Slashdot Mirror


User: ScytheBlade1

ScytheBlade1's activity in the archive.


Comments · 345

  1. Re:Article has a good page on cleaning systems on Anatomy of a Hack · · Score: 1

    Yes.

    I keep backups for a year and a half.

    You know, minimum.

  2. Re:Article has a good page on cleaning systems on Anatomy of a Hack · · Score: 2, Informative

    You know, there's something that's really rather simple that secures your backups from being toyed with.

    All of my backups end in .tar.gz.gpg.

    Ah, simplicity of well thought out security. (Concerning backups, anyways.)

    Shameless plug follows
    A bit ago, I accidentally nuked my home dir, so I made myself a backup script that scans $HOME for ".nobackup" files, and then archives everything but those directories containing those (I really don't need three copies of the kernel source in my backups, you know?). It .tar.gz compresses them into $HOME/.backups/, and if $HOME/.backups/gpgkey exists, will use gpg to encrypt your backup for you. More info here.

  3. Re:How to patch PHP/PEAR on PHP Blogging Apps Open to XML-RPC Exploits · · Score: 3, Informative

    Well that was easy.

    server bin # ./pear upgrade XML_RPC
    downloading XML_RPC-1.3.1.tgz ...
    Starting to download XML_RPC-1.3.1.tgz (25,310 bytes)
    .........done: 25,310 bytes
    upgrade ok: XML_RPC 1.3.1


  4. Re:MySQL good, PHP not so good on How to Do Everything with PHP and MySQL · · Score: 1

    How about you learn the language before you speak out of what google news and fellow slashdotters tell you?

    Saying that there was a worm that only affected PHP forums is only a half-truth, at best. It only affected a single PHP based forum, not every PHP forum made in existence. The flaw there was a hole in the software, NOT a hole in PHP. Have there been holes in PHP? Of course, there's a hole in everything else, too. The exploit was not in PHP, it was in some software that's coded in PHP. Using your thinking, that's like saying C is a horrible language because if you don't know what you're doing, there's a chance of a buffer overflow.

    From "A Note on Security in PHP":
    "A recent Web Worm known as NeverEverSanity exposed a mistake in the input validation in the popular phpBB message board application. Their highlighting code didn't account for double-urlencoded input correctly. Without proper input validation of untrusted user data combined with any of the PHP calls that can execute code or write to the filesystem you create a potential security problem. Despite some confusion regarding the timing of some unrelated PHP security fixes and the NeverEverSanity worm, the worm didn't actually have anything to do with a security problem in PHP."

    The phpbb developers are not stupid, they are competent people. Yet, there was a hole. It happens, no one is perfect.

    I'm quite certain that JSP/Tomcat can be just as insecure if you code it wrong. Same with ASP. Or, gasp, anything.

  5. Re:Office 12 with XML. Doesn't matter. It's MS. on Norwegian Minister: No More Proprietary Formats · · Score: 1

    Out of all of the replies so far (to me), you're the ONLY one who actually said why it was retarded of them to use a .msi.

    Good job.

  6. Re:Office 12 with XML. Doesn't matter. It's MS. on Norwegian Minister: No More Proprietary Formats · · Score: 1

    Haha, point. Likewise, wine can be used.

    By the way, I'm a retard. The line, ".msi is the .rpm of the windows world, .rpm is the .msi of the windows world." should have read, ".msi is the .rpm of the windows world, .rpm is the .msi of the linux world."

  7. Re:Office 12 with XML. Doesn't matter. It's MS. on Norwegian Minister: No More Proprietary Formats · · Score: 3, Informative

    Screw karma, I'm ticked.

    Now, essentially every microsoft product comes in a .msi package. .msi packages are not of the devil, as so many slashdotters make them out to be. Windows 2000 and higher supports them natively. You can install the needed app to support them down to Win95.

    .msi is everywhere, know it or not. Using acrobat reader at your office/house? Sure, you download a nice little .exe, but that .exe extracts a .msi to a temp dir and runs that instead. Macromedia is installed via .msi. VMWare is installed via .msi. Yes, you're running a .exe, but that .exe is just extracting a .msi and running that. Openoffice for windows is now a strictly .msi installer, and hey guess what? firefox has a .msi package too, surprise!

    .msi is the .rpm of the windows world, .rpm is the .msi of the windows world. Quit blasting it because you can't run it on your linux box, it's not like the windows users can run your .rpm packages either.

    Oh, and before you call me a windows zealot and some moderator mods me down for being a windows zealot, RTFJ.

  8. Re:Lets get the facts straight on Felony Charges For H.S. Hacking · · Score: 1

    Should that fail, just do a VPN over port 80. Works like a charm, and there's oh so little they can do about it.

