Good point, and I agree with your post, but I think it goes deeper than that. Here we have two big internet engines (Google and Slashdot) piling hits on small research servers that can't take them.
Think even bigger. This is from a fellow in the anti-spam community who can be kind of... strident... but he makes some good points:
ISPs are selling more than they can directly provide. They're selling the good will (read "routing") of millions of other networks. Their reputation for cooperation and regard for those networks IS their product.
Those are reasonably good descriptions, but you don't need port knocking for this. Just stuff the key in the SYN packet. Don't accept if it doesn't have the magic word. Same effect, no magic cookie, no open port. This only yields to latency analysis, which isn't reliable over anything but a local LAN.
The only advantage of portknocking is that it's a hack that's doable in userspace without a modified net stack (you may be able to fashion raw packets, but good luck reading them). But enabling the userspace hack would mean poking so many holes in your firewall that you'd degrade the security of the system that you're trying to lock down with this hack.
I'd file it under "another cute perl hack".
I'd really like to use and support an Open Source removal tool - I want to see the source, etc. - in my co.'s environment. Is there such an animal?
No, but there are open source virus scanners. Spyware is just a different type of malware that any virus scanner should be able to handle. You just need the definition files.
If you want to get clever, you could reverse-engineer Spybot or Ad-Aware's definition file format... Seems a little bit like leeching tho.
> So am I missing something dramatically new here?
Those people paid for their pizza.
That good will, or perhaps better phrased "good faith" really becomes a commodity when it comes to peering arrangements. No one company can bring you the whole global reach of the internet without having their traffic carried by their competitors, in return for carrying their traffic. The arrangements for this peering are often ad-hoc, but when the sides are mismatched, they can be secret, penalizing, and even abusive. When they are a match between large equals, they can resemble a cartel.
When your network spews DDOS, spam, hijacked AS announcements, and other such abuse, you generate a shitload of traffic outbound that others have to then carry for you. You hurt your own standing in peering because other networks get implicated in delivering your junk, and you hurt the cohesion of internet exchanges. You erode the trust that the internet is built on, and move it closer to something like the telco situation -- just keep in mind that there aren't as many regulations compelling ISP's to peer on equitable terms as there are for telcos.
Full dominance by a single ISP is probably unpalatable politically, but the possibility of a duopoly or a small oligopoly dominating the world ISP market is much closer than you might think. Irresponsible management is just one way to accelerate that trend, because any regulations that come about through legislation or fiat from network providers are damn sure not going to benefit the little guy.
... when a planet stops being a young planet. It starts getting thick around the middle.
Good explanation of inheritance behavior severoon. It bears noting that C++ behaves this way as well. I'm not certain whether C++ allows you to define a cast operator to get around this (I think those are only for primitives), though you can certainly define a constructor. In Java, you'll need to write your own conversions. Usually this is a good thing, and if you really need common behavior, you should still be able to use an interface -- that's what it's there for.
What, exactly, is wrong with the `make it computationally expensive to send email` solution Microsoft and others have proposed?
The fact that spammers have mastered distributed computing by using millions of zombie machines to send email. You add a little latency to each one of those while you basically shut down a legitimate mailing list or just a busy outMX that doesn't steal everyone else's resources.
In fact, widespread deployment of this scheme would increase the volume of spam relative to legitimate mail.
"Me Too" for TA. Smooth fluid animation, dozens of units, an intuitive control system, an expandable and hackable system, and my god the awesome music... Nothing quite like seeing hundreds of twisted burnt metal wrecks amidst the scorched landscape after a fierce battle while the Mahler-esque orchestra blares bombastically. Starcraft had nothing on TA.
I'd call it a tie with Myth.
You know this is one of the better descriptions of portage/Gentoo I have heard. If I had the time/resources I would re-write portage using a better language and more sane feature set.
Like a language designed to calculate and traverse production rule dependencies with the ability to call arbitrary shell commands on those dependencies? Good enough for more than 10,000 ports.
All right, it's far from perfect, but for what it's designed to do, it's ideal. Maybe if there was an implementation of ant in C...
Whenever a URL with an "xxx[:yyy]@" prefix is clicked or entered, why couldn't they pop up a login dialog box, specifying the name of the site (WITHOUT the xxx[:yyy]@ prefix), filling in the user name and password (i.e. the "xxx" and "yyy" in the appropriate fields), and asking for confirmation of the site to be visited ?
Because that wouldn't protect very well against domains that look similar, nor would it matter to the legions of users that click "yes" on every dialog that comes about.
Of course I don't know of any technical fix that protects against attacks from similar looking domains.
Or at least allow a configurable option such as "Disallow username/password in URLs / Prompt with Dialog Box / Allow" (with the default set to Disallow).
Because that would be sensible, and in line with the rest of the "Advanced" security options, which would let home users set policy, allow policy to be pushed (and locked) from a domain controller, and allow per-zone exceptions so you could specifically trust some sites with the full url scheme. In other words, it would make too much sense, and Microsoft is ever quick to ensure that no good underlying technology of theirs escapes being crippled by dumb, insecure, and inconsistent shells.
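The "Disallow / Prompt / Allow" policy proposed in this thread, as an added example that is not part of any post above. It uses the standard library's URL splitter to separate the decoy text before the "@" from the host the browser would really connect to, and names that real host in the prompt. The URLs and hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

DISALLOW, PROMPT, ALLOW = "disallow", "prompt", "allow"


def split_userinfo(url: str):
    """Return (username, password, real_host). The host is what the browser connects to;
    anything before '@' in the authority is userinfo, however much it looks like a site name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "ftp"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return parts.username, parts.password, parts.hostname


def decide(url: str, mode: str):
    """Apply the policy to one navigation. Returns (action, detail).
    URLs without userinfo always navigate; with userinfo the mode decides."""
    user, password, host = split_userinfo(url)
    if user is None:
        return "navigate", host
    if mode == DISALLOW:
        return "block", f"credentials in URL not permitted; target host is {host}"
    if mode == PROMPT:
        # The dialog names the real host, never the decoy text before '@'.
        detail = f"Log in to {host} as '{user}'"
        if password:
            detail += " (password supplied)"
        return "prompt", detail
    if mode == ALLOW:
        return "navigate", host
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed phishing-style URL: the 'site name' is really the username.
    decoy = "http://www.bank.example@203.0.113.5/login"
    for mode in (DISALLOW, PROMPT, ALLOW):
        print(mode, "->", decide(decoy, mode))
```

As the reply above notes, none of this helps against a domain that merely looks like the real one; the policy only removes the trick where the real host is hidden behind an "@".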
The Observer has a record of stupid and ill-informed articles such as this
And slashdot has a record of reprinting them. Glorified link farm of inflammatory hype. Does slashdot even have staff writers, let alone reporters?
Microsoft also uses Sun servers internally. Not for development mind you, but to run their database and email servers. Enterprise 10,000s running iPlanet; Exchange simply can't handle the load of 55,000+ users.
I'm neither the first nor the last to call BS on your claim: iPlanet uses rather distinctive headers, as does Exchange. I've not seen one single iPlanet email from Microsoft, and I look at a LOT of email from various places (including Sun and MS) in my line of work. I used to work for Sun too (Americas RC), and I can't remember anyone I talked to there ever making this outrageous claim. Sun eats its own dogfood, and so does Microsoft -- MS coined the damn phrase.
And later on (MILD SPOILER) you're fighting in a nebula, so you can't see anything, which works wonderfully.
Which of course is another bit of space opera along with "constant thrust = constant velocity". A real nebula looks pretty much like outer space from the inside or even relatively up close. Maybe an actual protostar would be a little "soupy".
Aside from that, it's a damn fine game... Don't know that I'd pay fifty bucks for it now tho.
How on EARTH did someone write this KB article without cracking up. Are they for real or what?
This one will crack you up even more: Don't use the word "begin" -- use "start" or "commence" instead. That's right, the parser doesn't need fixing, the English language does.
It's frightfully for real. How's MS's level of support looking now?
It would be very nice if Windows users, by default, could just run as User and have a nice GUI to do a runas Administrator with big warnings about how they're about to install software, etc.
Windows in fact does exactly this when running setup programs. With the advanced fine-grained system objects with individual ACLs combined with token-based security for processes, Windows uses... exactly none of this, and pops up a "run as" prompt for any program named setup.exe.
It's like Microsoft pays people specifically to fuck up all the good work the kernel engineers do...
If, on the other hand, you're sending out 100+ resumes to places you're not qualified for, all you're doing is wasting everybody's time, yours included.
How are you supposed to know if you're qualified for the job when the job description for a job that actually requires knowing how to point a mouse and click requires 30 years experience, a PhD from a top university, and personal letters of recommendation from the descendants of Charles Babbage, Alan Turing, Carl Sagan, and Albert Einstein?
I apply for every damn thing. They fuck around with me enough, I don't have a shred of pity for their wasted time.
> Nice deterrent for spam
Really? The spammers aren't using their own CPU's, they're using proxies and relays (if a relay was smart enough to require the hashcash, they wouldn't be open in the first place) and virus infected hosts. You'll introduce latency into the equation, but at no significant cost to bandwidth.
In fact, widespread adoption would simply speed up spam delivery relative to legitimate mail that would need to jump through these hoops.
So, in essence, AOL has decided that its customers can no longer send mail from their AOL email address, unless they're logged into AOL.
Maybe you could try RTFA. Nothing in SPF prevents you from using any From: address you want, hell you can even forge the envelope-sender if you feel like it. What you can't do is forge a Received: line.
Now if a mail admin wants to drop any mail with a domainpart of @aol.com that wasn't from an AOL server, that's their business, AOL isn't doing it anyway. In fact, AOL isn't instituting one iota of new policy, they're publishing funky TXT records that only advise receivers. And if you bothered to read anything about SPF, you'd know that.
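What an SPF-aware receiver actually evaluates, as an added example that is not part of the thread above and not code from AOL or any SPF implementation: a small evaluator for the ip4/ip6/all mechanisms run against a constructed TXT record for a made-up domain (a dictionary stands in for DNS). The inputs are the connecting IP and the domain taken from the envelope sender; the From: header is not consulted at all. The output is only a verdict such as pass, fail or softfail; whether to reject on it is the receiving admin's decision, which is the point made above.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> published TXT record.
FAKE_TXT = {
    "aol.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Walk the record's mechanisms left to right; the first match yields its qualifier's result.
    Only ip4, ip6 and all are supported here; a, mx and include need live DNS and return permerror."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "permerror"
    return "neutral"  # nothing matched and no 'all' term: the default result


def check_sender(mail_from: str, client_ip: str, txt=FAKE_TXT) -> str:
    """Receiver side: look up the envelope-sender domain's record and evaluate the connecting IP.
    Note the From: header is not a parameter; SPF says nothing about it."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = txt.get(domain)
    return evaluate_spf(record, client_ip) if record else "none"


if __name__ == "__main__":
    print(check_sender("someone@aol.example", "198.51.100.25"))  # from a listed server
    print(check_sender("someone@aol.example", "203.0.113.9"))    # from anywhere else
```

A "fail" here is advice to the receiver; dropping the message, tagging it, or ignoring the result is local policy, which is exactly why publishing the record changes nothing by itself.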
Besides, with the GNU toolset on the FreeBSD kernel, you can set up a jail on the FreeBSD side, and then if you want both you can have both. There are differences, it's annoying sometimes, I'm sure some people want both.
Are you aware that /compat/linux will work just fine in a jail, and that the Linux distribution in there (you get your choice of Red Hat or Debian) runs a full suite of GNU utilities? And it's all at native speed, not emulated, it's going through the same syscall mapping layer that BSD itself uses.
I'm all for porting the GNU toolchain to BSD, and so are a lot of other people, which is why it's already been done and is available in ports. Are you seriously talking about porting bloatsome abominations like glibc or something? (Oh wait, /compat/linux again, been done)
It would also help if they came up with a friendlier name than "GNU/KFreeBSD"
Considering how little the FSF cares about how clumsy the "GNU/Linux" moniker is, I rather doubt we'll be seeing a different name anytime until the project dies from the awesome lack of interest from both BSD and Linux users.
Some tools in the GNU toolchain are indeed superior to their BSD counterparts and are the default on BSD because of this (tar) or simply because there's no credible alternative (gcc, gzip). Others are available through ports (gmake). So it's not like BSD is trying to achieve some ideal of ideological purity.
Anyway, I hope to start using the FreeBSD kernel soon.
What's stopping you now?
Another thing I wanted to add about squeak is that even the visual, spatial, direct manipulation model it prizes is really somehow ... flawed. I keep accidentally tearing morphs apart, can't get them back together, or they get "lost" somehow, and I can't get them back. Maybe it's people who "grew up" with it are used to it, but I now know how a baby feels when they play with something that comes apart, like one of those ring toys (you know the one, a bunch of plastic colored donuts on a white spike)
"Ooh, pretty. Hey look mommy pushed it and it rocks back and forth! How's it do that? Hey wow they separate, I can make them roll around, and they make cool banging noises on the floor! Hey where's it rolling to, it's under that couch now... Hey come back, I liked that color. Hey I can't get to it! WAAAAHHHH!!!"
Seriously, the frustration makes me want to cry sometimes. Mostly I just want to have a command line for Squeak that I can introspect, browse, and manipulate everything from if I want to, because I'm constantly getting lost in a GUI that seems designed to be as confounding as possible.
Squeak is nice, but the interface is nothing short of horrendous. A limited set of fonts, all ugly as sin, and tiny widgets that require precise aim, combined with a focus model nothing short of schizophrenic -- some places it's click, other places it's hover.
Once you get past the "look, I can drag widgets in and tweak their properties" playground, Squeak leaves you absolutely aimless and adrift, with an absolute lack of any API documentation whatsoever on real applications.
And frankly the Squeak object browser is not all that hot -- I'll take the tree-based browser view that modern C++ and Java IDEs like Eclipse provide over the dated and clunky listbox-based Smalltalk browser any day.
Bill Gates also forecasted that 640KB should be "enough for anybody".
For the millionth time, no he did not. He denies it, and no one has ever dug up a source for this quote.
Witness the plethora of DHTML/JavaScript books out there -- that'd cover at least half of the BASIC book programs from the past. Books tend to come with CDs now, so there's no reason you couldn't include the language, a whole environment, hell a whole operating system (can you say Knoppix) on that CD.
My theory, however, on the reason you don't see kids' programming books anymore is that computers are no longer toys in themselves. When these books were "hot" (actually they never were, so let's say when they were being published) home computers were a relatively new phenomenon and a largely unexplored frontier. Now they're ubiquitous, and the joy of puttering around on the computer isn't really so interesting to most kids as tinkering with something already on the computer.
An updated LOGO type of language with 3D graphics instead of turtles, that might inspire interest again. At least something that can allow kids to create something as eye-catching and appealing as games from 5 years ago. Or just update some of these old saws to modern standards: imagine Rocky's Boots on a modern 3D engine. Kids aren't interested because all the educators are still pointing them at computers and saying "this is a COMPUTER Billy, can you say COMPUTER?", while the kid's thinking "please, I bet it has less than a gig of RAM and it's not even DDR".
Naw, everyone knows it runs Windows ME >:)
There was much unhappy buzz at Sun when they switched from Sun (presumably Solaris on Sparc) to IBM. My guess is AIX on a big PPC box, being that IBM was not a Linux company at the time and Linux didn't/doesn't exactly take advantage of that kind of hardware either.