Any sort of password/crypto cracking - using a brute-force search of the entire keyspace - parallelises very easily. See distributed.net for example.
'Share and Enjoy' isn't Microsoft's company song, but it could be.
Share and Enjoy
Share and Enjoy
Journey through life
With a plastic boy
Or Girl by your side
Let your pal be your guide
And when it breaks down
Or starts to annoy
Or grinds when it moves
And gives you no joy
Cos it's eaten your hat
Or had sex with your cat
Bled oil on your floor
Or ripped off your door
You get to the point
You can't stand any more
Bring it to us, we won't give a fig
We'll tell you, 'Go stick your head in a pig'.
"Seattle ranks 44th among US cities for rainfall with an average yearly rainfall of 36.2 inches (92 cm)."
Cardiff, UK: 1,065mm (41.9 inches).
Palmerston North, New Zealand. Annual rainfall is 963mm.
Wet is more than 2 metres/year. Quit whining.
I *am* the best - that's why they haven't found my scripts.
Seriously, someone accidentally deleted /vmunix and /genvmunix on one of our DEC boxes. Works fine until you reboot. Did I mention it was at a remote site?
Ok, I'll admit I had to look at the parent to see WHICH bible-thumping lunatic you were talking about.
There is *everything* wrong with creating a standard user account upload with a password of upload and enabling ssh access. The guys had made no attempt to set up an account for uploading only.
...wanting to know why the hell anyone is still using NetSol.
The protocol is fine. It's the lusers who set up accounts like upload/upload and forget about them that are the problem.
Next election we can return a Labour government who will get rid of all this ID card silliness. Oh, wait...
That's right - when you order a pint of Bud in the US, you're in for a double disappointment.
NT SP4 trashed disk performance, and SP6 killed Lotus Notes[1]. Windows 2000 SP4 killed our domain controllers. Beware of even numbered service packs.
[1] Ok, some would see this as a feature.
Vista is the most secure OS at the moment, because no bugger wants to run it.
(Typing this from my dual boot ubuntu/vista laptop that spends all its time in ubuntu)
Exactly! And it was endorsed by subversive organisations such as the United Kingdom's Ministry of Defence. Bunch of pansy, bed-wetting, bleeding-heart liberals.
Maybe if y'all would stop plugging in Linksys wireless access points which think they know better than our DHCP servers, asking for access to data on a server that's been turned off for six months and installing viruses via the no-click virus installation engine (formerly known as Internet Explorer 6) then we could get on with fixing the infrastructure instead of firefighting the whole damn time.
Just sayin', that's all.
Huh? HUH?
There's already the Ottawa Treaty, signed by most countries of the world - http://en.wikipedia.org/wiki/Ottawa_Treaty. (Prominent non-signatories are India, Russia, China and the US. I'm shocked, shocked I say.)
Has anyone seen them in the same room together?
Rule #94 - just because something is a very bad idea, doesn't mean there isn't an implementation of it for GNU Emacs.
http://en.wiktionary.org/wiki/Luser_Attitude_Readjustment_Tool. LART early, LART often.
You're right, in that you should ideally use distinct public and private views. If a machine is internal-only, it doesn't go in the public view of DNS.
I say disable it, because a) Cricket Liu says so, and he knows what he's talking about, and b) because it's one of the first things I do when I'm performing a pen-test. There's often a heap of useful (to an attacker) info in there, that can be turned off with two minutes of your time as an admin.
Well, really you should have public and private views and not include internal-only machines in the DNS view you offer to the public. That stops people doing a reverse-lookup against every IP you own.
(And not everyone has one contiguous IP block - so the attacker has to find them all to start with.)
Good question though. Can I ask in return, do you give out your organisation's phone book to people? Hackers can also build a mapping of phone numbers to people, but why make it easy for them? If you have a /16 with 5000 active IPs, why tell people where to look? (And that's ignoring TXT, HINFO etc.)
No, it won't suit every site as is, but it's a useful default. You can always add people on a case-by-case basis.
I used to work at a site which had around 5000 devices, maybe 50 of which were facing the public internet. Yes, it did significantly help with that site. We didn't name our db servers 1 through 6 by the way - or rather 1 through thirty-something.
By the way, security through obscurity does work. It just shouldn't be relied on as your only defence. (e.g. changing your SSH port to other than 22/tcp will cut down on the number of people trying to brute-force their way in. I do this *as well as* insisting on strong passwords.)
If your accounts server is called fin-vms1, and is only used internally, why advertise its existence to the internet?
If your server is handing out zones to anyone and everyone, you might want to check you're not offering recursion to everyone as well (see allow-recursion {}; ). http://www.oreilly.com/catalog/dns4/chapter/ch11.html.
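The DNS comments above make three separate points: keep internal-only hosts out of the view the public sees, refuse zone transfers to anyone who isn't your secondary, and don't offer recursion to the whole internet. The BIND `named.conf` below is an added example that ties them together; it is not from any of the posters, and the zone name `example.com`, the `10.0.0.0/8` internal range, the secondary at `192.0.2.53` and the zone file paths are all assumed placeholders.

```conf
// Added example, not from the comments above. Zone name, address
// ranges and file paths are assumed placeholders.

acl internal {
    127.0.0.0/8;
    10.0.0.0/8;          // assumed internal address range
};

acl secondaries {
    192.0.2.53;          // assumed secondary nameserver
};

options {
    directory "/var/named";
    recursion yes;
    // Default for every view: no zone transfers, recursion only for us.
    allow-transfer { none; };
    allow-recursion { internal; };
};

// Internal clients see the whole zone (fin-vms1 and friends) and may recurse.
// Views are matched in order, so this one must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // all ~5000 hosts
        allow-transfer { secondaries; };
    };

    zone "0.10.in-addr.arpa" {
        type master;
        file "internal/10.0.rev.zone";      // reverse map stays internal
        allow-transfer { secondaries; };
    };
};

// Everyone else sees only the public hosts, cannot recurse, and
// cannot pull the zone (no reverse zone is published here at all).
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // the ~50 public-facing hosts
        allow-transfer { secondaries; };
    };
};
```

Run `named-checkconf` on the result before reloading. To confirm the external view behaves, query the server from an outside address: an `AXFR` request for the zone should come back refused, a lookup for an internal-only name should return NXDOMAIN, and a recursive query for a name you don't serve should be refused rather than answered.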