If I ran an illegal site, or rather a site that was illegal in a country where lots of my customers were, I'd listen to my customers. I'd run everything with strong encryption.
Strong encryption in and of itself doesn't look suspicious. I run my own blog and I use SSL so people can sign in and look at entries I don't want to be publically visible. I use SSH for a ton of stuff. I use it to log in to my server when I'm at home on my LAN because it's conveniant. The first thing I do when I get to work is log in to my server with SSH so I can do e-mail and blog without anyone worrying about it.
Apart from the SSL blog stuff, this is pretty normal behavior for a lot of tech people. SSH is just too damn convenient.
And if I had anything illegal, I'd probably keep it on an encrypted partition that automatically unmounts if I don't log in for a while. And I'd probably make sure the unmount system call makes sure to overwrite the memory where the key is stored.
a) If your keys are stolen you can just update your DNS info with new keys, it'll only take a few days to propagate, and DNS security is reasonable to strong.
b) If a particular ISP is misbehaving, you can blacklist them, or filter them more agressively by other means. Once you know for sure who everyone is, blacklisting becomes much easier and much less damaging.
c) Cryptographic signing is well understood, large key sizes are practical, hardware acceleration is cheap, and signing/verifying a message is easier than running spamassasin on it.
d) DNS based authentication is the one thing I've heard that I can't reply to with this.
OpenBSD will always have the most up to date PF stuff.
What you'll notice with OpenBSD is that you're discouraged from messing with the kernel at all, and ports work better. Theoretically, you may notice it's slower, and you'll probably notice that the software isn't as up to date. Debian-stable should also be in consideration, depending on your needs, but its firewalling capabilities are well behind FreeBSD and OpenBSD.
You're giving something up if you commit to anything period. FreeBSD and OpenBSD have dramatically disjoint sets of stuff they're good at. I've never seen an OS good enough at everything (or even most things) to make it worth commiting to. Not if you can deal with multiple OSes on a day to day basis.
If you already know the regex library and perl or python, it's only a few hours work. It'll take you a few weeks to spend that much time writing entries for it.
If me signing a book about explosives out of the library wastes resources, it's not me doing it. It's policy makers who allow/advocate/fund that type of investigation. For every smartass doing it to rock the boat, there are many people that have legitimate reasons for it, or maybe they're just curious. The FBI et al is wasting resources on them too.
The answer is not to shut up and cooperate. The answer is to change policy such that resources aren't being wasted anymore.
Signing books out of the library shouldn't be a form of expression. It should be private. If someone expressing themselves by doing things that should be completely private, and that can not possibly cause anyone to come to harm is wrong, then I don't want to be right.
Thanks to everyone that still has a sense of humor. Yes, I was kidding. Barely.
My proposed solution is for everyone to behave suspiciously. This will increase the noise level and reduce the benefit of investigations like this.
Sign books about explosives out of the library. Go around calculating the heights of buildings. Do stuff that's perfectly 100% legal, but still suspicious.
On the server side security is an issue (also on the client side, clearly). If your code isn't clear and correct, the number of bugs is likely to be higher than average, and bugs lead to exploits. Your libraries may be well written, I don't know specifically. It's possible to do both, just hard.
Why would anyone need a lot of space for a router/firewall? I was using a 32MB PCMCIA card for mine.
It would be hard to cram it all into 32 mb. I'm more comfortable with a system that can build itself from source for patches and upgrades. I don't have other systems available that can build it from source, and it's just a home network, so I don't think I'm ever going to.
Mark my words, once somebody make a network card that does all the processing on-board (3com, are you listening?) Cisco will find most of their market slipping out from under them. Until then, tulip cards are great (man do I miss DEC) and even an old 200MHz system can handle multiple maxed-out 100Mbps interfaces.
nVidia has this feature in their new Athlon 64 chipset. It gets pretty close to wire speed on a gigabit network. They're not releasing the docs for it, so it won't be supported.
I also think that those features would be incompatible with PF.
There are holes that have been discovered long after the version in question was obsolete. But if you were to leave such a version in production, it would be vulnerable.