  9. Re:Lets get the facts straight on Felony Charges For H.S. Hacking · · Score: 1

    Bess....hasn't gotten much better (Stupid dog should have been a cow, hello...). It's also incredibly stupid, as 9 times out of 10, all you need is a proxy to bypass it.

  10. Re:This is Interesting on Opera: Firefox User Figures 'Inflated' · · Score: 1

    The JS is simple enough. Just turn off style sheets and you can view all the content. It won't be pretty, but it works.

  11. Re:I still don't get it.. on Desktop Linux on x86 - Adapt or Die · · Score: 1

    You're right, of course. The guy I mention? His cPanel or hosting service has yet to break. He reminds me of that every time I tell him that he really should learn the inner mechanics of how it works.

  12. Re:I still don't get it.. on Desktop Linux on x86 - Adapt or Die · · Score: 1

    "I'm just tired of having to /work/ to get my system to behave properly. This is something I shouldn't have to be wasting my time on."

    You have a very good point. However, I just hope to provide some very good counter-points :).


    About a year to a year and a half ago, I knew someone who started his own web hosting business. When I say this, I mean he bought a reseller account from rackspace, charged people money, and then clicked around in cPanel to spawn their sites. It made him money, it worked.

    He also knew jack NOTHING about what cPanel actually did. He would tell me how literate he was in linux, and look at me do X in Y seconds, and hey look at this I just added some anti-spam plugin to my mailserver. Every time he'd show off, I'd ask him, "cool, so, how'd you do this?" His reply was always "I clicked here, then here, and then here."

    This is the ideal end-user experience, I agree with you completely. But, that doesn't mean that you should just know how to do it in the GUI, you also need to know how to dig way down in depth, bypass all of the nice check marks, and make it work. Why?

    So, what happens when your nice point and click interface that just works, well, doesn't work? Are you stuck contacting tech support because you can't fix the problem without a shiny nice GUI and a configuration wizard? As I said, point-click-"hay it works" ('hay' being intentional ;)) is what it should be.

    But that doesn't make up for knowing HOW the system works, how to make it work for you, how to repair things when it breaks, and it definitely doesn't mean you can make the system work. It means you can use a system to make the underlying system work, but what happens when the underlying system breaks and your magic "it just works" GUI no longer works?

    There is an advantage to mucking around in obscene config files for hours on end with little to no documentation. It's just that far too few people care to do so, and Aunt Tillie isn't going to. Aunt Tillie needs the cPanel, but Technician Bob needs to know how to fix it, should it ever break.

    That's half the reason that I run gentoo, half the reason why I bought a soekris board, and half the reason why out of the 7 computers I own, only one runs X. If you want to be able to hold your ground when it comes to fixing Aunt Tillie's computer, you need to know a little more than point-click-tada. Personally, I can't think of a better way to learn How Stuff Works(TM) than by trying to configure squid over SSH using nothing more than the squid.conf comments.

    The other half of the reason I did all of that is to keep myself entertained in my 60+ hours of free time per week :D

  13. Re:Does Comcast let you run P2P? on Microsoft Wants P2P Avalanche to Crush BitTorrent · · Score: 1

    Doesn't mean that I don't run my own DNS, HTTP, FTP, Icecast, MySQL, POP3, SMTP, and IMAP off of my comcast home IP.

    I also know someone who worked Comcast tech call center. He received note (some months ago) that they were beginning to monitor outbound SMTP, and accordingly block zombies to help with the spam problem, not by enforcing their ToS and killing off :25.

  14. Re:Speedy Maths on Microsoft Wants P2P Avalanche to Crush BitTorrent · · Score: 1

    Comcast offers residential users up to 6mbps down for $65/month. If you have their base service for $55/month, they offer the bump up to 6mbps (from 4mbps) for $10 more. It'll also bump your upstream to 768k.

    Their business package can far exceed 8 megabits.

  15. Re:Utterly shocking on Google Scholar: Not Ready for Prime Time? · · Score: 4, Insightful

    While you have a definite point, I believe that there may be a tad bit more to it than you make it out to be.

    "whose mission is to provide content and research services to academia"

    Also from that same page:
    "with 2004 revenues from continuing operations of $8.10 billion"


    You think...that it's possible...that this company is doing it RIGHT? That it's possible that they know what they're talking about?

    I'm not claiming to know the answer. I don't use either service, but after reading your post, the obvious jumped out...

    Of course they're an apparent competitor. I just have this feeling, though, that they may actually know what they're doing. It's possible that you're right, it's possible that you're wrong, it's just that I don't see evidence as to either for a post like yours to hit +5 Insightful (which it is) without some counter-balance to it.

    If their entire goal is to provide a similar service, and they've made $8.10 billion....something tells me that they're doing something right, which may actually give base to their claims.

  16. Re:Why upgrade? on Half Of Businesses Still Use Windows 2000 · · Score: 1

    If you want to disable that, simply delete the desktop.ini file that appears in each "protected" directory.

