Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories: 0
Comments: 7,948

Comments · 7,948

  1. Only weird applications still need token ring on Does Anyone Still Use Token Ring? · · Score: 4, Insightful
    Sometimes you've got old IBM equipment that was working fine in the early 90s and you didn't replace for Y2K, and because you don't want to touch the computers, you don't need to change the routers. Or sometimes you've got a building cable duct full of asbestos so you don't want to touch it, but there's too much metal in the building for wireless to work reliably. Basically, token ring was old a decade ago.

    I've had one customer for whom token ring on Shielded Twisted Pair wiring was the right choice even after Cat5 Ethernet cards were cheap - they had lots of Big Electrical Equipment, and the alternative would have been to do fiber, which was cost-prohibitive back then, plus they didn't really need high data rates.

    Performance differences weren't really all that significant for the different technologies, except for obvious base-rate differences (100 Mbps >> 16 Mbps > 10 Mbps > 4 Mbps.) Even if they were, Full-Duplex Ethernet (which is pretty much universal these days if you use switches instead of hubs) doesn't have the same issues that half-duplex does.

  2. Banks and Credit Cards Should Bait Phishers on Certified Email Not Here to Reduce Spam · · Score: 1
    There are too many suckers and too many people who occasionally make mistakes to ban them all.

    But banks and credit card companies should be playing the other side of the game, baiting the phishers.

    • You get a phishing mail and forward it to the bank.
    • The bank clicks on the website and fills in the blanks with a fake account number.
    • When the account gets used, reject the transaction and trace the user.
    • If you find a frequent user that you can trace adequately, bust them.

  3. Goodmail and AOL on Certified Email Not Here to Reduce Spam · · Score: 1

    You don't actually pay AOL, you pay Goodmail. Goodmail's web site says that they've got very strong policies against spammers and that they respond to complaints, so if you're a spammer, not only do you have to pay them too much money per message for typical spams to be profitable, but they'll bust you if they get too many complaints.

  4. Windows Reinstaller + Knoppix on Useful Apps for First-Time Windows Users? · · Score: 1
    One of my neighbors just had her Windows machine get thoroughly wedged, to the extent of needing to use the Re-Install Windows utility that her PC manufacturer provides. She didn't trust it to be a non-destructive re-install, so I brought over a Knoppix disk and a USB disk drive, and we backed up her data safely. Fortunately the Windows reinstall went fairly safely - no user files got lost, though a few utilities, Start Menu items, etc., got trashed, Adobe got de-updated to Version 3.0, etc.

    This *was* Win98SE - it's worked pretty well for most of what she wants to do, and upgrading to XP would mean giving $100 to Bill Gates and $50-100 to memory chip vendors, and she hasn't felt motivated to do that as opposed to waiting until she gets a job and then buying a more current machine. But she and I don't expect that XP reinstalls would be that much cleaner.

  5. Filtering DNS or NTP can be easy on D-Link Firmware Abuses Open NTP Servers · · Score: 1
    • First of all, he doesn't need to permit traffic from a continuously updated list of all of Denmark, though that could work. He's got a couple thousand users, each of whom went to non-zero effort to point their NTP to his server, and he _could_ ask them to click a webpage with their addresses to update the list. Alternatively, BGP isn't really that hard to do, and you can set it to reject anything more than one or two hops away (depending on how the IX is set up.)
    • You don't have to identify strangers too precisely - if you get rid of most of them, that's good enough, and probably most of the D-Link users are coming from the US, not Europe, so pretty crude is good enough.
    • Second, on Cisco routers, there's a fast easy way to do simple filtering without burning up the CPU, which is uRPF. It basically rejects any packet that comes from an IP address that's not in the router's routing table. Juniper's got some similar mechanism, and you could probably do it with Zebra/Quagga/OpenBSD routers easily enough as well.

    • But the fun place to do the filtering isn't on the NTP packets - it's at the DNS server, so that people who aren't allowed to hit your NTP server never see its IP address at all.
      • Either crudely set up a router to uRPF-reject traffic from strangers (in which case you'll lose both the DNS and NTP requests),
      • or else use a DNS system that's set up to only give correct results to friends and not to strangers. It's easy to set up DJBDNS's dnscache to reject requests from strangers; if you want to point strangers to a different address instead, that's probably more work unless another package does that well.

  6. Paying would be much cheaper than stonewalling on D-Link Firmware Abuses Open NTP Servers · · Score: 1
    It looks like they'd need to pay him about $20K once and $10K/year for the service costs, or maybe $75K total for 5 years (he says $62K, but give him some slack here.) That's about 200 hours of lawyer time, or 300 hours of engineering-consultant time, or 1000 hours of operator-grunt time. So if they _wanted_ to do the right thing and set up their own DNS servers in Europe, it might cost them that much anyway, and if they didn't want to do it, he could cause them to spend more lawyer-money than they'd save by paying him.

    Given that it's their negligence costing him money, they ought to just pay him anyway, but if they want to do the right thing here, they also ought to pay him.

  7. Why Home Routers Need To Know The Time on D-Link Firmware Abuses Open NTP Servers · · Score: 1
    There are two reasons home routers and similar little boxes need to know the time:
    • Keeping logfiles accurately
    • Serving time to other home boxes
    Even if you haven't set things up to run on a common time source, it's really helpful to have logfiles with the correct time in them.

  8. Javascript makes AJAX inherently unsafe on Is Your AJAX App Secure? · · Score: 1
    It's important to make sure your AJAX code is well written, and maybe using SSL with it can help protect your code as well. But the big security problem is that if you're running AJAX, your user has to turn on Javascript in their browser, so if they view a web page that's written by somebody malicious and haven't turned Javascript back off first, they're toast. There are Firefox extensions that let you enable/disable Javascript on a per-site basis, and IE has some similar features, but if your users aren't forced to use them, they're probably running wide open.

    As far as _your_ applications go, your server does need to validate any input it gets and only accept correctly-formatted content. Your client should too, but if your server gets cracked then everybody who uses it is at risk. There's very little news there about AJAX that wasn't obvious 30 years ago when my college professors were telling their classes to assume that all input is potentially malicious and malformatted and testing our homework projects to see what they did if fed bogus data - you still have to defend against that.

  9. compress /home/user/same-old-crap-again-v3.ppt on New 25x Data Compression? · · Score: 1
    "/home/user/same-old-crap-again-v3.ppt is the same proposal as /home/user/same-old-crap-again-v2.ppt except the shipping date slipped by a year!"

    Sure, I don't see 25:1 happening for arbitrary data types, but in the corporate market there is a lot of redundancy if you're clever enough to be able to identify it, especially for corporations that are large Microsoft Office + Microsoft Outlook users (which is to say "most large corporations".) A lot of the documentation is the same file attachments getting sent around to multiple people, often kept in Exchange mail servers as opposed to individual desktops, or documents that substantially re-use previous documents. Depending on how granular you want to be and how entrenched in the more bloated Microsoft formats you want your code to be, you may be able to find most of your document already in storage, as long as you've got indexing capabilities to look for it. Maybe you just look for hashes of whole documents, or maybe you look for documents with similar names and internal tags and start comparing pages.

    Video compression is well-known to use this kind of approach - you've got an initial frame with reasonably-high resolution picture, then you track the changes, usually by some model that breaks the picture down into objects that move a bit. ... And then there's music compression "It's the same old country song with the same three chords in G, she's left him and she ain't coming back, except there's this little 6-note riff at the end of the chorus when he says she took his dawg with her too."

  10. Intel MacOS runs on top of Virtual Server on Microsoft Providing Virtual Server Free · · Score: 1
    Hey, if it's still April 1, might as well go for the whole flying hog!

    So MacOS runs on top of Intel machines, then obviously it ought to run on top of _this_ machine. Once in a while you'll want to push the MacOS window aside and look at the Evil Empire OS server so you can run Windows-based games, but otherwise you get to run in MacOS. Imagine it as a demo disk that Just Installs, and while it's there it runs Reality Distortion Effect popups to remind you that you _could_ just junk Windows entirely and buy the real MacOS, which would run faster and could talk to the sound card.

    Of course, you could equally well imagine an environment that has native MacOS underneath and runs Windows in a virtual machine for the occasional times that you want it, but who'd want to do something silly like that :-)?

  11. I'd *love* to run this on the home desktop on Microsoft Providing Virtual Server Free · · Score: 1

    That'd let me run a VM server (theoretically don't care which OS), with a WinXP client on top for my wife to use with disk space that's really dedicated to her use, a WinXP client for me to use for iTunes and other Windows toys, and a Linux client or two that I can run a web server and generally develop on.
    I'm assuming that the desktop provides some convenient way to switch between VM clients? It's probably not easier than hitting Alt-Shift-F6 or whatever, but if it means not needing to re-render the whole Windows environment when my wife wants to use the machine, then it's faster than the current WinXP user switching.

  12. WTF does 180solutions Do? on An Interview with 180 Solutions · · Score: 1

    I gather from context that they do something in the spyware business, and Wikipedia has more detail, presented in a relatively neutral lawsuit-avoiding manner. But what do they really do? Pay people who trick\entice users into installing their software and collect money from ads that it displays? Is their software obvious and removable these days, or is it near-rootkit invisible?

  13. Where's the Torrent File? on Download-only Single Becomes UK Number One · · Score: 5, Funny

    Oh, wait, they're actually counting downloads people *paid* for? :-)

  14. WTF is it? The web page doesn't say on 10 Things Apple Did To Make Mac OS X Faster · · Score: 1

    After looking 3-4 levels deep into the web page, I still can't say what Quicksilver does or why I'd want it. It seems to be for the Mac, and it seems to be some kind of code launcher, but I can't tell what it really does or why it does something better than the native Mac tools.

  15. Laptops Shutting Down UnCleanly on 10 Things Apple Did To Make Mac OS X Faster · · Score: 1
    Sure, journaling file systems are useful if your desktop machine randomly shuts down when the power fails or somebody kicks the cord out, and laptops _do_ run out of power regularly. But if a laptop's going into low-power shutdown, it should detect that it's in trouble when it's down to (e.g.) 1% power and do a save to disk, rather than just running until the last possible second and choking. Windows laptops don't always restart cleanly from hibernation, but at least they _try_, and you can set them to do various levels of clean shutdown before they choke and die - I would have expected Apple to have gotten this right.

    Of course, nobody's going to do a better job than some of the capability-based operating systems like EROS or its predecessor KeyKos - friends of mine had fun at trade shows in the 80s unplugging their hardware while it was running, plugging it back in again and having the same applications running from where they left off, much to the annoyance of the "fault-tolerant computer" vendors at the next booth who weren't willing to risk doing the same.

  16. Preemptive Kernel made a big difference in UI perf on 10 Things Apple Did To Make Mac OS X Faster · · Score: 1
    The pre-emptive kernel hacks (which were available as add-ons during some of the 2.4 period, but became mainstream for 2.6) were definitely a big improvement, and it's generally claimed that they make the biggest difference to GUI performance, so it's a bigger impact on *perceived* performance than on actual speed (unless you're doing millisecond-scale real-time hardware stuff.) So yeah, the g*p article saying 2.4->2.6 was a bigger jump than you're likely to see for a while is probably correct.

    Of course, the faster-than-Moore's-law changes in RAM and disk sizes and prices during that time period don't hurt either - my machines really did go a *lot* faster with 512MB of RAM and an uncrowded 120GB disk drive than 128MB and 2GB, and even though BitTorrent music downloading has made the disk drive no longer empty, it's still enough larger that it's usually much less fragmented and installations are a lot cleaner.

    The next big performance jump is likely to be use of Flash memory as disk cache - you can get 2GB for under $100 these days, and even crude steps like installing all of the OS and libraries onto flash is likely to be a big win, because you eliminate disk-rotation and disk-seek latency from your typical system performance - doing more intelligent things with caching programs or translucent file systems or possibly even putting journaling onto flash may make a bigger difference, though especially journaling needs to be done carefully to avoid overuse of flash's write cycle limits (though I gather that's much less of a problem with newer flash technology than older stuff.)

  17. Compare WinME to 98SE, not 2000 on 10 Things Apple Did To Make Mac OS X Faster · · Score: 1
    WinME was yet another update to the Win95 chain of consumer-oriented operating systems that descended from Win3.1 and all that ugly backwards compatibility to make sure older Games still worked. Win2K was an update to the Windows NT chain of business-targeted operating systems, which was originally developed by a team led by Dave Cutler of VMS fame, which had an Actual Operating System kernel and a Win3.x/95 compatibility layer hacked on top of it.

    NT3.51 was in theory much more stable than Win95 (except that it didn't include working power management drivers, because it pretended to be a "Server operating system, not a Desktop operating system", so it would blue-screen when your laptop ran low on battery and sent power-management interrupts, which was unfortunately strongly correlated with whether I caught the express train or the slower local train to work :-)

    Win2000 was fairly stable, though unfortunately some time around NT4 or Win2K they moved the graphics system into the kernel for performance reasons, so it could still die in ugly mysterious ways, but it was at least much nicer than older Win95-derived versions. WinXP actually works really well for me - it's fast and relatively stable, though it still dies every couple of weeks on my laptop: almost never with an actual bluescreen unless my hardware's acting cranky, but usually with something stalling the window system or the mouse when it's waking up from hibernation.

    WinME convinced me that I should have no guilty feelings about pirating Microsoft operating systems - I'd bought Win98SE because it promised that Internet Connection Sharing would let me actually share my Internet Connection (lies!), and I bought WinME because it promised that the new version of Internet Connection Sharing would let me actually share my Internet connection (this time for sure!) (lies again), and that it would be more stable (lies! though 98SE has been more stable than 98.) I had half a dozen lab machines with 98SE, and had no qualms about reusing it when the hardware died, especially since I was running Linux on most of those machines anyway. On the other hand, XP's copy protection looks sufficiently workable that I decided to buy a separate copy of XP for my mother-in-law's machine, which had a WinME version sufficiently infested with spyware, IE Toolbar "helpers", popups, etc. that it was much cleaner to wipe it out to bare metal rather than attempt to reinstall ME cleanly.

  18. Banks/EBay/Paypal not even using SPF/DKIM on Phishing Steals Spotlight at MIT Conference · · Score: 1
    Sure, phishers can try sending mail from mycitibank.com and c1t1bank.com, and occasional suckers will fall for it, and the general public doesn't understand digital signatures well enough for those to help. But most of the major phishing targets, such as banks, eBay, Paypal, eGold, etc. aren't even doing simple passive stuff like advertising SPF for their domains so your spam filter can at least discard the emails claiming to be from citibank.com at random zombie IP addresses.

    Aside from the email-protection activities, what the banks, paypal, etc. also ought to be doing are active poisoning attacks on phishers - when somebody gets an obvious phish from examplebank.phishersite.com and forwards it, Examplebank ought to click on the links in the mail, put in a fake credit card number, and then nail anybody who tries to use the card. Once phishers start getting 99% of their phished credit card numbers being invalid and 1% leading to successful prosecutions, there'll be a lot less phishing. It won't kill it all, but if you get rid of the low-hanging fruit, you can at least cut back on a lot of the spam and discourage the dumber half of the phishing business.
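
The "simple passive stuff" the comment asks for, as an added example that is not part of the original post: a receiving filter evaluates the sender's published SPF policy against the connecting IP and discards mail that claims a domain but comes from an address the domain never authorised. Real checks query DNS TXT records; here a constructed table of records for documentation-only domains stands in for the resolver, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Minimal SPF evaluation for an inbound mail filter (added example).

The TXT table below is constructed for the example; the domains and
addresses are documentation ranges and not anyone's real policy.
"""
import ipaddress

TXT = {
    # Bank publishes its outbound relays and delegates to a mail sub-zone.
    "examplebank.example": "v=spf1 ip4:203.0.113.0/26 include:_mail.examplebank.example -all",
    "_mail.examplebank.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # Domain that publishes nothing, like the banks the comment complains about.
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip: str, domain: str, txt=TXT, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for a
    connection from `ip` claiming to send as `domain`."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                       # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                # catch-all: this is the domain's verdict
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"       # malformed record: do not guess
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only if the referenced policy yields "pass"
            if check_spf(ip, value, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a, mx, ptr and exists need live DNS and are out of scope here
    return "neutral"                     # nothing matched and no explicit "all"

def filter_decision(result: str) -> str:
    """What the receiving spam filter does with the verdict: a hard fail
    from a domain that publishes -all is the case worth discarding."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")

# Constructed inbound connections: (connecting IP, domain in MAIL FROM).
INBOUND = [
    ("203.0.113.5", "examplebank.example"),    # the bank's own relay
    ("2001:db8::1", "examplebank.example"),    # authorised via the include
    ("192.0.2.44", "examplebank.example"),     # zombie claiming to be the bank
    ("192.0.2.44", "nospf.example"),           # no policy: nothing to check
]

def main():
    for ip, domain in INBOUND:
        verdict = check_spf(ip, domain)
        print(f"{ip:>14} as {domain:<28} {verdict:<8} -> {filter_decision(verdict)}")

if __name__ == "__main__":
    main()
```

The last row is the comment's point: with no record published, the zombie's forgery is indistinguishable from legitimate mail, and the filter has nothing to act on.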

  19. Entirely incorrect understanding of OTPs on Totally Random One Time Pads · · Score: 1
    If you've got a copy of a one-time pad and don't know the starting point, you can drag through it until you find the right starting point - various spy agencies were doing that in the 1950s mostly by hand, for instance in the NSA's Venona intercepts of Soviet traffic. It's a bit more complex here, because the signals are analog, so the digitization has some parameters to it that need to be determined, but it does actually get used digitally, so it's searchable.

    The reason OTPs work is that if each bit in the pad is independently a 50% probability of being 0 or 1 and you don't have access to the pad, there's no way to tell if the message was 0 or 1. But if you've got a copy of the pad, then the bits are no longer independent - from any given starting point, they're deterministic.
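
Both halves of the comment's argument, as an added example that is not part of the original post: without the pad, any candidate plaintext of the right length is equally consistent with the ciphertext; with a copy of the pad, dragging the ciphertext along it recovers the starting point. The pad here is a fixed pseudo-random fixture so the run is reproducible, not the truly random pad a real system would need.

```python
"""One-time pad: unbreakable without the pad, searchable with a copy of it.

Added example. PAD, MESSAGE, DECOY and OFFSET are constructed fixtures;
the pad is derived deterministically only so the demonstration repeats.
"""
import hashlib
import string

PAD = hashlib.shake_256(b"constructed pad fixture").digest(4096)
MESSAGE = b"MEET AT THE OLD BRIDGE AT MIDNIGHT, BRING THE FILES"
DECOY = b"THE DEAL IS OFF, STAY HOME AND DESTROY EVERYTHING!!"
DECOY = DECOY[:len(MESSAGE)].ljust(len(MESSAGE), b" ")   # same length as MESSAGE
OFFSET = 1337                                            # the secret starting point
CIPHERTEXT = bytes(m ^ k for m, k in zip(MESSAGE, PAD[OFFSET:]))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad_for(ciphertext: bytes, candidate: bytes) -> bytes:
    """Without the pad, every candidate plaintext of the right length is
    equally consistent with the ciphertext: this returns the pad segment
    that would produce it, and nothing distinguishes it from the real one."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return xor(ciphertext, candidate)

PRINTABLE = set(string.printable.encode())

def find_offset(ciphertext: bytes, pad: bytes):
    """With a copy of the pad but no offset, drag the ciphertext along it.
    The pad bytes are now deterministic per offset, so the single position
    that yields all-printable text stands out. Returns [(offset, text)]."""
    n = len(ciphertext)
    hits = []
    for off in range(len(pad) - n + 1):
        pt = xor(ciphertext, pad[off:off + n])
        if all(c in PRINTABLE for c in pt):
            hits.append((off, pt))
    return hits

def main():
    real = pad_for(CIPHERTEXT, MESSAGE)
    fake = pad_for(CIPHERTEXT, DECOY)
    print("pad segment for real message:", real.hex()[:24], "...")
    print("pad segment for decoy:       ", fake.hex()[:24], "...")
    print("decoy decrypts cleanly too:  ", xor(CIPHERTEXT, fake))
    for off, text in find_offset(CIPHERTEXT, PAD):
        print(f"offset {off}: {text!r}")

if __name__ == "__main__":
    main()
```

Both derived pad segments are equally random-looking, which is the 50% independence argument in the comment; the drag search succeeds only because the attacker holds the pad, which is why the analog noise source in the story is no defence once it has been recorded.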

  20. You can afford to play ball on Pay-per-email and the "Market Myth" · · Score: 1
    Sure, it's annoying, but if you're in business to make a profit, you have to pay for business expenses. If this affects a significant fraction of your customer base, you need to decide if it's worth a penny to email them, and if it's not worth it, it's not worth it, or else you find some other way to get the recipients to pay for it. If you're Not in a profit-making business, e.g. a recreational or political mailing list where you've got no revenue source, it's much more annoying.

    What's really annoying for business is the possibility that recipients' ISPs will drop your email silently as opposed to giving you an error message that tells you they did it so you can find other ways of contacting them. Even if it's not worth a penny for every email you want to send to somebody, it _might_ still be worth a penny to send them mail saying "Hi, AOL's blocking our email to you, please give us another email address or else get them to whitelist us."

  21. Re:No problem / Noscript on Ruby On Rails Goes 1.1 · · Score: 1

    That sounds like precisely what I want - I'll have to try it. Thanks!

  22. Hair's too thin for the ponytail these days on Sandals and Ponytails Behind Slow Linux Adoption · · Score: 1
    Actually I never did like wearing a ponytail - by the time my hair got long enough, it was usually too hot, and I'd started the male pattern baldness bit early.

    But I've got the graying beard down pat (currently in medium-length mode as opposed to ZZTop mode), and I'm wearing the black Tevas today to go with the black jeans, as opposed to the formal black Birkenstocks I wear to customers or the brown ones I wear with bluejeans :-)

  23. Suits vs. Sandals for Techie Audiences on Sandals and Ponytails Behind Slow Linux Adoption · · Score: 1
    Yup, been there, done that. I do Systems Engineer kinds of consulting, which means sales people drag me along to customers. For my customers in the Midwest, I'll wear a suit and tie until I see how they dress at work, and for banks it depends on whether I'm talking to the CIO or the working levels. But I wouldn't dream of wearing a tie to a typical Silicon Valley customer - as one of them said to me a decade ago "extra points because it's a Jerry Garcia tie, but we don't wear ties here". If anything, my job is to be the guy in the beard and sandals that the sales rep brings along to talk to the techies or look like an expert to management, and having me dress like a sales rep would defeat the purpose of having me there.

    I might wear a jacket, if the weather makes it appropriate, but if I do it's usually the tweed-professor-costume, not the 3-piece-banker costume, and I usually wear the formal black Birkenstocks instead of Tevas. At trade shows, the real costume choice is usually whether to wear a T-shirt from a project that's long-dead but interesting, or just a plain shirt, unless I've got booth bunny duty in which case I'll wear whatever color scheme and shirts the marketing people want to use so customers can tell staff from visitors.

  24. Re:Javascript is insecure - AJAX is security hole on Ruby On Rails Goes 1.1 · · Score: 1
    First of all I agree with you that client-side scripting can give you a huge amount of flexibility and improve application performance by letting you choose appropriate divisions of labor between the client and server sides of your network. I was working with people on problems like that in the early 80s back when graphics workstations were complex purpose-built boxes, Sun's NeWS did some really amazing things in the mid-late 80s (and because it was based on Postscript, it gave you really good control over what you drew on the screen, and what you saw really was what you got and what you wanted, and it was occasionally blazingly insecure and unstable as well), and Gosling used a lot of the lessons he learned from NeWS to develop Java.

    And while 95% of the Javascript out there really is bling, the new AJAX stuff has let people build some really cool stuff.

    But I disagree that Javascript has the same security models as Java - Java was built from the ground up with a security model that was critical to its deployability, while Javascript started out lightweight and had lots and lots of bandaids added to a fundamentally unsafe platform. Java has had the occasional implementation bug, which gets fixed, but the security model has been solid and secure - at the cost of being heavier-weight and sometimes slow. Javascript may be friendlier, and the bandaids do help a lot, but it's still simply Not Safe.

  25. Re:Laws hit ISPs because Foreign Spammers ignore t on Getting on Top of Spam Down Under · · Score: 1
    Sure, they've killed a few spammers who deserved it, and good for them! And they've chased a few others overseas, so they have to rent servers behind the Great Firewall of China or use zombies to send their dreck or even spend a few hundred dollars to start a corporation in the US or Panama or whatever so the AU government thinks they're foreigners and so their assets are harder to steal. But most of them can still operate, and thousands more spammers are waiting to take their place on the top 200 list. Perhaps Aussies are less interested in Nigerian Herbal Viagra than the rest of the world and spammers targeting them need to develop other products to separate fools from their money, and most of the phishing spam probably needs to target Australian bank customers instead of trying to get Australians to give out information on their US bank accounts, but that probably just means that you're less interested in the spam you get.

    But until the economics of the spamming game change significantly, the stuff won't go away, and the economics include the facts that worldwide communication is nearly free, worldwide money transfer is convenient, at least from modern Western economies, and suckers are born every minute.