Slashdot Mirror


User: mikep554

mikep554's activity in the archive.


Comments · 25

  1. Re:Upgrade... on Secret Service Runs At "Six Sixes" Availability · · Score: 2, Informative

    Half of those show as IIS 5.0/Windows 2000. There is no way that a Windows 2000 box has stayed online for 1700 days (over 5 years!!!) without being pwned and crashed. For large sites that do load balancing and such, Netcraft is a better indicator of SITE uptime instead of uptime for a single particular box.

  2. Get an incident handler in there on Time Bomb May Have Destroyed 800 Norfolk City PCs' Data · · Score: 1

    FTA: "... the city found that the system serving as the distribution point ... was a print server. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server."

    Ok, if I have a single workstation with "AntiVirus 2009", I will probably nuke it without a second thought. If one of my servers has been commandeered to serve as the command and control channel for a worm that just ate 800 of my PCs, I SURE AS HELL AM GOING TO GET A dd OR OTHER FORENSICALLY SOUND IMAGE OF THE MACHINE BEFORE I WIPE IT!!!!!!!!! For crying out loud, they contacted the FBI, but they just destroyed what could have been the single most important piece of evidence! Do they have a Best Buy in Norfolk? For $100 they could have brought the machine up on a clean hard disk and set the existing one aside for forensic examination without wasting the time of taking an image of the drive.

    Also, they have no idea how the attack occurred, but they are sure it didn't come from the internet. Any evidence to back that up? It's one thing to say it probably didn't come from the internet because our logs show no traffic to support that possibility. It's ridiculous to make that same statement based on a gut feel.

    If this article is accurate, these guys are playing amateur hour IT security. Their first action should have been to contact a qualified incident handler.

  3. Re:Now all we need... on A Space Cannon That Might Actually Work · · Score: 2, Funny

    Dammit. Those music-stealers ruin everything.

  4. Microsoft isn't bragging? on Using Outlook From Orbit · · Score: 1

    From TFA: It’s surprising that Microsoft hasn’t made more noise about the use of Microsoft Office in space

    Microsoft probably isn't making more noise about this because it is a TERRIBLE system.

  5. Better translation or summary? on Mandatory Use of Open Standards In Hungary · · Score: 1

    Can anyone find an actual translation of the amendment or a better summary? TFA sounds like it was written in a combination of management-ese and marketing-speak.

  6. Geeks are now manly! on Not Enough Women In Computing, Or Too Many Men? · · Score: 1

    FTA: "...the image is of the computer geek surrounded by such things as computer games, science-fiction memorabilia and junk food...", followed by "...many women don't like the portrait of masculinity that it evokes..."

    YES! GEEKS ARE MASCULINE!!!

  7. Which is cheaper? on Questionable "Best Effort" Copyright Enforcement · · Score: 3, Insightful

    They are effectively shifting the work of verification to the recipient of the letter. If you are guilty, they found their mark. If you haven't done what they accuse you of, you will probably be indignant enough to go through some effort to correct their "error". Sending out the letters without verification requires almost no work from them, has no risk, and sometimes gets them money. Verification would only add more work with no payback in reduction of risk or increase in monetary return.

    I am surprised more people don't see this as a shakedown racket. Also, since the RIAA gets money in return for the cost of a trained monkey running mailmerge in Microsoft Word, I don't see why they haven't purchased an electronic copy of the phone book so they can simply send out letters to everyone in the country.

  8. Re:Why reduce the DPI instead of using larger font on Are There Affordable Low-DPI Large-Screen LCD Monitors? · · Score: 2, Insightful

    "Guideline" is incompatible with "require".

  9. Re:Different Approach on Software Piracy At the Workplace? · · Score: 1

    ...you can quote the $250,000 fines the BSA can assess PER VIOLATION...

    The BSA cannot assess anything. They have no legal authority to do so. What they can do is ask you to pay money in a settlement rather than engaging in a very long and expensive legal battle against them. If the case has very clear-cut evidence, paying $250,000 may well be cheaper, quicker and simpler than a court battle, even for a very small company.

  10. Re:The old fashioned way on MPAA Asks Again For Control Of TV Analog Ports · · Score: 1

    But competing is HARD.

    Getting legislation passed that legally mandates everyone do as you wish is EASY. And probably entails less cost and risk.

  11. Re:It's pretty fun on Remus Project Brings Transparent High Availability To Xen · · Score: 1

    In many cases, the webserver IS the app server.

    This sort of feature could be very useful for those smaller shops and cheap shops who haven't yet created a dedicated Web tier, or for all those internal webservers which host the Wiki, etc.

    If they are smaller/cheaper shops, they probably aren't playing around with heavy virtualization to begin with. If you are virtualizing your example box, you're doing it wrong.

    But what if half the webservers drop off because the circuit which powers that side of the cage went down? And the 'redundant' power supplies on your machines weren't really 'redundant' (Thanks Dell)?

    Get a better UPS setup. If you have entire racks of systems that fill a cage, and your servers all shut down because their power died, you're doing it wrong. Rather than plugging all of the servers into individual UPS systems, get a UPS that covers all the circuits for the cage. And a generator.

  12. Think of the future! on Reporting To Executives · · Score: 1

    More than anything else, executives don't want to be surprised. Giving them the weekly page response numbers is fine, but what they really need is forward-looking analysis based on those numbers and your experience. Something like "looking at the current load capabilities of our web servers, we will probably need to spend some capital on additional web servers if we add more than 500 additional reporting sites. Looking at our current growth rate of adding 50 sites per month, it looks like that money will need to be spent in less than 10 months to support continued growth." What they REALLY hate is when you run into their office at 12:30 on Friday afternoon yelling "Our systems hit the wall with that last new customer. I need $25k NOW!" Also, you've covered your butt by notifying them about serious issues that could affect the business with enough time to plan.