    That's all there is to it.

  17. Re:And this is a surprise because? on BSA Piracy Study Deeply Flawed · · Score: 2, Informative

    He lies not!

    Proof.

    Holy crap. Go Oracle.

  18. Re:FWIW on ACLU to Challenge Utah Porn-Blocking Law · · Score: 1

    Okay, so we know where you get your numbers. Do tell me though, where does CNN get their numbers?

  19. Re:What's porn? on ACLU to Challenge Utah Porn-Blocking Law · · Score: 2, Insightful

    5 mod points, or clear things up....decisions decisions.

    Against the law in Utah? Yes.
    What happens if you're a Mormon practicing polygamy? Excommunication. (Source, via AC that no one will mod up in this thread.)

    It's just just because it's a law, that all Mormons don't practice it. I can say all in that statement, because as soon as you do, you're given the option to stop, or to be excommunicated. (This was not directed at you, TMM. This was just in general, and I know that I'm going to lose my karma bonus for this too, so I might as well go all the way as I do it.)

    You're also correct that Utah has a higher percentage of polygamy per person than most other states. If all of those polygamists moved up from Utah to California, that percentage would drop to something that rounds out to 0.000000000001% instead of 0.00001%. I'm not saying that there's MORE polygamists in California than Utah, but I AM saying that due to Utah's relatively small population, people tend to think that Utah is a polygamist state. Guess what, it's not.

    You're absolutely correct that if you google for any of those terms, up comes Utah. But, want to know why? People like you who keep that alive :P. No offense, but it's true. It's the word of mouth that goes on. It's all of those google sources, which typically say that Utah still practices polygamy, or one way or another aligns the state of Utah with polygamy. That's the sole reason you, and tens of millions of others think that way.

    It's only the polygamy state if you make it that in your mind. Likewise, in some people's worlds, the sky is green and the grass is red, but as long as you're in the majority, who cares, right?

  20. Re:pretty frickin ironic... on Blackberry Future Uncertain · · Score: 2, Insightful

    Yeah, we understood every word of that. Completely coherent. ;)

    Mobile friendly? Well, for reading...

  21. Re:It's about time on Windows to Have Better CLI · · Score: 1

    Holy crap do I wish that I hadn't posted now. I'd mod that up as Funny in about a second.

    Almost makes you wish that you posted as an actual user, not an AC, so you got the +1 initially, huh?

  22. Re:It's about time on Windows to Have Better CLI · · Score: 1

    2000 (and XP, 2k3, etc.) cmd.exe:
    -As I mentioned, support for long file names. I don't know when, but in XP you can type in a path to cd to with spaces, without quotes, and without backquoting.
    -They changed a LOT under the hood. Prime example: start up cmd.exe, and then start up command.com. They both exist on 2000 and higher. Here's a hint: command.com is slow. Very slow. They've changed quite a bit to migrate the entire OS environment from a DOS-based one to one that I'd consider using in this day and age. Command.com is an example of "holy crap they actually changed something" in terms of more than its integrated toolset.

    XP cmd.exe specific:
    -Tab completion for paths and file names

    You're right, it is awfully similar, as that's all that I can pull out of thin air. I once had a changelog of the changes over time, but that's disappeared on me. It's not so much the interface, though, as it is the differences in speed which say just what they actually changed under the hood. True DOS, the command.com, is still there for backwards compatibility. If you try and just click the "X" to close it, it comes up with the End Program dialog. It's just that oldschool. (Read between the lines: yeah, you're right, but you only cited three things, and I could debate pretty much up to four ;))

  23. Re:It's about time on Windows to Have Better CLI · · Score: 2, Funny

    When it stops looking like DOS,

    DOS:
    cd C:\PROGRA~1
    2k+ cmd.exe:
    cd C:\Program Files

    smelling like DOS,

    Which is why you no longer have a true DOS environment... in case you haven't noticed, 2000 on up no longer uses DOS as its initial bootloader. It's gone, and it's been gone for a bit.

    and quacking like DOS.

    Can't help you there, I'm still getting this weird error about not finding '/dev/hda' in this script I made... it doesn't seem to like "echo 000000000000 > /dev/{h,s}d{a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s, t,u,v,w,x,y,z}". Oh well, if by "quacks" you mean "errors", yeah, it's still the same.

    In literally every aspect, though, DOS has been gone for a very, very long time.

  24. Re:Second Sense on Second Life Virtual World to Get Firefox · · Score: 1

    I don't need to. The AC's owned you enough to make me content :).

  25. Re:Second Sense on Second Life Virtual World to Get Firefox · · Score: 0, Offtopic

    Yes, since we all know that A) Arguing with an AC proves anything B) Knowledge of a single language determines things such as intelligence.

    Thanks for being the average "I'm better than you" slashdotter.

    "If you're not going to contribute anything, quit your whining."