Slashdot Mirror


User: pe1chl

pe1chl's activity in the archive.


Comments · 1,875

  1. security? on MS Word Zero-Day Exploit Found · · Score: 4, Informative

    As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.

    How about:
    - make sure your users don't work as administrator but under an unprivileged user account
    - setup the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
    - build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
    - setup mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead

  2. Version numbering on Novell Delivers Device Driver Breakthrough · · Score: 4, Informative

    I am a longtime SuSE Linux Professional user, and I always wondered why they change the externally-visible kernel version number for each security update.
    This makes binary and externally compiled drivers (including nvidia and vmware drivers that I use) break on every kernel update, and probably unnecessarily. The chances that anything changes to the driver interface because of a security patch are probably very slim, and they could always change the version in case a major change is made.

    But now, it is just an annoyance. I need to install their patch, reboot into textmode, re-make the vmware and nvidia drivers, and again reboot to go back to fully functional operation. And I know how to do this. A beginning user is happy to finally have such an install/compile procedure behind him, and not at all happy to see the whole thing break after YOU installed a kernel patch.

    (not to mention the fact that it can take him quite some time to find out that the kernel patch is the reason, and how to fix it)

  3. Re:Microsoft's version of NTP on Computer Network Time Synchronization · · Score: 1

    There is no real difference in the protocol. SNTP is just the use of a subset of the NTP protocol in a naive way to step-adjust an independently running system clock. Fine to get wristwatch time on your PC, fine to get a time reference for Kerberos. That is what they use it for.

    To get submillisecond accuracy you need the real thing: NTP with PLL control of the clock. I have not seen XP do that, I don't know 2003.

  4. Re:Microsoft's version of NTP on Computer Network Time Synchronization · · Score: 4, Informative

    Microsoft did not implement NTP. They first needed it to be simplified to "SNTP", which essentially is what they always did: send a query, receive the result, and put the timestamp in that result in the clock.
    A full NTP implementation includes a PLL that locks the clock to the consecutive incoming timestamps. This filters out jitter and ensures that the system knows about the inaccuracy of the clock oscillator. It uses this information during the intervals between incoming timestamps.

    So, an NTP-controlled system smoothly advances time staying as close to real time as possible, while a Microsoft system has a sawtooth pattern and may even step the clock backward when a query happens to be delayed in the network.
    Don't use SNTP outside of a LAN.
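
The step-versus-discipline contrast from the comment above, as an added simulation that is not part of the original comment and is not ntpd's algorithm: a simple proportional-integral loop stands in for the PLL. The 50 ppm drift, 64 s poll interval, loop gains and delay values are constructed assumptions.

```python
POLL = 64.0        # seconds between queries (assumed)
DRIFT = -50e-6     # constructed oscillator error: clock runs 50 ppm slow
KP = 0.25 / POLL   # proportional (phase) gain, per second (assumed)
KI = 0.02 / POLL   # integral (frequency) gain, per second (assumed)


def sample_delays(n=160, normal=0.001, spike_at=100, spike=0.020):
    """Constructed one-way reply delays: 1 ms, with a single 20 ms outlier."""
    return [spike if i == spike_at else normal for i in range(n)]


def simulate(delays, mode):
    """Return (errors, worst_backward_step, freq_estimate).

    errors[i] is local-minus-true time just before poll i is processed.
    mode "sntp" copies the received timestamp into the clock;
    mode "pll" only adjusts the clock rate.
    """
    true_t = local = 0.0
    freq = rate = 0.0
    errors, worst_back = [], 0.0
    for d in delays:
        true_t += POLL
        local += POLL * (1.0 + DRIFT + rate)   # clock runs on between polls
        errors.append(local - true_t)
        server_ts = true_t - d                 # stamp is d seconds old on arrival
        offset = server_ts - local
        if mode == "sntp":
            # A late reply carries a stale stamp; copying it moves time backward.
            worst_back = max(worst_back, local - server_ts)
            local = server_ts
        else:
            freq += KI * offset                # learn the oscillator error
            rate = freq + KP * offset          # slew toward the stamp, never step
    return errors, worst_back, freq


if __name__ == "__main__":
    delays = sample_delays()
    for mode in ("sntp", "pll"):
        errors, back, freq = simulate(delays, mode)
        settled = max(abs(e) for e in errors[90:])
        print(f"{mode}: worst backward step {back * 1e3:.1f} ms, "
              f"worst settled error {settled * 1e3:.1f} ms, "
              f"frequency estimate {freq * 1e6:.1f} ppm")
```

The disciplined clock takes several polls to lock in, so the comparison uses the settled part of the run; a backward step is the case that disturbs log ordering and timestamp comparisons.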

  5. Re:I've always wondered... on Computer Network Time Synchronization · · Score: 1

    A leap second was inserted on Dec 31, 2005, but the last one before that was on Dec 31, 1998.

    Not really what I would call "roughly every year"...

  6. Re:NTP is great, except if you need it in Windows on Computer Network Time Synchronization · · Score: 2, Informative

    Common PC hardware can't keep a clock within this accuracy

    Why not? You must be thinking about the CMOS clock?
    Current PC hardware has high-resolution timers that can be synchronized to within microseconds using NTP.

  7. Re:scope of bug... on Critical Flaw Found in VNC 4.1 · · Score: 1

    *VNC works on the login screen when you install it as a service.

    During workstation installs, we install it as a service but then later set that service to "Manual". You can then remotely start the service after the system has booted (via Manage and Connect remote computer) and take over the login screen.

    TightVNC has a bug here: it disconnects when you login. But it remains active so you can connect again and see the logged-in desktop.
    Other versions remain connected through the login processing.

  8. Re:encrypted wireless? on Critical Flaw Found in VNC 4.1 · · Score: 1

    You are obviously a beginner. Calling other people stupid because they express concerns about basic security issues, and then referring to GRC to make some point, really shows it.
    I congratulate you with your belief in WPA and AES. But I expect that you considered WEP the same way before it turned out to be not so secure.
    And you completely disregard the fact that even a strong protocol can be weakened by its implementation. The firmware in the access point might have a bug that enables outsiders to circumvent the WPA using external attacks. When you think that is stupid or ridiculous, you clearly haven't seen anything in the network security world. And you are even posting it in a thread where an application proves to be vulnerable to just such an attack.

    When you have learned a bit more, you will know that cracking the encryption algorithm is usually not the only way to attack a system protected by encryption, especially not when it was designed, implemented or is being used by humans.

    What do you know about point-to-point wireless links? Not much, obviously. You are thinking that the MAC addresses we are discussing here are card addresses on the LAN, which is obviously something completely different. And even then, you again and again fail to recognize the situation where an attacker might copy the MAC of one of the stations, but then finds himself on the same channel with the rightful owner of the MAC.
    This probably will result in extra difficulties. That is what I wanted to ask about. But you obviously are not the correct person to ask.

  9. Re:scope of bug... on Critical Flaw Found in VNC 4.1 · · Score: 1

    Yes, it is installed.
    My experience is that the "poll full screen (ultrafast)" mode can use a lot of cpu in certain cases. Not always. I have not really identified the exact problem.
    So we usually do not enable this. Then it works satisfactorily in other versions, but in UltraVNC there often is a quite long lag before updates are shown when there is no user action.

    I need to spend some time to really debug this, because "it is slow" comments from users are often difficult to interpret. Sometimes it is slow because it uses too much CPU (can be seen in taskmanager), but other times it just seems slow because it does not send the update.

  10. Re:encrypted wireless? on Critical Flaw Found in VNC 4.1 · · Score: 1

    I think this contradicts what you said earlier.

    My original question was: would MAC address filtering on a point-to-point link that is ON all the time prevent anyone to connect because the duplicate MAC would cause trouble. You said yes, I think so.

    I see this as similar to having two boxes with the same address on a wired LAN. Sure someone can change his MAC and IP address and be an imposter on a (supposedly non-switched) LAN, but he will not be accomplishing too much as all TCP connects he is trying to make will be fiercely rejected by the other system (RST replies to all established-state TCP packets that the system does not know about).

    I was wondering if a similar thing would go on in a wireless access point. When the two endpoints identify each other by their MAC, and use this in a similar way to TCP, it would be impossible to join with a new station with the same MAC because any exchanges between the access point and that station would also be received by the legitimate other side, and would result in connection resets, frame rejects, or whatever is appropriate for the linklevel protocol.
    This would make it impractical to connect because there is only one allowed MAC and that MAC is defended by the other side of the link. The damage would be limited to a DOS.

    You may think that this is ridiculous, but you don't consider the possibility that the entire WPA layer could maybe be disabled because of some still unknown problem in either the protocol or its implementation in certain devices, just like the issue with the VNC server that the parent thread is discussing.
    At that point, an additional layer like MAC address filtering could save your system.

  11. Re:encrypted wireless? on Critical Flaw Found in VNC 4.1 · · Score: 1

    I believe in multiple layers of security. Of course there is WPA encryption (using the AES algorithm and a long key generated by /dev/random), but I like the idea of having those two boxes just linking to another and to nothing else. When MAC filtering offers that additional security that is nice. I am not turning off all security options but one, just because that one option is supposed to cover everything and thus all other options are not required.

    In fact, it is security-wise much more important that nobody can gain access to this link and have bidirectional communication with the LAN behind it, than that someone might be able to snoop the traffic going across. And I think that will be the case in a vast majority of situations.

  12. Re:scope of bug... on Critical Flaw Found in VNC 4.1 · · Score: 4, Interesting

    Our experience with *VNC has been that "better" is often subjective.
    We used the original VNC for quite a while then switched to TightVNC. It seemed "better", but on the Windows platform there were some situations where it had difficulty finding the need to redraw certain screen areas.
    (I am of course assuming that the 'poll full screen' option is not used, but limited areas of the screen are polled)
    Sometimes a click on a window bar is needed to refresh that window, sometimes it is enough to move the mouse around a little.
    The ancient version did allow you to refresh the screen by "painting" the area with the mouse cursor, but TightVNC usually refreshes an entire updated area when it is moved over by the mouse.

    However, as there still were apps which did not work entirely satisfactorily (especially when extensive use was made of tooltips), we kept looking and it seemed that UltraVNC was promising. It was installed on a few systems and it worked ok, then rolled out to a lot of systems.
    Now, problems again appear, but in other situations.
    Sometimes it delays refreshing a bit long, and shortening the timer increases the CPU usage too much.
    Using the special video driver improves things a little, but it has proven difficult to find a really well-working setup that does not have annoying lag and does not overload the system either.
    On one system it was even replaced by RealVNC because of system load issues.

    Fortunately all those servers and clients inter-operate, or else there would be a big mess by now.
    (also, we fortunately can automatically and silently install new or other versions on at least the client systems, so switching is not too hard)

    I wonder what other people's experiences are. I don't define "better" as "having more toolbar buttons" or "having more added options like file transfer", but I am still looking for a better VNC in terms of good interactive performance without overloading the server system.

  13. Re:encrypted wireless? on Critical Flaw Found in VNC 4.1 · · Score: 1

    When I have a point-to-point link, where both sides have MAC filtering to allow only the other side's MAC, and both sides are always powered on, will MAC filtering prevent others to connect?
    I mean, will the duplicate MAC mean that just everything refuses to work (limiting the damage to a DOS) or is it possible to connect two stations with the same MAC and still have useful two-way communication?

  14. Re:UK don't get BBC World?... on FOSS documentary on BBC World · · Score: 1

    Remember that most sat dish owners in the UK will have pointed their dish at Astra2 (28.2 East).
    BBC World is not available there.

    But this is not all that unusual. Here in the Netherlands there is a similar channel (BVN) that is available on Astra, Hotbird and other satellites all over the world but cannot be received on cable or terrestrial DVB.
    About the only difference is that satellite dish owners here usually have their dish pointed at Astra1 at 19.2 East so they can receive BVN.

  15. Re:The solution of coruse, is... on Are Spam Blockers Too Strict? · · Score: 1

    Spammers do not know your system is blocking them

    Have you ever seen any effect of spammers knowing you are blocking them?

    I have operated spamfiltering that refuses mail during the SMTP mail from/rcpt to phase and also at the end of the data phase, and I never noticed that it decreased the amount of similar spam. For example, I receive 5-10 messages a day stating that I won a lottery or have a rich Nigerian relative that passed away, and each of them is being refused at the end of the dataphase. The number of messages has not decreased. I think my address is on a CD-ROM, and refusing messages is not going to erase it from there.

    Even mailinglists are usually run unmonitored these days. At work, I notice that whenever someone leaves and the mail address is deleted, daily or weekly mail message delivery attempts from all kinds of mailinglists can continue for months (getting 550 errors every time) until I try to do something about it. Almost no one removes mailing list subscribers because of 550 errors anymore. Often the envelope sender address does not even exist.

  16. Re:My experience on Are Spam Blockers Too Strict? · · Score: 1

    I fully agree with this. I administer a mail system for a few hundred users at work, and SpamAssassin does a very good job.

    The only false positives I ever see are from users who send empty messages with no subject (only an attached document) from home to work, using a hotmail address. Because we get a lot of 419 spam sent from hotmail throwaway accounts, the bayes filter tends to learn that hotmail == spam, and the extra points from empty subject sometimes cause a false positive.

    Normally formatted mail from outside users almost never gets caught in the spamfilter.

  17. Re:Start using SPF already on Are Spam Blockers Too Strict? · · Score: 1

    I am not in the USA. As far as I know, I have never sent a mail to an AOL user.
    But I have a domain name that has been added to a joejobber's list years ago. It is abused to send lots of SPAM, mainly in Russian language.
    This is the domain for which I have the TXT record now. But it still is not usable anymore, I have been forced to abandon this name.
    (there is an A record that points to an unreachable address, and no MX record. as soon as I enter an MX record, bounces come in at a high rate)

    Having an SPF record apparently does not make joejobbers remove the address from their list. This makes me believe that SPF does not make a notable dent in the amount of SPAM accepted by mailservers, or else they would wash their source address lists.

    The other two DNS services I use are for .nl domains at work. I prefer to register the names at locally well-known companies.

  18. Re:Start using SPF already on Are Spam Blockers Too Strict? · · Score: 1

    I am using 3 different domain registration services that include DNS service. All of them offer a method to remotely edit the zone contents.
    None of them offer the possibility to insert TXT records using the remote editor.

    This severely limits the usefulness of SPF.

    I have no idea why TXT records are not supported. Queries about it to the people offering the service either result in no reply or some "we'll put it on the wishlist but it is low priority" (and it still is on the list after two years).
    On one of the services I got a TXT record inserted on request (which I can't edit myself) because a name is used very frequently for spoofed source addresses. It has not resulted in a noticeable decrease in false bounces.

    I think SPF is just one of those "it only works when everybody uses it" approaches... and most people aren't in the position to implement it.

  19. Re:Surely just for yanks?! on FCC Affirms VoIP Must Allow Snooping · · Score: 1

    There are already many other western countries that want to implement such laws, or already have.

    It is very apparent that this "freedom" thing wears off very quickly. Twenty years ago, the governments that now want to listen-in on everything were pointing at the communist world and telling us how bad the situation was over there.
    Citizens would be monitored by the STASI and nobody was able to move in freedom. You could not go on the street without your Ausweis.
    How bad were those communist governments made out to be, and how good was the western world where everyone was free.

    Turns out that this freedom only was an excuse for the government to get support for the cold war. The communists had to be kept away, and freedom was the candy to give to the citizens.

    Now that there are other (presumed) threats to the western world, and freedom does not fit in the plan as well as it did during the cold war, the whole thing is discarded in a moment. Why do you worry about being tapped when you are not a terrorist? Why do you oppose against wearing an ID at all times? Freedom is no longer convenient to the men in power, and it is now simply taken away from us.

  20. Re:Just use 11a, if you can on Wi-Fi Routers - The Differences for Each Region? · · Score: 1

    DFS is no fun... after you have carefully determined the channel with the lowest background noise level and enjoyed good communication for days, a sudden spike of interference (lightning?) makes the AP jump to another channel. This might be a noisy, busy channel, but the AP will stay there until it gets another spike, which may take days.

    This probably is implementation-dependent. It could be a good thing when the AP attempts to go back to the selected channel after some time, and/or a number of channels could be manually locked out from use by DFS.

    At work I run a point-to-point link between two buildings about 400m apart (a quarter mile), and I had some quite interesting experiences.
    Of course, as a ham I know a bit better what I am doing than the average consumer would, but the effect of antenna position and trees along the path still surprised me.

  21. Re:don't screw around on Wi-Fi Routers - The Differences for Each Region? · · Score: 1

    You are lucky to have a ham band interference problem at all!
    Here in the Netherlands, we lost the top (2400-2450) part of 13cm last year, to protect those poor accesspoint owners that were trampled by the hundreds of watts ERP the hams were allowed to transmit there :-(

    6cm will probably be next. Some of the 802.11a channels are in the ham band as well.

  22. Re:Market Decides = Consumers Screwed on Blu-Ray/HD-DVD Talks End · · Score: 1

    I have a 1TB disk array and a 6 Mbps Internet connection.
    Downloading DVD images from the ISP's news server is easy and fast. Could easily download 2-3 per day if I wanted. 1 HD-DVD should be no problem.
    The ISP also provides streaming media servers and IP TV.

    When 1TB IDE disks become the norm, 1-5TB capacity in a media center should be feasible.
    Welcome to the future!

  23. Re:Market Decides = Consumers Screwed on Blu-Ray/HD-DVD Talks End · · Score: 1

    I prefer a 1TB disk array over a stack of 100 DVDs anytime.
    No more large storage cabinets, no more sifting through piles of discs, all your data in a small box, accessible from the remote control.
    1TB will be a single drive soon, anyway.

    Downloading 10GB isn't really a problem anymore either, as long as it is cached at the ISP.

  24. Why not an independently installed program? on Microsoft Offers Phone Support For IE 7 · · Score: 1

    What I don't get is why this beta version of MSIE does not install as an independent program that still leaves the previous MSIE version accessible.

    Who wants to try a beta test program that completely wipes (or better: hides) the stable version?
    How are we supposed to check websites, modify them to work on MSIE 7, and still test for compatibility with MSIE 6?

    It is not like it is completely impossible. You can quite easily install a .local version of MSIE 7, and it runs, but it fails in some small but critical areas (like the evaluation of [if lt IE 7] conditional comments). It should be possible to compile a version that can be used for a betatest and does not disturb the installed browser.

    Maybe the reason for offering phone support is the large number of users that would not install a beta version over a stable version when it is unsupported?

  25. Re:Are you in the right? on Verizon's Aggressive New Spam Filter Causing Problems · · Score: 1

    With sendmail, there is the "GreetPause" feature. However, it implements only the simplest check (making sure that nothing is received before a single-line greeting message). This blocks open-proxy abusers and the simplest of SPAM mailers (those that connect and fire a batch of SMTP commands and the mail data without checking responses), but the typical botnet spam software usually knows about it and works around it.
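
The simple pre-greeting check described in the comment above, as an added sketch that is not part of the original comment and is not sendmail's code: the server holds back its banner and refuses a client that sends anything first. The banner text, the reject text, the host names and the 0.2 s pause are constructed, and a local socket pair replaces the network.

```python
import select
import socket

GREETING = b"220 mx.example.test ESMTP\r\n"               # constructed banner
REJECT = b"554 5.7.1 commands sent before greeting\r\n"   # constructed reply


def greet_pause(conn, pause_seconds):
    """Delay the banner; return (accepted, bytes_seen_before_greeting)."""
    readable, _, _ = select.select([conn], [], [], pause_seconds)
    if readable:
        early = conn.recv(4096)
        if early:                     # peer talked first: refuse the session
            conn.sendall(REJECT)
        return False, early           # b"" means the peer hung up while waiting
    conn.sendall(GREETING)            # silence during the pause: greet normally
    return True, b""


def run_client(talks_first, pause_seconds=0.2):
    """Drive one constructed client against greet_pause over a socket pair."""
    server, client = socket.socketpair()
    try:
        if talks_first:
            # Fires its commands without reading any response.
            client.sendall(b"HELO bulk.example.test\r\n"
                           b"MAIL FROM:<x@example.test>\r\n")
        accepted, early = greet_pause(server, pause_seconds)
        reply = client.recv(4096)
        return accepted, early, reply
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for label, talks_first in (("talks first", True), ("waits for 220", False)):
        accepted, early, reply = run_client(talks_first)
        print(f"{label}: accepted={accepted} early={early!r} reply={reply!r}")
```

A client that waits for the 220 line passes this check whatever it sends afterwards, which is the limit of the simple check that the comment points out.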