Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.
Yes, but often the easiest way to set up a time server is to sync with a time server on the internet (e.g. ntp.pool org). As far as I can tell, a big reason for people to use NTP is that they don't have a reliable atomic clock of their own, so they sync with other people who do.
I hadn't spotted the "restrict... noquery" mitigation (which luckily I already had in place), but wouldn't servers still be susceptible to spoofed packets from one of the trusted servers?
If you close all your NTP ports you're not going to be able to sync with a time source on the internet. Once you allow responses to your NTP queries, then you can be spoofed and compromised.
This is a major bug in NTPd, so if you're using it on Linux, you'll want to patch it too (or switch to openNTP which isn't affected). The big problem is that it can be exploited with a single (specially crafted) UDP packet, so it's easy for malicious actors to probe lots of machines with very little overhead.
I don't know why you're so bothered about it. If you don't like it, you don't have to follow it (I don't). Look at it this way, the "paleo" people are testing if the paleo diet works and after several years we should get some free statistics on whether it makes any difference to health.
But yes, you're right about eating a balanced diet. That's the easiest, healthiest diet we know of for now (or maybe eat Japanese food; they seem to live a long time).
You don't necessarily need that. If we can figure out how to extend our lives by 15 years, then we've got another 15 years to wait for another advancement. Rinse and repeat.
Not quite. Maybe some people think that we should feel bad for going there, but not me (I think human culture is based on sharing whether allowed or not).
Off-topic rant, but why are submissions about the NTP flaw disappearing? I heard about the latest CERT advisory for NTP and saw that there was a Slashdot submission about it, but it later disappeared. I submitted a story earlier today (bored at work), and it's now disappeared from the "submissions" list. Here's the link if you're curious: http://slashdot.org/submission...
You might find that an advantage, but the genes only care about reproduction. Maybe if perfect skin helped you take care of younger relations, then it could be selected for.
It's quite likely that it would have some consequences (our bodies are very complicated systems), but it wouldn't have been subject to selective pressure if it only has a major effect after child-bearing age. There's no advantage (in terms of gene replication) in a 60 year old having perfect skin if they're not going to be having any more offspring.
If Sony were at all concerned about the safety of their employees' private data then they would have taken steps to protect it BEFORE they were hacked. Sony have an abysmal history of computer security and this latest travesty is them trying to close the stable door after the horse has bolted in an attempt to stop their chickens coming home to roost.
I think you're confused about isolator/insulator. Wires are commonly wrapped in insulation (e.g. rubber) to prevent them conducting. You can also put insulation into your walls to reduce heat loss.
An isolator is typically a mechanical switch that would completely disconnect an electrical circuit.
When you write $100.000 do you mean $100 or $100,000? I can't figure out why you've got three zeroes after the decimal point unless you're using it instead of a comma.
If the disks were members of a RAID set, then you'd have to steal them all at the same time otherwise you'd have inconsistent filesystems. With a bit of skill, you could probably read some data, but you'd be better off transferring data over a network as that wouldn't involve physical access to a server room (which typically has some kind of monitoring cameras installed).
Yes, they used faith rather than science, even though they were supposed to be conducting scientific experiments. Just because they were doing it wrong doesn't mean that you can extrapolate that to people who do it right.
That's reassuring, but I wonder why Apple have rushed out this update. How many OSX users run a public NTP server?
Really, what's one of those?
You're right, I can see it now. It definitely wasn't there yesterday as I was looking for it to see if it would get submitted.
You don't have to be running a public NTP server to be affected.
The U.S. by the look of things. I think it'd be a bit heavy-handed to call it a proportional response though as Sony is a lot smaller than a country.
You're welcome. I just switched to openNTPD as I mainly use Ubuntu and they don't seem to have patched NTPd yet.
Rihanna's "We found Dove in a soapless place".
Do you mean like the Call of Duty series?
However, if you had two AIs and one of them was focussed on replication, I'd imagine we'd end up with AIs competing for resources.
Don't forget leap years - 365 was quite accurate the last time Microsoft forgot about February 29th.
I'm disappointed that they edited out my original comment: "Office 365 (maybe an optimistic name)".