FreeBSD supports a bit more hardware, and usually sooner. Performance is no comparison (favors FreeBSD), neither is ease of use (favors OpenBSD).
OpenBSD supports binary emulation of FreeBSD binaries, and I believe FreeBSD supports binary emulation of OpenBSD binaries. They should be almost completely source compatible. In practice you'll usually install something from ports and you won't care where it came from.
OpenBSD is missing a lot, which is why it tends to get used for firewalls that operate transparently. I don't think it's suitable as a general purpose OS. It's my favorite OS, but it's not good at everything.
FreeBSD is heading towards the ultimate webserver/workstation platform. OpenBSD is heading towards the ultimate router/firewall platform. In a lot of ways, these goals are mutually exclusive. They're both very well documented and easy to learn, so it's worth it to try them both out. I went from no experience to moderately skilled expert in about 4 hours on both of them, significantly less time than it took me for any Linux I've tried.
I haven't had a router in a few years, but when I did have a couple, they were rock solid. I always assumed that a big part of it was the fact that they didn't have any moving parts.
OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architechtures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.
Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.
Wouldn't the computer architecture make an OpenBSD router less stable?
Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
Since the water is not in free fall, it has a terminal velocity. That's not terribly fast. Almost all of the energy not extracted by off grid hydro power and well intentioned paddle-boaters will be dissipated as heat before it gets to anyone downstream.
The effect might, might be measureable, but it would take some very expensive equipment to do it.
For LAN parties or anyone that doesn't want multiple computers sucking down electricity, it's a godsend. It'll be more secure than software-only firewall solutiions. About as secure as broadband router, I'd imagine.
I have an old computer doing firewall too. But I realize I'm in a minority on that.
and you're right.. it's taken a LOT of effort and energy.. and while maybe I don't mind doing so, I can see how this can be hindering to anyone trying to use technology as the means to an end instead of the end itself..
Yes. You've got it exactly.
but I do believe that it takes a group of such said people to make things so usable as OSX. Knoppix is a good example as well. Klaus Knopper wrapped himself around the linux installation process and put a lot of effort into that.. the end result being knoppix.. a install process that doesn't get any simpler..
They're trying and I applaud them for it. It's due primarly to their efforts that Linux was worth the effort for me last year, but it wasn't the time before that.
But it won't be a quick or easy process. Apple and Microsoft spend billions on it. It will take equivilant effort from open source developers. Trained developers.
Except that you have the power (directly or indirectly ) to fix the inadequecies of linux because of the freedom the GPL gives you. You DO NOT have that freedom with other non open source os's and products.
Partially untrue (the OS X kernel and many of the libraries are open source), but I'll concede the point for the sake of argument.
My respose would be, what if my priority is a computer that works without my having to put effort into it? That's what I want with my laptop. Apple takes my money and in return they promise that their product will work if used in the intended fashion. The GPL doesn't, and by deffinition can't, do that. You can get that from a vendor, but most of them won't support you if you start putting in local tweaks, so you're back to where you started.
What I need is a laptop that works without my having to put energy into it. That's another kind of flexibility, a kind that open source zealots sometimes don't want to see. I don't have the energy to fix the problems in my software and Linux. Therefore, I use OS X on my laptop. Note that, as I said, I use Linux on my desktop. There, it's the best tool. And it beat Windows when I compared them side by side for that job.
I'm not saying I favor OS X. I don't favor anything overall. I'm saying if you want me to use something, you've got to show me it's the best tool for what I need. I'm hardly a beginner with Linux, so I know it's not the best for some of the things I need.
So while everyone who uses OSX is smug and happy now, who knows what will happen to the roadmap two years down the road.. and if its something you don't like.. tough shit.
Hey, I don't care. If it's no longer the best for what I need, I won't use it.
Slashdot Mirror
blah
At work they make me change them every 30 days! There's no way I can memorize a good password that frequently.
If I ran an illegal site, or rather a site that was illegal in a country where lots of my customers were, I'd listen to my customers. I'd run everything with strong encryption.