    They may not actually spend the money that you have recommended, but if you have a trail to document your recommendations, you may be able to avoid getting blamed when the web servers can't handle the load when that big new customer gets signed.

  13. They are making it worse on Massive Power Outages In Brazil Caused By Hackers · · Score: 1

    I follow a number of security-focused mailing lists, and about once every two or three months someone posts something like this: "Help! The plant managers at $CRITICAL_INFRASTRUCTURE_SITE where I work want to have all the formerly air-gapped SCADA systems accessible via a web browser from any internet-connected PC so they can check the plant status from home, on vacation, while at conferences etc. I haven't been able to talk them out of it, can anyone help with a better argument?"

    What reasoning do you propose to people whose response to the argument of "if we are hacked, the loss of life and bankruptcy of our company will come back to you" is met with "you IT guys are too paranoid"?

    Until people start going to jail, profit and convenience will trump everything else.

  14. Re:Sorry, what you're asking for is too easy to ab on Reusing Old TiVo Hardware? · · Score: 1

    No, I don't, I believe that falls under acceptable use. I don't necessarily agree with the "Don't hack your Tivo" attitude either. I'm just trying to bring some clarification as to why the "don't steal from Tivo" folks try to also clamp down on the "repurpose my Tivo" folks.

  15. Re:Sorry, what you're asking for is too easy to ab on Reusing Old TiVo Hardware? · · Score: 1

    The problem is that repurposing a tivo would require the exact same skills, tools and methods as cheating tivo by stealing their service. Short of personally knowing the requester, there isn't a real good way to distinguish the hacker (repurposing) from the cracker (stealing service).

  16. I'm going to start up a new ISP: 1 terabit/second speeds!*

    *speeds may vary for transfers greater than one bit

  17. Re:Black Box ? on Toyotas Suddenly Accelerate; Owners Up In Arms · · Score: 1

    There are a few newer models on the road with this type of functionality (OnStar vehicles?), but most road-going cars do not have such a feature. It would create extra cost on the car, so unless the government mandates it as a safety feature or the dealers can sell it as an extra-cost option, I wouldn't expect that to change.

  18. Re:Yeah but on Microsoft's Lost Decade · · Score: 1

    I wish I could suck like that...

  19. Re:Poor QA on Why Computers Suck At Math · · Score: 1

    Yes, that was an absurd statement. Our military has tried just as hard as anyone else's to keep its failures under wraps. The classic example is the air force bomber that crashed back in the 50's, killing the entire crew. The military said they couldn't release the crash report because the plane was carrying super-secret experimental instruments. About 15 years ago, the report was finally made public. It turns out the plane crashed due to a known faulty system. It was known that the particular plane had not been upgraded, but the decision was made by the brass to continue flying the planes that had not been upgraded. Oh, and the plane was on a completely routine training flight, and was not carrying any secret equipment or cargo. As the Cylons said, this has all happened before and it will all happen again. Our government is no less guilty than any other government.

  20. Re:Hm on A Possible Cause of AT&T's Wireless Clog — Configuration Errors · · Score: 2, Funny

    Maybe some PHB equates packet loss with dropped calls, and told the engineers that packet loss would also equate to job loss. Not the first time a person in authority forces a bad configuration choice based on a complete misconception of a situation.

  21. Rethink your medium on Impressing Security Upon End-Users Visually? · · Score: 1

    It sounds like you want to send an email to all your co-workers with a link to something cool online. The cool link will then teach them not to click on links in emails containing supposedly cool things. Your delivery mechanism is exactly that which you wish your users to avoid. I'm starting to come around to the school of thought stating there will never be enough motivation for corporate users to learn this stuff, so it is futile to try.

  22. Let me get this straight... on Hulu May Begin Charging For Content Next Year · · Score: 3, Insightful

    Broadcast networks have existed for more than fifty years on a model that had massive overhead but was free to any user within range of the signal. Now, there is a way they can provide their same product via the internet with massively lower overhead, but they can't figure out how to make money like they used to? Or even make money at all? Did these guys all go to the school with an MBA program that taught them to find a stable company that looks like it would run on autopilot, and just cash the checks as long as the good times last?

  23. Re:Doom on A Look At How Far PC Gaming Has Come · · Score: 1

    Myst was just a slideshow of pre-rendered scenes. It looked epic for its time, but since it was basically a (very clever) hack around the lack of graphics horsepower of the time, it didn't contribute anything to the advancement of the art. I see it as an evolutionary dead-end.

  24. Math: The Musical! on New Comic Book About Logic, Math, and Madness · · Score: 1

    I can't wait until "Math: The Musical!" is making the rounds off Broadway.

  25. What will the cap be like? on SBC Planning 15-25Mbps DSL Networks · · Score: 2, Interesting

    Comcast already harasses the 5% of their users that rack up the highest transfer totals. This is generally acknowledged to be about 90 gigs/mo. If SBC suddenly starts giving out 25 mb/s down, you could easily go over this limit in less than a day. What will SBC do when users start topping 1 terabyte of transfer each month? It's all well and good for them to say they are going to give me a gb/s 'net connection, but are they going to cancel my service for violating their purposefully vague terms of service when my transfer rates break their ROI calculations?