Since I did a "show buffers all" on a 4948 and it reloaded the box. General rule I follow is that if you have to have root access to do something, it's not a vulnerability. This is just a TAC case/bug fix.
I hope there are better ways. That one would put any social networking site out of business. Step 1 starts with "Provide a digital signing key on a dongle" - any idea how to do that when your site has 150+ million accounts? Divide that number in half for spammers and bots, divide the remaining number in half for inactive accounts... you still have over 30 million dongles to produce. That was just one problem. With the first dozen words.
What they want is not feasible without a massive identity management infrastructure. The kind no one will pay for, trust, or use unless coerced into doing so.
I enjoy reading the repeated calls for age verification on social networking sites. Never does anyone making this demand suggest a feasible solution, they just pound their shoes on the table and say, "make it happen!" Even better are the calls for requiring parental permission for minors. Think for about 30 seconds about how one might accomplish that feat. Yeah.
My company almost bought a TON of Rackables. We're growing really fast and are building out multiple big DCs (>1k square feet) in the next year. These guys came in saying they could not only deliver a rack of servers on wheels, negating our data center operations team's need to rack everything, but also that they could double the number of servers we could fit in a rack.
The number of servers per rack is constrained by electricity. For a while we couldn't figure out how they fit 48 servers into the same amount of electricity that our current server vendor used to power 24 + 1 switch. That is until we pulled a server apart and saw that they are using LAPTOP CPUS. The servers don't perform nearly on par with normal ones. They were, and are, selling snake oil.
If you want to be a network engineer, there is a solid niche for you to hang your hat in. Just make sure you're talking about the right career path. Cisco, Juniper, Foundry (yuck), these are vendors a network engineer works with. You set up circuits, run around data centers, chase ARIN for IPs, etcetera. MCSA is a systems engineering certification. It will help you if you want to do M$ stuff, but if you want to be captain telco/network, then it will just get in your way because people will assume you know how to solve Microsoft problems and force you to do so. That will distract you from being a hardcore BGP ninja or whatever.
BTW, a solid network engineer in Los Angeles makes about 100k.
If the developer is just going to tell the truth then who cares if someone spot checks them? They presumably have nothing to hide. Oh to save time? How hard is it to jump into god mode and cruise around, or jump levels, or have the development company supply the ESRB with 50 pre-saves for them to choose from so they can start at different places?
What's with you guys? Is stopping a 17 year old from buying a stupid game that bad of a thing? He'll just get his 18 year old friend to buy it anyway. But the fact that he was stopped will stop senators from proposing far-reaching legislation.
Um, the equivalent for M-rated games is not Hustler or porno. That's the AO-rating. The equivalent would be something like the Alien series.
Are people skimming or something? This is not a debate about artistic mediums in general, this is about video games. No scope creep.
Why do you believe these ratings should be enforced for games, and not for other forms of media (music, movies, books, magazines...)?
Huh? Since when can a kid get into a porno? Can a 12 year old buy Hustler? If the less extreme forms of these mediums are not enforced then that's a different issue. Actually, this entire point is a different issue, we're discussing games ratings here.
There is just as much evidence of harm to children caused by exposure to these other forms. What's special about games?
From my initial post: "Do you permit anything through your firewall the moment your manager makes you toss up a stupid rule?" You appear to have glossed entirely over that. This is not a binary solution.
Finally, what part of "Congress shall make no law" is unclear to you and Sen. Brownback?
If you're going to make a point about free speech then make it. Don't allude to it and try to force me to make it for you as well as counter it. That's just lazy.
The government is not supposed to be in the business of rating video games, any more than it's supposed to be in the business of reviewing Sunday sermons.
This is a strange comparison, one you didn't bother to flesh out yet again, and a bold, opinionated statement. The government is supposed to be in the business of whatever the people tell it to be in the business of. That's a democracy. Keep pushing the all-or-nothing standpoint on this issue and we'll see a backlash that will gain sufficient political power to mop the floor with the /. types. You are on the side of censorship in the way that Pat Robertson is on the side of liberals.
Neither of the options that you describe would have addressed the "Hot Coffee" mini-game in Grand Theft Auto: San Andreas. It's content that a play-reviewer wouldn't have seen without knowledge of how to get to the content.
Again, this is not a binary solution. Just because your defense is not impenetrable you don't give up and do nothing. Or I don't know, maybe you guys do, but I still play the game. You compromise and reach a middle ground somewhere, or eventually the other side gains the sympathy of the independents and trounces you. We just watched this happen in our recent elections, were people not awake for that?
I read about this topic a lot on/., and I'm not quite sure why everyone is so emotionally charged about it. Ok, after R'ingTFA I agree that this bill may not be the right one due to the unfeasible requirement of the ESRB playing every minute of the game. Any remotely open-ended game would baffle these poor people and hold up releases for months. Also, the FTC makes me nervous after the Howard Stern treatment.
But it seems like every attempt at improving the accuracy or consistency of ESRB ratings is met with derision and anger. Any attempt at *enforcing* those ratings is clubbed down as fascism. Why? The ratings exist because kids shouldn't beat a virtual hookers' brains out with a bat. I'm ok with that. I know they'll see the violence elsewhere, but so what? Do you permit anything through your firewall the moment your manager makes you toss up a stupid rule?
I'm a social liberal, I live in West Hollywood, frequent the clubs, fall to the left on almost every issue, etc. But this all or nothing approach is silly and stinks of NRA tactics. Yes, the NRA is effective, but I don't want to be like them. Reasonable adults compromise.
I would like to compromise some and get these politicos off our backs before they do something truly draconian, like ban red blood, or any blood for that matter.
- Allow ESRB raters to choose the spots of the game they will examine. No auditor comes in and says, "show me what you think I should see." That's just dumb.
- Fine stores whose clerks don't card for MA+ games. This isn't fascist, it's simply obeying the law.
When you try and fill a 10g pipe with a single tcp session, the congestion avoidance mechanisms of tcp will prevent you from filling the pipe. Essentially the sender will ramp up the rate of packets very quickly initially until the receiver sends back a congestion notification. The sender will then cut the send rate *in half*, and climb it back up very slowly - 1 extra byte per round-trip if memory serves (don't quote me on that). This works great for 100m, but to climb from 5g to 10g takes about 30 minutes if you have a cross-US round-trip-time (RTT).
To get around this you can:
1. Patch your TCP stacks with a few high-performance modifications
2. Figure out - using the RTT, interface buffer sizes, and bandwidth - what the number of outstanding packets can be before the receiver sends back a "slow down" message. Then configure the sender to have a smaller packet queue.
Great article on this here:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-2/gigabit_tcp.html
It's tough to say if that was the problem here (I'm actually assuming it was not) since after a little digging I didn't see any details on their implementation. And no, I'm not interested in truly digging (I have a pesky job thingy to get back to).
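As an added illustration (not part of the original comment), the recovery time the poster estimates, worked out from the bandwidth-delay product; it assumes a 70 ms cross-US RTT, a 1460-byte MSS and the textbook TCP Reno rule of halving the window on loss and then adding one segment per round trip:

```python
"""Bandwidth-delay product and TCP Reno recovery-time estimates.

Added example, not from the original comment. It models the poster's
scenario with textbook TCP Reno: on a loss the congestion window (cwnd)
is halved, then grows by one segment (MSS) per round trip. Assumed
constants: a 70 ms cross-US RTT and a 1460-byte MSS (both assumptions).
"""


def bdp_bytes(bandwidth_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: bytes that must be in flight to keep the pipe full."""
    return bandwidth_bps * rtt_s / 8.0


def pipe_segments(bandwidth_bps: float, rtt_s: float, mss: int = 1460) -> float:
    """cwnd, in MSS-sized segments, needed to fill the link (item 2 in the comment)."""
    return bdp_bytes(bandwidth_bps, rtt_s) / mss


def reno_recovery_seconds(bandwidth_bps: float, rtt_s: float, mss: int = 1460) -> float:
    """Time for additive increase to climb from half the pipe back to a full pipe.

    After a loss cwnd drops to half of pipe_segments(); Reno then adds one
    segment per RTT, so it needs (pipe_segments / 2) round trips to recover.
    """
    full = pipe_segments(bandwidth_bps, rtt_s, mss)
    return (full / 2.0) * rtt_s


if __name__ == "__main__":
    rtt = 0.070  # assumed cross-US round-trip time
    for label, bps in (("100 Mbit/s", 100e6), ("1 Gbit/s", 1e9), ("10 Gbit/s", 10e9)):
        secs = reno_recovery_seconds(bps, rtt)
        print(f"{label:>10}: BDP {bdp_bytes(bps, rtt) / 1e6:8.2f} MB, "
              f"{pipe_segments(bps, rtt):9.0f} segments in flight, "
              f"recovery {secs / 60:6.1f} min")
```

At 10 Gbit/s the model gives roughly 35 minutes to climb back from half rate, which is the order of magnitude the comment quotes; at 100 Mbit/s the same climb takes about 21 seconds.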
Theo may be a jerk, but that's not the point here. The OpenBSD team does great work that gets ported to other platforms or just flat out embedded, but no one wants to lend a hand. This interview did not strike me as whiney or greedy; Theo never came across as wanting to get rich, with his grand aspirations of paying travel expenses for poor developers.
His request is very reasonable - everyone is benefitting, and those who are in a position to give a little back should do so. He didn't say fund the project, he said contribute a little. Jeez, anything really.
This whole Slashdot anti-Theo movement is lame, it's like watching jocks push the nerdy quiet kid around in high school, which is a bit ironic considering that many of us *were* those nerdy quiet kids. Stop trying to be part of the "in" crowd by bashing this guy and read the article with an objective eye.
Ok, I'm sick of seeing crappy advice confusing newcomers and normies. Here are some stupid tips to avoid taking seriously. I'll start it with this one.
1 - dumb. Use dial-up instead of Cable or DSL because being connected to the internet all the time is a security risk.
1 - smart. Go get Cable or DSL, your life will improve (barring bad service). If you want to nullify the increased threat from being constantly online, buy a router that does NAT for you. Now you aren't always connected, your router is, and it's providing stateful firewalling for you.
2 - dumb. Never run anything you want secure on Windows. Use Linux, or even better OpenBSD.
2 - smart. OpenBSD rocks on security, but if you have no bloody idea how to use it you'll do something dumb that will compromise security or, more likely, uptime. Use the OS you know how to configure, and learn how to configure it securely and properly. You can research new OSs from your now-secure platform.
Please, kind readers, add to this list.
Has anyone thought that declining sales of CDs might be tied to a general trend in wealth distribution? Specifically that as wealth becomes more concentrated in the US (not sure what the trends are in EU, Japan and other traditional CD consumers), there is less disposable income for most of the populace to throw away on CDs?
Just a thought, not even a theory.
I stopped using CDs years ago. I now have a 200 gig external hard drive, and when that gets too small I'll buy a 500 gig one. If I want to pirate something I'm going to damn well do it, and I'll do it 30 gigs at a time while I go eat a burrito with my friend.
These clowns need to start charging much lower prices like the guys over at allofmp3.com. They don't have to match those prices, but $1/song is stupid.
I WANT TO PAY FOR MUSIC! And I'd rather have it be completely legit than have to go to some quasi-legal Russian site. But they can shove their high prices where the sun don't shine.
Bad things happen to better people than this guy all the time, so while I don't support murdering spammers (no indication on whether this was even spam-related) I'm pretty ambivalent about it.
My wife is a psych major, so I've been regaled with stories of how people who are severely depressed undergo shock treatment. Yes, the shock treatment from yesteryear's mental wards, like in One Flew Over the Cuckoo's Nest. Apparently it actually works quite well.
A drawback is the loss of long-term memories - for good. But they have patients on tape saying they don't care; before the shocks they couldn't get out of bed because they were so depressed.
Save it. Does anyone actually *watch* the garbage put out by the MTV types anymore? If you want to check out a new band then you would just get the song, not the video. So far I see 2.5 uses for this thing:
1. Portable movie library for hotel rooms, trips to your friends' houses, etc.
2. Trading movies/porn.
3. Airplane movies... maybe.
Depending on the price and what DRMish restrictions they force on consumers this thing may not be worth it.
Ok, Visa and Mastercard have a set of thresholds and guidelines for data security, retention and the like. How it works in a nutshell is once a business, be it your local cable provider or some card processing company or whatever, hits some number (not sure what that is) of transactions or money, they have to conform to a set of "best practices" defined by Visa/Mastercard (the two have agreed to the same set of requirements). Look here for more info or just google for "visa cisp".
Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.
Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.
One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.
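One way to apply the storage rules from this comment in code, as an added example that is neither the poster's nor Visa's; the field names, the HMAC lookup token and the key are assumptions:

```python
"""Strip a card-payment record down to what may be written to storage.

Added example, not from the original comment or from Visa's programme.
It enforces two rules the comment states: never store the CVV/CVC or any
magnetic-stripe data, and keep as little of the card number as possible.
Field names (pan, cvv, track1, ...) and the HMAC key are assumptions.
"""
import hashlib
import hmac
import re

# Data that must never reach storage, under any pretext ("research" included).
FORBIDDEN_FIELDS = frozenset({"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"})


class ProhibitedDataError(ValueError):
    """Raised when a record still carries data that may not be stored."""


def luhn_ok(pan: str) -> bool:
    """Luhn check, so we do not 'protect' a typo instead of a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_for_storage(record: dict, token_key: bytes) -> dict:
    """Return the only fields that may be written to the database.

    - refuses (raises) if CVV/track/PIN data is present instead of silently
      dropping it, so the bug that put it there gets found rather than hidden;
    - replaces the full PAN with a masked form (first 6 + last 4) for display
      and an HMAC-SHA256 token for lookups, so a lost backup tape does not
      leak card numbers.
    """
    present = FORBIDDEN_FIELDS.intersection(record)
    if present:
        raise ProhibitedDataError(f"must not store: {sorted(present)}")
    pan = re.sub(r"\D", "", record.get("pan", ""))
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid card number")
    token = hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_token": token,
        "expiry": record.get("expiry"),
        "cardholder": record.get("cardholder"),
    }


if __name__ == "__main__":
    # Constructed sample input; 4111111111111111 is the well-known Visa test number.
    key = b"example-key-keep-this-in-an-hsm-not-in-code"  # assumption
    print(sanitize_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/09",
                                "cardholder": "J Doe"}, key))
    try:
        sanitize_for_storage({"pan": "4111111111111111", "cvv": "123"}, key)
    except ProhibitedDataError as err:
        print("rejected:", err)
```

The keyed token stands in for the encrypted-field approach the comment mentions when all you need is to find a card again; if the full number must be recoverable, it has to be encrypted with a key kept outside the database.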
How do you compare Linux and the BSDs and keep the debate from turning into a friendly-fire flame-fest nightmare between bigots on both sides of the line?
That's easy. Don't discuss it with people who can't handle a calm and rational exchange of ideas. If you find the person starting to raise their voice, interrupt you, or become more and more emotional just politely change the subject and/or walk away.
Wrote a 1-pager on it: http://packetpushers.net/managing-your-job-versus-managing-your-career/
He didn't hear your mom complaining.
I just kicked the WoW habit a couple months ago!
I've been Blizzard's bitch since 1994 and it sucks. I feel like Sharon Stone in Casino....
We regret to inform you, but the ability to track Santa Claus has been deemed an unacceptable security risk and will not be allowed.*
No constitutional amendments were harmed (or consulted) in the making of this decision.
This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breathe.
Can't wait to see them get some targeted worm that jacks up a group of hard drives. Security guy --short on trust. It's a requirement for the job.