I just spent a few days shopping for laptops and you speak the truth. The lower end consumer laptops are all in the same ballpark. They all have the same resolution between 13-15", and you pay a $50-$100 premium to get the physically smaller laptop. Plus, all the consumer-targeted models have glossy screens which look nice and crisp, but have serious glare anywhere outside of a dark room. At least Dell still sells some with the matte screen and 7200rpm drives in their small business lineup. I ended up with a Vostro 3350 i5/3gig/320 for $450 from an Amazon vendor, which is about $180 cheaper than I could get it direct from Dell even counting all the ridiculous coupon crap that Dell does.
That's bullshit. You can compile almost anything yld on Linux, run any X11 WM you wish, etc etc.
Good thing you posted AC because you are a lying sack of shit.
He might, you might, and I might be able to. The problem is that the overwhelming majority of consumers don't. Some are lucky if they manage to get an Office Suite installed without help. Walled gardens and lots of hand-holding are appropriate for those folks. Linux, which has a near 100% guarantee of having to go to a command line to fix something, is not.
Not everyone can compile their own code, and damn few would even have a clue about where to find source code, much less alter and compile it. The many-eyes reviewing the code theory is also bunk. I bet there are fewer than 100 people who know enough about the Linux kernel to be able to contribute meaningfully to its development. Probably even fewer who would be considered trusted enough to be allowed to contribute.
Someone want to translate the summary? Or is this to be more evidence of lousy content and even worse editing? "as learnt" really?
No surprise. Everyone always thinks that scaling is easy, and then spends months dealing with a long series of choke points and cache overflows. This is bearable if you can scale slowly, but not if all the traffic is dumped on you from day one.
The question is, will it still suck in three months? Will their IT folks learn?
The scaling part was easy. They slapped in some blades and expanded the cluster.
What they goofed on was capacity planning. The Navy stopped using their CHART system and shifted over to using USAJobs. I think some other agencies standardized on using USAJobs at the same time as well. So the sheer number of job listings went way up. Doubling the listings translates into much more than double the site visits.
All it is is data mining packets from Skype nodes and comparing them to open torrent peer lists. This is not really surprising or scary to me. There are other 'researchers' who can link a lot more data to you than this.
All the better reason to lock down your wireless network.
I have mine unlocked, thank you. I have a Netopia Wireless router which advertises two SSIDs. One is wide open for visitors and only has access to the internet. The other SSID can access both my internal network and the internet. This avoids my daughter's friends having to ask what the password is every time they visit, and gives me some plausible deniability if I ever get questioned.
Skype quality is extremely dependent on hardware and room acoustics. If we can compress, stream, and decode MP3s in real time, the technology is likely not the problem. Instead, I think people simply are unwilling to pay real money for a simple microphone. However, a lot of nicer webcams seem to come with very nice mics.
Except we can buffer the MP3 stream to smooth out latency, jitter, packets arriving out of order, and retransmit dropped packets if need be. You can't do that with Voice over IP, as adding more than about 1/2-second.2 seconds latency is very noticeable.
http://www.voip-news.com/faq/voip-service-level-faq/
I'm assuming you weren't very close to the project, seeing as there is no QNX 5.
Assuming the code was actually from QNX 4, I don't know why you expected it to be a simple recompile. QNX 6 was a completely new operating system rewritten from the ground up. Just imagine getting your old Mac OS9 programs to compile for OSX.
You're right, I think it was QNX4. I try to distance myself from that project given how over budget and way past schedule they are, but I keep getting asked to help with basic problems like networking. They really got in over their heads with the assumption that they could just upgrade QNX. I think they were envisioning more of a Windows 2000 to XP kind of upgrade. It didn't help that vendors kept claiming they had drivers for the hardware - the team wasted lots of time rewriting and debugging drivers instead of porting the actual software.
I last booted QNX something like 10 years ago... back then it was realtime, Unix-based (I think?), and relatively promising. I remember it was even more responsive than Linux (which was more responsive than Windows).
The software, called BlackBerry BBX, bridges RIM’s current BlackBerry operating system and its newer QNX platform, co-Chief Executive Officer Mike Lazaridis said today. That should remove developer “roadblocks” and make it easier for them to build applications for RIM. Lazaridis didn’t say when the new BBX program will be available.
Anyone have experience programming for QNX? If it's "just another unix" shouldn't porting to it be straightforward?
Yes and no; it's an obfuscated, obtuse set of APIs to program against. We can't even get stuff that worked in QNX 5 to compile under QNX 6. Two years ago one of the teams decided to upgrade an existing system that ran QNX 5 and some proprietary hardware. They just planned an OS upgrade to QNX 6 and swapping a few of the specialty cards out. It still doesn't work two years later. We could have ported the code over to Linux and been done a year ago. It really didn't help that mid-stream they got bought out and they started demanding money for support and licenses.
If RIM wants something stable, fast, and compiles fairly small then perhaps QNX is the way to go. They certainly won't get any outside developers to write software for them.
Serial numbers can be checked on the Apple web site. I'm not saying this is foolproof, but instead of sitting on your thumbs and feeling sorry for yourself, why not look on eBay and Craigslist to see if you get lucky?
How often does an eBay post include the serial number? It sure as hell won't be listed as "Stolen Macbook Pro ... lulz". How are you supposed to know that any MBP from Vancouver is the stolen one? It's not exactly Mayberry. There are nearly 580,000 people in the city and over two million in the metro area. I'm sure some other MBPs exist there.
They usually post the model number, a description, and typically a picture. Just search eBay based on the screen size and/or model, plus location of seller. Searching for Mac Book Pro within 50 miles of Vancouver, WA turned up 14. Searching within 50 miles of Vancouver, BC was 7. Obviously if it was posted prior to being stolen you can skip that one. Then just ask the sellers for the serial number as you want to check if it's still under Apple warranty.
It would have to be a very carefully calibrated fiber. Photons travel slower in fibers than in a vacuum, so you'd need to measure that speed very accurately.
It'll be long gone in a week. You looked for it on eBay yet? Check the local pawn shops too. If you find it at the pawn shop, they sometimes require the person hocking it to show ID (in case the merchandise is stolen), at which point you can call the cops. Whether they force the pawn shop to give you the stolen merchandise back is another issue.
There is NFSv4 with RPCSEC_GSS support. I never actually got it to work, nor have I read of anyone successfully getting it to work with a Windows client. Personally, the Unix user-group-world permissions are very limited and pale in comparison to the fine-grained permissions and inheritance that you can do under Windows. Sure you have the extended attributes under ext3, but Linux doesn't expose them very well (need to set via command line) and there still is no means of changing them via file sharing. Perhaps Samba can start focusing on getting permissions to work smoothly between Windows and Linux?
They can't simply look at their server logs and see what pages were served up to his IP address?
You might also want to read the law before you accuse them of being ignorant of it. They are absolutely correct that his actions violate the law. I doubt the police will pursue it unless there is some malicious intent shown.
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html
568 accounts to be exact.
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf
Try clicking a few of the links in TFA next time. Or were you surprised that the summary actually included more than just a paraphrasing of the original article?
If you find a vulnerability, disclose it. Publicly.
And yes, I work in Information Security. Vulnerability Management even. Go figure.
At least be ethical and anonymously tell the company first and give them a chance to fix it themselves. If they ignore it, then consider a public announcement. Otherwise you're no better than the criminals, legally or ethically.
I still run into Unix and Linux admins who don't understand how NFS (non-)authentication works. It's a retarded system that blindly trusts the user to state their identity and group membership (uid/gid) and there are no credentials involved at all. These guys usually have no_root_squash enabled, which makes it even worse.
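To make the two NFS points above concrete (the AUTH_SYS trust model described here, and NFSv4 with RPCSEC_GSS as the credentialed alternative mentioned earlier), here is an added example that is not from any commenter: a small auditor that parses a constructed /etc/exports, flags client specs that accept sec=sys or grant no_root_squash, and renders the hardened sec=krb5p form. The helper names and the sample exports are hypothetical.

```python
# Added example, not from the thread: audit /etc/exports for exports that
# still rely on AUTH_SYS (sec=sys) or grant no_root_squash, and show the
# hardened form using RPCSEC_GSS (sec=krb5p).  Helper names are hypothetical.
import re
from dataclasses import dataclass, field

# Constructed sample exports file for the demonstration (not a real host's).
SAMPLE_EXPORTS = """
# constructed sample
/srv/share   192.168.1.0/24(rw,sync,no_root_squash)
/home        *(rw,sync)
/secure      10.0.0.5(rw,sec=krb5p)   10.0.0.6(rw,sec=krb5p:sys)
"""

EXPORT_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_SPEC = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")
GSS_FLAVOURS = {"krb5", "krb5i", "krb5p"}  # RPCSEC_GSS: real credentials


@dataclass
class Finding:
    path: str
    host: str
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, host, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = EXPORT_LINE.match(line) if line else None
        if not m:
            continue
        for spec in CLIENT_SPEC.finditer(m.group("clients")):
            opts = {}
            for item in (spec.group("opts") or "").split(","):
                item = item.strip()
                if item:
                    key, _, value = item.partition("=")
                    opts[key] = value or True   # flag options map to True
            yield m.group("path"), spec.group("host"), opts


def sec_flavours(opts):
    """Security flavours accepted by this export; exportfs defaults to sec=sys."""
    sec = opts.get("sec", "sys")
    return set(sec.split(":")) if sec is not True else {"sys"}


def audit_exports(text):
    """Return one Finding per client spec that trusts client-asserted identity."""
    findings = []
    for path, host, opts in parse_exports(text):
        issues = []
        if "sys" in sec_flavours(opts):
            issues.append("accepts sec=sys (AUTH_SYS): server trusts whatever uid/gid the client claims")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: a client's root becomes root on the server")
        if host.startswith("*"):
            issues.append("exported to any host matching " + host)
        if issues:
            findings.append(Finding(path, host, issues))
    return findings


def harden_spec(opts):
    """Hardened option set: require RPCSEC_GSS with privacy, always squash root."""
    hardened = {k: v for k, v in opts.items() if k != "no_root_squash"}
    hardened["sec"] = "krb5p"
    hardened["root_squash"] = True
    return hardened


def format_spec(path, host, opts):
    """Render a path/host/options triple back into /etc/exports syntax."""
    rendered = ",".join(k if v is True else f"{k}={v}" for k, v in opts.items())
    return f"{path} {host}({rendered})"


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.host}")
        for issue in f.issues:
            print("   ", issue)
    weak = {"rw": True, "sync": True, "no_root_squash": True}
    print("before:", format_spec("/srv/share", "192.168.1.0/24", weak))
    print("after: ", format_spec("/srv/share", "192.168.1.0/24", harden_spec(weak)))
```

Note that sec=krb5p:sys still accepts AUTH_SYS clients, which is why the auditor checks for "sys" anywhere in the flavour list rather than only as the default.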
You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.
Would you expect to be sued for trespassing on all of your neighbours?
If you just turned the knob and didn't open the door, then no. If you entered the apartment and wrote down descriptions of their furnishings to prove you'd been there, they'd probably charge you with trespassing. No different here. He should have just reported the vulnerability instead of writing a script to download personal information from other accounts.
Under many US laws, he committed a crime. If the info he downloaded was subject to HIPAA or other regulatory laws, the company has the right to subpoena the computer he used so they can assess and properly report the information that he compromised.
Here is the link to the law which he broke:
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html
The stipulations to delete all the compromised data and a pledge to not attempt to gain unauthorized access again are pretty appropriate. The statements about reserving the right to inspect his computer or seek damages are in the letter simply to make it clear that they have not absolved him of responsibility and may want proof that he indeed deleted all the data. With all that said, I think it's silly for them to ask to access his computer to verify the data has been deleted. They have no way of knowing if he made copies or even if that's the computer he used.
I'm trying to think the motivation behind this through, and all I can think of is that they don't want to use PDF documents for paginated information because PDF doesn't let you embed ads.
This idea would certainly make web-browsing feasible on e-ink screens, where each screen redraw is painfully slow and chews up battery.
That figure is the amount that I pay for data from my colo, but that assumes that the infrastructure already exists. If you have a cable network with 100Mb/s of bandwidth, then you can sell 10Mb/s connections to 10 people. If you've sold them to 5 people, then the cost of adding another customer is basically zero. You can probably get away with selling 10Mb/s connections to 100 or even 200 people if they have typical modest usage patterns, because each one will still be able to get 10Mb/s for the short periods that they saturate the line. If they start all using the connection at the same time, then you have no choice but to increase your overall network capacity. This means laying more fibre. The cost may still be under three eurocents per gigabyte, but that's amortised over the entire life of the new cable, which may be a decade (or more): the ISP has to pay for it all up front. This is where the increase in costs comes from. They have to make significant capital investments; they don't have a significant change in their operating expenses.
Which is exactly what's happening. The ISPs are badly oversubscribed because customers in the past were barely using the bandwidth they bought. They just wanted a faster download on occasion. Now they're all demanding streaming Netflix in the evening hours and the telcos are having to increase the infrastructure bandwidth to keep up. This is especially true for cell service. You might have 4G speeds to the tower, but that tower is heavily oversubscribed.
This is really their own fault for advertising high speed service and suddenly everyone is demanding that they provide it all the time.
HBSS isn't an antivirus program, it is a network security suite that has virus scanners as an optional component (looking at Wikipedia) and is the security system I mentioned in my post. They may or may not have had antivirus software running on the individual computers. My guess is they didn't, but TFA doesn't say and I might be wrong. Generally, antivirus shouldn't have been needed on the computers, and would drain resources and/or may cause technical problems, which is why I say they probably didn't. Or the virus might not be in their signatures, which would explain the infection.
The article did say that HBSS detected it, so it is natural to assume that it was the a/v component. But you are right, technically you can run HBSS with just the other components like HIPS and run a different a/v suite. NMCI for example is using Symantec antivirus, and HBSS with HIPS for the firewalling and app locking. NMCI is working towards shifting over to the McAfee a/v suite though, since the promised support for Symantec within HBSS never materialized.
The use of HBSS is mandatory on all computers that are connected to DOD enterprise networks. It's optional, but encouraged, for isolated enclaves. Since they are running HBSS, then it's safe to assume all those systems are probably networked together, as the only feasible way to run the HBSS framework is using the central management server.
Once again, these computers did have antivirus. It was even mentioned in the /. post that they were running McAfee HBSS.
First, you're assuming the article is quoting someone other than the end-user who is simply following a procedure. Second, why destroy hardware? They tried a standard response for this virus, it didn't work, so they bc-wiped the drive and reinstalled from the standard install image. Where is the problem? How is this any different than what you, I, or any typical corporate environment would do?