Strong encryption in and of itself doesn't look suspicious. I run my own blog and I use SSL so people can sign in and look at entries I don't want to be publically visible. I use SSH for a ton of stuff. I use it to log in to my server when I'm at home on my LAN because it's conveniant. The first thing I do when I get to work is log in to my server with SSH so I can do e-mail and blog without anyone worrying about it.
Apart from the SSL blog stuff, this is pretty normal behavior for a lot of tech people. SSH is just too damn convenient.
And if I had anything illegal, I'd probably keep it on an encrypted partition that automatically unmounts if I don't log in for a while. And I'd probably make sure the unmount system call makes sure to overwrite the memory where the key is stored.
"Boy am I ever glad I use SSH for everything."
Good points, but:
a) If your keys are stolen you can just update your DNS info with new keys, it'll only take a few days to propagate, and DNS security is reasonable to strong.
b) If a particular ISP is misbehaving, you can blacklist them, or filter them more agressively by other means. Once you know for sure who everyone is, blacklisting becomes much easier and much less damaging.
c) Cryptographic signing is well understood, large key sizes are practical, hardware acceleration is cheap, and signing/verifying a message is easier than running spamassasin on it.
d) DNS based authentication is the one thing I've heard that I can't reply to with this.
Good excuse to get one of these: http://www.soekris.com/vpn1401.htm
OpenBSD will always have the most up to date PF stuff.
What you'll notice with OpenBSD is that you're discouraged from messing with the kernel at all, and ports work better. Theoretically, you may notice it's slower, and you'll probably notice that the software isn't as up to date. Debian-stable should also be in consideration, depending on your needs, but its firewalling capabilities are well behind FreeBSD and OpenBSD.
You're giving something up if you commit to anything period. FreeBSD and OpenBSD have dramatically disjoint sets of stuff they're good at. I've never seen an OS good enough at everything (or even most things) to make it worth commiting to. Not if you can deal with multiple OSes on a day to day basis.
If you already know the regex library and perl or python, it's only a few hours work. It'll take you a few weeks to spend that much time writing entries for it.
I wrote my own software... This is slashdot... surely a good chunk of the people here can do the same.
If me signing a book about explosives out of the library wastes resources, it's not me doing it. It's policy makers who allow/advocate/fund that type of investigation. For every smartass doing it to rock the boat, there are many people that have legitimate reasons for it, or maybe they're just curious. The FBI et al is wasting resources on them too.
The answer is not to shut up and cooperate. The answer is to change policy such that resources aren't being wasted anymore.
Signing books out of the library shouldn't be a form of expression. It should be private. If someone expressing themselves by doing things that should be completely private, and that can not possibly cause anyone to come to harm is wrong, then I don't want to be right.
Thanks to everyone that still has a sense of humor. Yes, I was kidding. Barely.
My proposed solution is for everyone to behave suspiciously. This will increase the noise level and reduce the benefit of investigations like this.
Sign books about explosives out of the library. Go around calculating the heights of buildings. Do stuff that's perfectly 100% legal, but still suspicious.
On the server side security is an issue (also on the client side, clearly). If your code isn't clear and correct, the number of bugs is likely to be higher than average, and bugs lead to exploits. Your libraries may be well written, I don't know specifically. It's possible to do both, just hard.
So I'm told. I stand corrected.
It would be hard to cram it all into 32 mb. I'm more comfortable with a system that can build itself from source for patches and upgrades. I don't have other systems available that can build it from source, and it's just a home network, so I don't think I'm ever going to.
nVidia has this feature in their new Athlon 64 chipset. It gets pretty close to wire speed on a gigabit network. They're not releasing the docs for it, so it won't be supported.
I also think that those features would be incompatible with PF.
There are holes that have been discovered long after the version in question was obsolete. But if you were to leave such a version in production, it would be vulnerable.
FreeBSD supports a bit more hardware, and usually sooner. Performance is no comparison (favors FreeBSD), neither is ease of use (favors OpenBSD).
OpenBSD supports binary emulation of FreeBSD binaries, and I believe FreeBSD supports binary emulation of OpenBSD binaries. They should be almost completely source compatible. In practice you'll usually install something from ports and you won't care where it came from.
OpenBSD is missing a lot, which is why it tends to get used for firewalls that operate transparently. I don't think it's suitable as a general purpose OS. It's my favorite OS, but it's not good at everything.
