Slashdot Mirror


User: Anti-Trend

Anti-Trend's activity in the archive.

Stories
0
Comments
158

Comments · 158

  1. Re:PFsense on Routers Pose Biggest Security Threat To Home Networks · · Score: 1
    Been there, done that. pfSense isn't bad, really; just the implementation has some ugly hacks under the hood that make edge cases exceptionally painful, and pf itself (the filter for which pfSense is named) isn't the best for scalability. It's probably fine for most users though -- certainly better than your typical lowest-bidder, unpatched firmware image from who-knows-where. I ran pfSense for years -- I guess about 5 -- and wrote an article about it not too long ago. Eventually moved to a low-power Atom 1U and VyOS (brand new community fork of Vyatta, which Brocade has essentially killed off). I'm very happy with the results.

    ...if you're familiar with the Cisco IOS CLI, Vyatta is another solution...

    Vyatta/VyOS are actually a lot closer to JunOS syntax, FYI. Which is good, since recent IOS syntax makes less sense than ever.

    If you're not the DIY type, there's also Ubiquiti, who has their own fork of Vyatta called EdgeOS. Ships standard on all their EdgeMAX routers.

  2. Re:Oh, the surprise. on Leaked: Obama's Rules For Assassinating American Citizens · · Score: 1

    You don't want to get blowed up, don't stand with the enemy. American citizenship has no bearing if you are actively engaged in planning WAR against the USA.

    Also, don't attend any weddings, either. The trouble is that the state can just hit any random person or location they want, and come up with a justification later. Worse, this is happening in countries in which we have no formal declaration of war, which is a violation of the Geneva Convention. Violating that convention, being signed and ratified by US dignitaries, is also a violation of the US constitution.

  3. Re:Your best bet is to on Leaked: Obama's Rules For Assassinating American Citizens · · Score: 1

    Nobody at this point actually thinks their pathetic handgun is going to protect them against tyranny by a government armed with SWAT teams, drones, and nuclear missiles, do they?

    Actually, there is a precedent. Ever heard of the battle of Athens?

  4. Re:oildrank on Quantifying, and Dealing With, the Deepwater Spill · · Score: 1

    Never has the term "Anonymous Coward" been more appropriate.

  5. Re:It's worse than that - My boss got one! on New "Spear Phishing" Attacks Target IT Admins · · Score: 1

    Is there any way I can volunteer to blacklist my own site before this gets out of hand?

    Yes! Simply give me your IP range, open up your firewall to the following /24, and I'll get started on that immediately.


    Off topic, but is the UI of /. becoming more slow and unresponsive all the time, or is it me?

  6. Open ranges of IPs on a firewall without question? on New "Spear Phishing" Attacks Target IT Admins · · Score: 1

    Over my dead body. If another sysadmin or an engineer asks me to poke a single pinhole to a single IP, we have a discussion about the implications. More often than not, we can avoid that whole mentality and pull rather than push from the server in question. If I got such a request from an outside source, you can bet the scrutiny over the issue would be 10x more intense. In a situation where somebody was to fall for something like this hook, line and sinker, I'd argue such a person shouldn't have administrative access to things like corporate firewalls in the first place.

    On the other hand, in my younger days I was a network engineer. I ran into more than a few networks of huge multinationals that were designed about as poorly as you could imagine. Oh they had expensive hardware, and plenty of engineers who loved to sign their correspondence with the usual alphabet soup following their name and title. But you can only explain how a static route works to a corporate network admin so many times before you start becoming cynical about the whole thing. I can easily imagine one of those guys opening up an IP range willy-nilly on a firewall, and not realizing it until long after the damage was done. You might be surprised how often this kind of thing happens.

  7. Re:oh god no on Should Obama Give Stimulus To Open Source? · · Score: 1

    In point of fact, I'm not in favor of the "bailout" either. Wall Street got us into this mess, I say let them sink. Same goes for GM. They bought up and dismantled a lot of public transportation after WWII, it'd be poetic justice to nationalize them (at the expense of the shareholders) and use their workers and facilities to build public transportation.

    On the topic of public works however, I see that as a totally different topic. You may not use parks, libraries, schools or museums either, but others do. Their impact on society is a constructive one. Open source is along that vein. And if you don't think you use open source, think twice. The webserver you're on is powered perhaps entirely by open source and the open standards built around it. The routers you use to connect to this server are almost all either running open source directly, or are based on some descendant of FreeBSD which is open source. Without OSS, the internet as you know it would simply not exist.

  8. Re:oh god no on Should Obama Give Stimulus To Open Source? · · Score: 2, Insightful

    So when they throw money at banks and big industry, it's good. When they throw money at something that can potentially benefit everyone, it's bad? I don't get it.

    To me, open source is a resource. The more of it we have, the more competitive we can be. Not just in the IT sector, but everybody who uses computers as part of their business process. It's like building a park or a library. Sure a few people make their living off of the implementation and upkeep of those resources, but the important part is the resource itself. It contributes in a much larger way than the salaries of those commissioned to work on them.

  9. Re:Flash 10 hangs my browser on Linux Now an Equal Flash Player · · Score: 1

    Yeah, I have the same experience on 3.0.4pre. Did they even bother to test it before shipping? I know Linux has a smaller desktop share and everything, but this is some pretty basic QA we're talking about. If Adobe's trying to improve PR with the OSS crowd, this certainly isn't the way.

  10. Re:The Great Hammer Challenge on The Great Zero Challenge Remains Unaccepted · · Score: 1

    Seriously, the data recovery people are in business to recover **accidentally** deleted or damaged data. Deliberately deleted is another story altogether.

    Disclaimer: I'm not intending to create a flame war here, merely proposing something to think about.

    There are plenty of scenarios where one could accidentally zero their HDDs. It is indeed destructive, but there are much worse things to do to one's data (theoretically of course). I routinely zero drives which I know have been present in software RAID arrays before re-adding them to different arrays. This is to be absolutely certain that the disc will only have the superblocks it's supposed to have and not leftover ones from memberships in old arrays. With this in mind, if after a 3:00am firefighter session somebody accidentally dd'd a healthy disc instead, things could get ugly. At that point, calling a data recovery company to recover data from a zero'd disc might be warranted.

  11. Re:Do many companies really do EFM recovery? on The Great Zero Challenge Remains Unaccepted · · Score: 1

    That's the point of this challenge; it's because they don't think it's possible and all the smart people already know it's not possible. This is just to dispel the myths. Data destruction can be trivially achieved with just dd and /dev/null.

    ... I think you meant /dev/zero, but I'm not intending to nitpick here. :) That said, I agree. The recovery of zero'd out data is pretty damn difficult at best, especially if you have no idea what you're looking for in the first place. A zero wipe is probably enough for just about everybody.

    Besides, a paranoid multiple nuke scenario where you're overwriting random garbage over a hard drive for days at a time will wear it out and make it much less useful. If you're going to destroy it, might as well crush and incinerate it; much more secure than hashing anyway.

  12. Re:Nice try, but no on Kaminsky DNS Bug Claimed Fixed By 1-Character Patch · · Score: 1

    Really?

    You basically said:

    It doesn't stop all attacks.

    No, but it's better than nothing.

    I think maybe what he's saying is that the fix isn't good enough. It's not very elegant as it breaks long-standing functionality in DNS, *and* it doesn't fully address the issue. Perhaps the gist of what he's saying is "let's think on this one a little harder before committing lame fixes and thereby shooting ourselves in the collective foot... again". (Of course, feel free to correct me if I'm wrong, Dan!)

  13. It's not about the bug/feature, it's the principle on Pidgin Controversy Triggers Fork · · Score: 1

    I am running Pidgin 2.4.1, and didn't even notice; apparently this bug/feature is very low-impact on my usage habits. But it seems to me that the big problem is the attitude of certain central developers. "This is the way we're doing it, and if you don't like it, fuck off and die!" Open source is all about community. No community and the projects wither.

    I mean, look at the XFree86 project. They decided they knew what was best, and the dumb community could just go to hell if they didn't like it. Cue the X.org fork... do you even have any machines around which still run XFree? I don't.

  14. Sounds like MS "Evangelism" to me. on Iron Man's New Villain — an Open Source Terrorist · · Score: 2, Interesting

    I can really only think of one company that would be "terrorized" by open source...

    Ironic, really. One would think Steve Ballmer would be the ideal anti-hero.

  15. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 1

    What you suggest is counter-intuitive for users -- having them want to reach google and get some other page? That's a terrible idea.

    You're right, it would be a terrible idea. That's also not what I'm suggesting at all. What I meant was to put a small link in an unobtrusive place stating that www.google.com is being proxied. Link goes to your blog page on that topic. This would be in the interest of keeping the "Open" in OpenDNS. If that kind of thing was put in place anywhere you get a DNS redirection back to an OpenDNS.com-hosted facade for whatever reason, "techies like me" will be able to recommend OpenDNS in good conscience.

    I know it would probably add a little overhead, and maybe even a few headaches to implement. But maybe that's just another good reason why you shouldn't tamper with legitimate host entries like www.google.com.

  16. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 1

    No, we give everyone the CNAME. Now you're just arguing semantics.

    So the fact that you give them a CNAME with no A-record changes the point I was trying to make? Are you still intercepting lookups to www.google.com and resolving to your own servers, or are they really going to google? According to what I've observed, it's the former. That's the fundamental issue, not what type of DNS record you're using. Of course, you knew that when you posted your reply, so I'm getting off track.

    If OpenDNS wanted to be truly transparent about the process, why not throw a little warning tag on your fake google front-end? You could even use the opportunity to link to the blog justifying why OpenDNS made that decision to begin with.

  17. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 1

    We put the CNAME in to be transparent to people like you who use host or dig.

    ...But you can silently feed a bad A-Record to people who aren't savvy enough to check. To them, it's just www.google.com. This is the slippery slope that so many /.'ers get worked up about on the topic of network neutrality.

  18. Re:OpenDNS Guide on RoadRunner Intercepting Domain Typos · · Score: 1

    You don't understand what we're talking about, I think. We're talking about resolving www.google.com, not www.goofgles.com or some other typo. When you do a lookup against OpenDNS asking for 'www.google.com', they reply back with one of their own IP addresses instead of Google's real IP.

  19. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 2, Insightful

    Just curious, but would you feel better if they appended an element to the page to give you a little message saying you typed the URL wrong?

    Good question. The answer is that I would be more likely to recommend OpenDNS to less technical people who don't know how to set up a local DNS cache. For me, I want vanilla DNS that will give me the straight dope, none of this fuzzy DNS B.S. In other words, I won't use DNS servers that don't give accurate forward lookups, no matter their intentions.

  20. Re:Actually, OpenDNS is OPTIONAL on RoadRunner Intercepting Domain Typos · · Score: 1

    We were talking about OpenDNS' intercepted/misdirected forward lookups to www.google.com (not typo'd), not about the typo correction feature.

  21. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 2, Insightful

    Still, the fact that they are hijacking the forward lookup without indicating that it's hijacked is all wrong to me. If I can't trust OpenDNS to just resolve a site to the correct IP address, I don't really care about their justifications. It's simply no longer an option for me. I suspect a lot of others feel the same way.

  22. Re:Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 1

    Yup, still works for me:

    $ dig @208.67.222.222 www.google.com

    ; <<>> DiG 9.4.2 <<>> @208.67.222.222 www.google.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6858
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 30 IN CNAME google.navigation.opendns.com.
    google.navigation.opendns.com. 30 IN A 208.67.219.230
    google.navigation.opendns.com. 30 IN A 208.67.219.231

    ;; Query time: 23 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Tue Feb 26 11:28:03 2008
    ;; MSG SIZE rcvd: 104

  23. Actually, OpenDNS is even worse! on RoadRunner Intercepting Domain Typos · · Score: 4, Interesting

    OpenDNS is actually substantially worse. At least Roadrunner is obvious about the fact that you're visiting their servers. With OpenDNS, it seemed they were actually proxying requests for well-known search engines that were *not* typo'd in order to grab stats. Try setting your DNS resolvers to OpenDNS, then dig (or 'nslookup' for you Windows folks) www.google.com. Do a whois on the resulting IPs, and guess who they're registered to... Google? Nope, OpenDNS! At least, last I checked -- that was also the last time I used OpenDNS.
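As an added detection example (editor's code, not part of the thread and not OpenDNS or Google tooling), the following Python parses the dig answer quoted in comment 22 and flags the interception comment 23 describes: it follows the CNAME chain from the queried name and reports when the chain ends in a different registrable domain than the one asked for. The sample input is the thread's dig output embedded as a constant; the "last two labels" registrable-domain rule is a deliberate simplification.

```python
import re

# Constructed sample: the dig answer quoted in the thread above, trimmed to
# the sections this parser reads.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.219.230
google.navigation.opendns.com. 30 IN A 208.67.219.231
"""
# owner  TTL  IN  type  rdata  (only the record types this check needs)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_answer_section(text):
    """Return (owner, rtype, rdata) triples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;"):           # section header or status line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_RE.match(line) if in_answer and line else None
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records

def registrable_domain(name):
    """Last two labels; a real check would consult the Public Suffix List."""
    return ".".join(name.split(".")[-2:])

def follow_cnames(records, qname):
    """Follow the CNAME chain from qname; return (final_name, [addresses])."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    name, seen = qname.lower().rstrip("."), set()
    while name in cnames and name not in seen:   # guard against CNAME loops
        seen.add(name)
        name = cnames[name]
    addrs = [r for o, t, r in records if o == name and t in ("A", "AAAA")]
    return name, addrs

def detect_redirect(dig_output, qname):
    """(redirected, final_name, addrs); redirected is True when the chain leaves qname's domain."""
    final, addrs = follow_cnames(parse_answer_section(dig_output), qname)
    return registrable_domain(final) != registrable_domain(qname), final, addrs
```

Run the same check against a resolver you trust and compare: an honest answer for www.google.com ends inside google.com, the intercepted one above ends in opendns.com.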

  24. Funny comment, but root means nothing :) on Slashdot's Setup, Part 1- Hardware · · Score: 1

    If the /. sysadmins are smart, and you know they are, direct root login is disabled anyway. You'd have to get perimeter access, then get a shell with wheel access in order to even try. Hell, I could give you all of my root passwords and my IPs right now and you still couldn't login with it.

  25. Re:Greylisting to the rescue! (or not) on Spam Hits 95% of All Email · · Score: 1

    I'm sure you have seen reduced spam as a result of greylisting, since many spammers currently won't retry. That said, the heavy-hitters all do. Additionally, the newer versions of automated spam scripts floating around have all improved on their greylist bypassing, as described in my earlier post on this thread. They simply move your MX to the end of their long spam list and hit you again later. So, while greylisting may be fairly effective for you presently, even the lesser spammers and zombie PCs are adapting to greylisting. Over time, you'll see that method only continue to degrade in effectiveness. Also, you are adding a delay to each email. So while that is viable for you (I don't mind a delay either), for many companies it's not even an option.