone might start considering scanning on 2022 or any other "obvious" choice.

    Right now it seems that nobody is scanning for them, but is anyone else setting ssh servers on tcp/2022 or tcp/2222?

    (maybe I should give nmap a try, but I lose nothing by asking I guess)

  3. Re:Protect yourself on The Low-Intensity, Brute-Force Zombies Are Back · · Score: 0

    Use VPN. Although it may seem redundant, SSH thru a VPN tunnel does provide a secondary access method which is secure.

    While a VPN is secure, so is SSH.
    Your idea might have some merit, until someone decides to go for your VPN solution instead of SSH, then you're in the same kind of trouble.

    What I'm trying to stress here is that either you block access from unknown/unexpected addresses or you don't, just as you use an established secure login protocol or you don't. Pretending to block unknown IPs while having a VPN endpoint accessible to anyone is not restricting access to your servers to known addresses, it's having access from everywhere and trading SSH's set of vulnerabilities for your VPN's.

    If you assume SSH has some problem, then it's a good idea to do what you've done. Then again, if that is the case, you shouldn't leave it open even to a few addresses (since that fault might be exploited by anyone capable of impersonating/pwning one of these hosts). That VPN is handy if you have services other than SSH, though. On the other hand, SSH is supposed to be designed to work in a hostile environment. If there is a problem with SSH you should probably report it to the appropriate persons, so it can be corrected.

    IMHO, you're deceiving yourself into thinking you're restricting using IP addresses when you're not.

    PS: I run OpenSSH on port 22, RSA/DSA keys only, non-root, and have another set of security measures in order to escalate (once you get to a non-root account).
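The three comments above are about the same story: slow, distributed password guessing against sshd, and whether a per-address allow list buys anything. The script below is an added example, not code from the thread or from any commenter; it runs the kind of analysis a defender would do over sshd log lines. The log lines are constructed to look like OpenSSH syslog output, and the allow-listed network 192.0.2.0/24 is an assumption. It shows why a per-source threshold misses low-intensity zombies (each source only tries once or twice) and separately flags failures arriving from inside the allow list, which is the case the third comment warns about.

```python
"""Spot a low-intensity, distributed SSH brute force in sshd log lines.

Added example, not code from the Slashdot thread. The log lines below are
constructed to look like OpenSSH syslog output; the allow-list network is an
assumption.
"""
import ipaddress
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" records and captures user name and source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log: many sources, one or two attempts each, all probing
# the same handful of accounts. One failure comes from an allow-listed address.
SAMPLE_LOG = """\
Apr 10 03:12:01 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 40112 ssh2
Apr 10 03:14:44 bastion sshd[2207]: Failed password for invalid user admin from 203.0.113.9 port 51021 ssh2
Apr 10 03:19:30 bastion sshd[2213]: Failed password for root from 203.0.113.55 port 33410 ssh2
Apr 10 03:25:12 bastion sshd[2219]: Failed password for invalid user admin from 198.51.100.88 port 45011 ssh2
Apr 10 03:31:09 bastion sshd[2225]: Failed password for root from 203.0.113.120 port 38844 ssh2
Apr 10 03:40:50 bastion sshd[2231]: Failed password for invalid user test from 198.51.100.7 port 40200 ssh2
Apr 10 03:47:03 bastion sshd[2237]: Accepted publickey for ernesto from 192.0.2.15 port 52111 ssh2
Apr 10 03:52:41 bastion sshd[2243]: Failed password for root from 192.0.2.15 port 52300 ssh2
"""

# Assumed "known" addresses that a per-IP restriction on the SSH port lets in.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def analyze(log_text, per_ip_threshold=5):
    """Aggregate failures by source address and by target account.

    A per-source threshold (the fail2ban style of rule) never trips when
    each zombie sends only a couple of guesses, so the function also counts
    distinct sources per target account, and lists failures that came from
    inside the allow list, since those would pass an address filter.
    """
    by_ip = defaultdict(int)
    sources_per_user = defaultdict(set)
    from_allowed = []
    for user, ip in parse_failures(log_text):
        by_ip[ip] += 1
        sources_per_user[user].add(ip)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ALLOWED_NETWORKS):
            from_allowed.append((user, ip))
    return {
        # sources that a classic per-IP rule would catch
        "noisy_sources": sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold),
        # accounts hit from three or more distinct sources: the distributed pattern
        "distributed_targets": {
            user: len(ips) for user, ips in sources_per_user.items() if len(ips) >= 3
        },
        "failures_from_allowed": from_allowed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data no single source reaches the threshold, so `noisy_sources` is empty, while `root` shows up as a target hit from four different addresses, and the failure from 192.0.2.15 is reported separately because an address filter would not have stopped it.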

  4. Re:Comm Loss on Multiple Fiber Cuts In San Francisco Area · · Score: 1

    Funny, I've seen nothing about the U.S. invading another country in today's news.

  5. Mod parent up on South Park Creators Given Signed Photo of Saddam Hussein · · Score: 4, Insightful

    It's not the music that is torture, it's the fact that loud music prevents a prisoner from SLEEPING.

    It's sleep deprivation, a form of torture.

  6. Re:a quarter of a watt on ARM — Heretic In the Church of Intel, Moore's Law · · Score: 1

    My palm pilot IIIxe can go on for a couple of weeks with just two AAA cells.

    As you say, the laptop would not RUN for more than 150 hours (and neither would my palm). However, my palm can stay on for that much time because it's not running all the time, being instead in an idle state that keeps the display powered and displaying whatever was put there. There's no reason to think that a similar kind of computer, using e-ink or something that needs no power to maintain the screen's contents, would not last long on a AA cell, provided you do not use it for number crunching or something like that.

    Instead of thinking of a PC, you should be thinking of a PDA.

  7. Re:Monopoly on Obama Calls For Nuke-Free World · · Score: 1

    It is insightful as in "Whooosh!"

    (and no, that was not the sound of the shockwave made by an A-bomb exploding)

  8. Wasn't NK's bomb an implosion device? on Obama Calls For Nuke-Free World · · Score: 1

    Actually, gun types are considered such simple devices that Little Boy (the Hiroshima bomb, gun type) was untested by the time they dropped it. The big problem with its production is refining the weapons grade U235. They are also inefficient and unsafe, too. In fact, a big problem of gun types is that something (like an accidental detonation) might accidentally smash those two pieces of fissile material together, so it can't be that hard to do it right. In fact, I don't think "too fast" is a problem ("too slow" is, though). And you can't do it with plutonium from a reactor, it will blow itself too early and you'll get a fizzle.

    Apparently, North Korea is/was building an implosion device, and they did not do it right. In an implosion bomb, you need to have almost perfect timing, or it won't go off (or it will fizzle if your timing is not off by much). Instead of getting 20 kilotons, they got only 1 before it blew itself apart. On the other hand, Pu239 can be made with a breeder reactor with relative ease.

    So, basically, smacking two bits of metal is easy, provided you have them. Imploding a ball of metal is harder, but the metal is easier to obtain.

  9. Re:Lunar sunshine and lunar soil on Growing Plants In Lunar Gravity · · Score: 2, Informative

    That filter already exists. Solar cells work fine on the moon. That means you can use it to recharge batteries, and use those batteries to power lamps suitable for growing plants. It's a clumsy way, but doable.

  10. Re:Wow....just wow... on CIA Expert Decries E-Voting Security · · Score: 1

    Actually, the best way to get the attention needed would be to rig the elections in the USA so that the communist party wins the presidential elections.

    Hell, I'd do it if I could just to see the reaction of the US citizens. That would be the greatest joke ever.

  11. Re:What does /. do with the IPs of Anonymous Cowar on Canadian Court Orders Site To ID Anonymous Posters · · Score: 2, Informative

    No doubt. Try moderating and then posting as anonymous. Your mods will be reverted.

  12. Re:119V-0080 on Did Bat Hitch a Ride To Space On Discovery? · · Score: 1

    ms is not an SI unit. Seconds (s) are an SI unit. Prefixing it with the abbreviation of 'milli' is not the standard usage. Rather, you should append x10^-3 to the value before the unit.

    While it's not a unit, it's perfectly legal to prefix it with the abbreviation (the prefix, actually) of milli. There really is an ambiguity there.

  13. Re:Why not use Satellites? on The Men Who Fix the Internet · · Score: 1

    Not the diameter, the circumference.
    The earth's diameter is more like 12000 km (40000/pi).

  14. What a stupid post on March 14th Officially Becomes National Pi Day · · Score: 1

    2009-02-01 would be the first day of February of year 2009 AD.
    That's because

    • When using ISO-8601 you should RTFM (no sense in talking about something you don't know about)

    • Assuming you didn't RTFM, the particular ambiguity we're talking about is not present, as the date format used does not match the "little endian" or "middle endian" structure.

    • There's nothing to make you assume something different than "big endian" since it's very logical to do so, and the major languages that use that syntax (Japanese and Chinese) for the date all use YYYY-MM-DD format.

  15. Re:To hell with them! on Author's Guild Says Kindle's Text-To-Speech Software Illegal · · Score: 1

    I guess blind people are S.O.L. as well. If synthesised reading aloud of a book is illegal, that alone takes away a powerful tool they use to interact with the world.

    You tell that to Dmitry Sklyarov.

  16. Re:TCP/IP Optimization on Ubuntu Download Speeds Beat Windows XP's · · Score: 1

    I'd say it's because of an optimization. Windows 2000 and XP have a less aggressive/advanced congestion control algorithm than Linux, the advertised window tends to be smaller and they don't take advantage of the "long fat pipe" options (at least not as much as Linux). Linux's stack also negotiates MSS and SACK and does path MTU discovery by default (it tends to use the DF bit a lot, so it needs PMTU discovery).

    Usually if you have a Linux system and a Windows side by side on the same network, Linux tends to get most of the bandwidth, "displacing" the W2K system. Don't know about any of the newer MS stacks, though.

    I suppose this difference in performance could also be caused by these differences in the stack.
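The comment above describes what a host announces in its SYN: the MSS, whether it accepts SACK, and the RFC 1323 "long fat pipe" options (window scaling, timestamps). The parser below is an added example, not code from the thread, and the SYN segments it parses are constructed in the block rather than captured from a real stack. It walks the TCP options area the way a packet analyzer would and shows how the advertised window changes once the window scale option is applied; the option layout labelled "Linux style" follows the ordering Linux uses (MSS, SACK-permitted, timestamps, NOP, window scale), and the second segment is simply a minimal SYN carrying only an MSS.

```python
"""Parse the options a TCP SYN carries: MSS, SACK-permitted, window scale,
timestamps. Added example, not code from the Slashdot thread; both segments
are constructed inline."""
import struct

TCP_HEADER_LEN = 20


def build_syn(options: bytes, window: int = 5840) -> bytes:
    """Build a minimal TCP header with SYN set and the given options.

    The options area is padded with end-of-list bytes to a 4-byte multiple
    so that the data offset field can describe it.
    """
    pad = (-len(options)) % 4
    options = options + b"\x00" * pad
    data_offset = (TCP_HEADER_LEN + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 22,          # source port, destination port
        0, 0,               # sequence number, acknowledgement number
        data_offset << 4,   # data offset in 32-bit words, reserved bits zero
        0x02,               # flags: SYN only
        window,             # unscaled advertised window
        0, 0,               # checksum (not computed here), urgent pointer
    )
    return header + options


def parse_syn_options(segment: bytes) -> dict:
    """Walk the options area and report what the sender negotiated."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[TCP_HEADER_LEN:data_offset]
    result = {"mss": None, "sack_permitted": False, "window_scale": None, "timestamps": False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte, used for alignment
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:       # Maximum Segment Size
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:     # window scale (RFC 1323)
            result["window_scale"] = body[0]
        elif kind == 4:                        # SACK permitted (RFC 2018)
            result["sack_permitted"] = True
        elif kind == 8 and len(body) == 8:     # timestamps (RFC 1323)
            result["timestamps"] = True
        i += length
    return result


def effective_window(segment: bytes, parsed: dict) -> int:
    """Receive window the peer really offers once the scale factor applies."""
    window = struct.unpack("!H", segment[14:16])[0]
    shift = parsed["window_scale"] or 0
    return window << shift


# Constructed option block in the order Linux emits: MSS, SACK-permitted,
# timestamps, NOP, window scale (20 bytes, already 4-byte aligned).
LINUX_STYLE_OPTS = (
    b"\x02\x04\x05\xb4"                                   # MSS 1460
    + b"\x04\x02"                                         # SACK permitted
    + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"  # timestamps
    + b"\x01"                                             # NOP
    + b"\x03\x03\x07"                                     # window scale 7
)

# Constructed minimal SYN that advertises nothing beyond an MSS.
MSS_ONLY_OPTS = b"\x02\x04\x05\xb4"


if __name__ == "__main__":
    for name, opts in (("linux style", LINUX_STYLE_OPTS), ("mss only", MSS_ONLY_OPTS)):
        seg = build_syn(opts)
        parsed = parse_syn_options(seg)
        print(name, parsed, "effective window:", effective_window(seg, parsed))
```

With a scale factor of 7 the same 5840-byte window field represents 747520 bytes, which is the difference the comment is pointing at: a stack that does not negotiate scaling is capped at 65535 bytes in flight no matter how fat the pipe is.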

  17. Re:"I Canna Change The Laws of Physics, Captain!" on Volvo Introduces a Collision-Proof Car · · Score: 1

    Reminds me of "World of Ptavvs", where a thrint crashes onto Earth going at a not insignificant percentage of light speed (I'm thinking about 0.9c). He survives the crash and is found by humans a few million years later.

    However, the hull of his ship was a conventional one, he was saved because he activated an emergency stasis field on his spacesuit.

  18. Same in Argentina on Should You Get Paid While Your Computer Boots? · · Score: 1

    At least in some types of jobs, like teaching at the university.
    Life insurance in case of death while working, and travelling to and from work is covered too.

  19. Re:jabber on Good Open Source, Multi-Platform, Secure IM Client? · · Score: 1

    Eavesdroppers (say, google marketing department) can still do traffic analysis to find out things about your company. It pays to have your own jabber servers.

  20. Re:How can you tell? on Underground Lab To Probe Ratio of Matter To Antimatter · · Score: 1

    "Crashlander" follows the story of Beowulf Shaeffer for a few years (it's actually a set of different short stories held together by a "glue" story). It is said in the glue story that matters got complicated, the UN got involved and eventually nobody went back due to bureaucratic reasons.

  21. Re:because on 99.8% of Gamers Don't Care About DRM, Says EA · · Score: 1

    That "DRM that works well...." (defined as prevents the user from making a pirated copy and allowing anything else) is a theoretical impossibility.

    A DRM that works well needs to know the intentions of the user (read his mind), and since it cannot do that, the DRM program must somehow classify the user's actions and block based on that. Any possible action taken by a user might be with a legitimate or illegitimate intention, impossible to distinguish just by examining the action. Therefore that DRM should do nothing (as doing something has a risk of blocking a legitimate operation).

    At the same time, any code that runs slows a system down. The ideal DRM should be nonexistent (as even running a NOP would cause a slowdown). Of course, you might have meant a DRM that causes no more than a reasonable slowdown, in that case, it might be a valid point. It doesn't invalidate my first point, though.

    Basically, your kind of DRM is a contradiction and cannot exist.

  22. No silver bullet on Vint Cerf Says It's Every Machine For Itself · · Score: 1

    With spammers there might not be a silver bullet, but don't worry (lead is good enough).

  23. Same speech as usual on Microsoft Concedes Vista Launch Problems · · Score: 1

    It's a load of the usual Microsoft speech: they never admit anything unless they have "fixed" it or they need people to upgrade to something else.

    It happened with Windows Millennium, with the first versions of XP, with COM, with the Win9X security, etc. If you asked MS about Windows Millennium, NOW they'll tell you it sucks (and that you can buy an upgrade to Vista for half the price, only for today!). Never mind they've been saying up to a certain point that it was the best thing ever made since sliced bread.

    Interestingly enough, the product that's replacing the one they criticize (Vista SP1 replacing Vista release) is free. That's the only variation of the usual process.

    We all know the truth here: Vista was released early and SP1 is the real release. With this "we were wrong" thing they change that so that they look better ("no, we didn't release experimental crap, we just were wrong but now we've fixed it, honest").

    Knowing Microsoft, wait for service pack 1 instead (and by SP1 I mean SP2, as SP1 is the real release). You'll get another "we were wrong" speech at that time, that's certain.

  24. Re:HTTP tunnels on Why Is the Internet So Infuriatingly Slow? · · Score: 1

    Some kind of . . . service quality protocol. Quality of Service, perhaps. We could call it that. But no such thing exists, of course, because if it did, we'd be using it by now.

    What's to stop every file sharer from turning up the QoS for all packets?

    Common sense. If they turn the priority way up, they will mess up their own browsing. Stupid thing to do; any experienced downloader knows he should set the QoS bits to low-priority and high-throughput, and set a cap.

    It's not like virtually all web traffic goes through a specific "port" or anything.

    Especially now that so many applications are tunneled over HTTP or HTTPS in order to coast through corporate firewalls.

    That's stupid, I agree. It is just a huge arms race, and pointless too. But you won't be doing it at home for torrenting (in fact, you probably use another port, unless there's some sort of filter in place). The "everything on port 80" phenomenon happens mostly in offices, although some of it happens because inept designers leave no other choice (like doing RPC over HTTP == web services) because of the arms race.

  25. Re:Why can't the whole web be HTTPS? on A Good Reason To Go Full-Time SSL For Gmail · · Score: 1

    Even without considering server name indication, it should be possible to activate TLS while indicating the virtual name by using the UPGRADE method in HTTP 1.1. That would require support in the web servers but not in the TLS suite (except for indicating which key to use).

    The draft has been sitting there for 8 years, there really is no reason not to use SSL or TLS in every www connection.
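The mechanism the comment refers to is the `Upgrade` header of RFC 2817 ("Upgrading to TLS Within HTTP/1.1"): the client sends an ordinary HTTP/1.1 request (commonly `OPTIONS *`) with `Upgrade: TLS/1.0` and `Connection: Upgrade`, and the server answers `101 Switching Protocols` before the TLS handshake starts, so the cleartext `Host` header has already told it which virtual host, and therefore which certificate, is wanted. The exchange below is an added example, not code from the thread or from any web server; the virtual host table and the "TLS required for everything" policy behind the 426 response are assumptions.

```python
"""Negotiating TLS on an existing HTTP/1.1 connection via the Upgrade header
(RFC 2817). Added example, not from the Slashdot thread; the vhost table and
the TLS-required policy are assumptions."""

# Assumed mapping of virtual host names to the certificate the server would
# present once TLS starts. The Host header, sent in the clear, is what lets the
# server choose between them without Server Name Indication.
VHOST_CERTS = {
    "mail.example.com": "cert-mail.pem",
    "www.example.com": "cert-www.pem",
}


def client_upgrade_request(host: str) -> str:
    """Request the client sends to ask for TLS on the current connection."""
    return (
        "OPTIONS * HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n"
        "\r\n"
    )


def parse_request(raw: str):
    """Split a request head into (method, target, version, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def wants_tls_upgrade(headers: dict) -> bool:
    """RFC 2817 needs both tokens: Upgrade: TLS/1.0 and Connection: Upgrade."""
    upgrade = [t.strip().upper() for t in headers.get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "TLS/1.0" in upgrade and "upgrade" in connection


def server_response(raw: str):
    """Return (status, response headers, certificate chosen for the vhost)."""
    method, target, version, headers = parse_request(raw)
    host = headers.get("host")
    if version != "HTTP/1.1" or host is None:
        return 400, {}, None                       # HTTP/1.1 requires Host
    if host not in VHOST_CERTS:
        return 404, {}, None                       # unknown virtual host
    upgrade_headers = {"Upgrade": "TLS/1.0, HTTP/1.1", "Connection": "Upgrade"}
    if wants_tls_upgrade(headers):
        # 101: the TLS handshake follows on this same connection, using the
        # certificate selected from the cleartext Host header.
        return 101, upgrade_headers, VHOST_CERTS[host]
    # Assumed policy: every resource requires TLS, so a plain request gets the
    # RFC 2817 "Upgrade Required" status carrying the same Upgrade hint.
    return 426, upgrade_headers, None


if __name__ == "__main__":
    req = client_upgrade_request("mail.example.com")
    print(req)
    print(server_response(req))
    print(server_response("GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

The certificate selection happens in `server_response` before any TLS record is exchanged, which is the point the comment makes: the virtual host is identified by HTTP, so the TLS library only needs to be told which key to load.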