FreeBSD is heading towards the ultimate webserver/workstation platform. OpenBSD is heading towards the ultimate router/firewall platform. In a lot of ways, these goals are mutually exclusive. They're both very well documented and easy to learn, so it's worth it to try them both out. I went from no experience to moderately skilled expert in about 4 hours on both of them, significantly less time than it took me for any Linux I've tried.
OpenBSD (and all the rest) don't need moving parts, except for the power supply fan. VIA Eden chips can run without a fan, and there are other chips from other architechtures with similar specs. The hard drive can be replaced by a flash IDE drive if your space requirements are small enough.
Cisco still wins on speed when all you're doing is routing, and in many other situations, but the firewall isn't that impressive.
Not necessarily, it runs on a lot of different architectures... Xeon's, Opterons, PowerPC, MIPS, etc. If you didn't have to patch, uptimes of years wouldn't be a problem.
OpenBSD is the Cisco killer.
It's now suitable for replacing a lot of the Cisco gear out there.
I doubt that someone like Google would send you a copy of their source these days - even if you asked nicely.
The next best thing.
search appliance
.................what?
Processor, chipset, memory, peripherals. That's exactly the same as a PC.
Actually, A PC would have all those nice peripherals on the chipset, not the PCI-X bus.
Groklaw isn't biased at all. I hope they publish their affiliation on the study.
I downloaded the source the moment I saw it.
Seriously. Every year major stuff happens that no one thought we'd ever see.
Since the water is not in free fall, it has a terminal velocity. That's not terribly fast. Almost all of the energy not extracted by off grid hydro power and well intentioned paddle-boaters will be dissipated as heat before it gets to anyone downstream.
The effect might, might be measureable, but it would take some very expensive equipment to do it.
For LAN parties or anyone that doesn't want multiple computers sucking down electricity, it's a godsend. It'll be more secure than software-only firewall solutiions. About as secure as broadband router, I'd imagine.
I have an old computer doing firewall too. But I realize I'm in a minority on that.
and you're right.. it's taken a LOT of effort and energy.. and while maybe I don't mind doing so, I can see how this can be hindering to anyone trying to use technology as the means to an end instead of the end itself..
Yes. You've got it exactly.
but I do believe that it takes a group of such said people to make things so usable as OSX. Knoppix is a good example as well. Klaus Knopper wrapped himself around the linux installation process and put a lot of effort into that.. the end result being knoppix.. a install process that doesn't get any simpler..
They're trying and I applaud them for it. It's due primarly to their efforts that Linux was worth the effort for me last year, but it wasn't the time before that.
But it won't be a quick or easy process. Apple and Microsoft spend billions on it. It will take equivilant effort from open source developers. Trained developers.
Except that you have the power (directly or indirectly ) to fix the inadequecies of linux because of the freedom the GPL gives you. You DO NOT have that freedom with other non open source os's and products.
Partially untrue (the OS X kernel and many of the libraries are open source), but I'll concede the point for the sake of argument.
My respose would be, what if my priority is a computer that works without my having to put effort into it? That's what I want with my laptop. Apple takes my money and in return they promise that their product will work if used in the intended fashion. The GPL doesn't, and by deffinition can't, do that. You can get that from a vendor, but most of them won't support you if you start putting in local tweaks, so you're back to where you started.
What I need is a laptop that works without my having to put energy into it. That's another kind of flexibility, a kind that open source zealots sometimes don't want to see. I don't have the energy to fix the problems in my software and Linux. Therefore, I use OS X on my laptop. Note that, as I said, I use Linux on my desktop. There, it's the best tool. And it beat Windows when I compared them side by side for that job.
I'm not saying I favor OS X. I don't favor anything overall. I'm saying if you want me to use something, you've got to show me it's the best tool for what I need. I'm hardly a beginner with Linux, so I know it's not the best for some of the things I need.
So while everyone who uses OSX is smug and happy now, who knows what will happen to the roadmap two years down the road.. and if its something you don't like.. tough shit.
Hey, I don't care. If it's no longer the best for what I need, I won't use it.