Slashdot Mirror


User: giminy

giminy's activity in the archive.

Stories: 0
Comments: 553

Comments · 553

  1. Re:The Victorian Internet on Email In the 18th Century · · Score: 1

    Was just going to say the same thing. I read it only a week ago. I highly recommend anyone who has said, "The Internet will bring about world peace/usher in a new age of global understanding/etc" to give it a read.

  2. There goes the neighborhood... on Single-Chip x86 Chipsets Around the Corner? · · Score: 1

    So let's take a von Neumann architecture, which has inherent security problems due to it using the same address space for data and code, and use it to replace the usual DSP (which is superior, in at least the security sense).

    Ah, nothing like ubiquitous insecurity...

  3. Re:A little confused about this on Cisco To Develop Third-Party APIs For IOS · · Score: 1

    Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

    Nobody ever made a mistake in either software implementation of this kind of access scheme, and nobody ever made a mistake in deploying such a system.

    You pretty much nail it on the head, this is going to result in an increase in (scary!) vulnerabilities. If an attacker can take a wild guess as to where the IDS is (gee, there's a port configured to have all the data mirrored to it, I wonder if that's it :)), they can probably wreak some interesting havoc on the network that nobody will ever know about.

    I sort of wish people would consider the security implications of ideas like this before going out and implementing them/forcing them on customers. At this rate, the Law is going to have to catch up and make Software Engineering certifications similar to electrical/power/civil engineering. Blech.

    Reid

  4. Patents strike again? on Postal Service Surcharge Could Slash Netflix Profit · · Score: 2, Funny

    Unless Blockbuster filed for a patent like, "A method for placing media into solid-cornered transport containers." If this is the case, we're all screwed.

    Reid

  5. Re:Ham's day is over, probably on Ham Radio Operators Are Heroes In Oregon · · Score: 1

    A few months ago, I would have agreed with you. I'm 27, and just got my ham ticket (KE7OZN). I have sort of been surprised at the renewing interest in it among youth though. Prime example: I just went to a ham radio meeting at the University of Idaho (W7UQ) and there were about 20 people in attendance. Only three of them (myself included) were over 25. There is also a nifty high school north of me that does a ham radio class; I've been hearing a lot of 14-18 year olds hopping onto the local repeaters and the kids seem pretty excited about it.

    I think that a lot of the digital modes (a prime example being D-Star, which is 128kbps data around 1.3 GHz) are helping to renew interest, as are APRS and other internetty protocols (there was an article a few weeks ago on Slashdot about people doing private balloon launches into the high atmosphere -- APRS is often used to track the things). Also, a lot of people don't know it, but the low end of 802.11 (channels 1-4 I believe) is primarily ham radio space, meaning people with home access points that interfere with hams on those channels have some legal obligation to leave the frequency. Even a Technician, the license where you essentially have to know how to spell your name, and know what the FCC is, can use 50 watts of power on those 802.11 frequencies, which is quite a bit of distance to talk 802.11!

    I think that the World Trade Center attacks, Hurricane Katrina, the wildfires in Southern California, and the flooding in Oregon/Washington have demonstrated that the Internet is great, but it just doesn't cut it when there are big disasters. All of these events have seen hams stepping up to the plate and succeeding where the Internet can't. It's a big country, I doubt that cell phones and fiber will cover it all any time in this century (for an amusing and somewhat related story, check out ftp://ftp.arnewsline.org/quincy/News/news.txt , search for 'Catalina,' for another [tiny] ham radio rescue from a few weeks ago).

    Cheers,
    Reid

  6. Re:farewell, anonymity on AT&T To Decommission Pay Phones · · Score: 1

    Yah, I would think that the FCC/FTC/some oversight body would make payphones a requirement for operating telephones in the US? They should be looking out for the public's best interest. It seems like payphones have a great public benefit, especially for the poor.

    I wonder what it would take to start a private payphone business (using AT&T/Verizon service, and putting your own payphones into the wild). I can't see payphones as being very profitable...I wonder if Congress would ever consider funding such a thing...

    Reid

  7. Re:NOT a Complete DNA Scan on $999 For a Complete DNA Scan, Worth it? · · Score: 1

    This $1000 option looks at about 2 million KNOWN sites which vary between people.

    I'd also like to point out that many of these 2 million known sites are covered by patents, so they probably can't even tell you that. My prime example is still the BRCA3 sequence, which is a breast cancer determinant in many folks, and whose discovery is covered by a patent.

  8. Re:I've got the DNS-323 on Best Home Network NAS · · Score: 1

    I've written some of the articles on that wiki. The 323 displeases me on the whole, still. Check out my response to other posts in this thread.

    My wish is that D-Link would just allow us to easily load our own firmware on the 323 (at which point, I think it would become a really great piece of hardware, and I would probably buy another one! D-Link, if you're listening...). As it is, you need to solder a serial port onto the tiny little 323's board in order to wedge your own firmware onto it (and you can't just solder a serial port, actually, you need to step down the voltage on the board's RX pin so that you don't fry the CPU).

  9. Re:I've got the DNS-323 on Best Home Network NAS · · Score: 1

    With regards to not being able to upgrade the kernel - you can install debian on it (and no I don't mean as a chroot, although that is also possible).

    For the "better samba" article, take a look at the history. Reidmefirst is me ;-).

    Got a link with Debian instructions? The only set that I've found is here: link, which indicates that this hack is rather, well, hack'ish. In particular, you need to solder a serial port to the 323 main board in order to install debian as native. In my previous comment, I noted that one could change the firmware, but one had to hack the hardware first... ;-).

    I still can't recommend this NAS for someone that wants a reliable/cheap/easy NAS. If making it usable means soldering, hacking firmware, &c, it seems that it would be simpler to just build a system, install two hard disks, and install [flavor of linux/bsd of your choice].

    reid

  10. Re:I've got the DNS-323 on Best Home Network NAS · · Score: 4, Informative

    As a bonus, it's debian based, so you can hack the OS as well to serve up things like lighttpd, upgrade samba, or run subversion.

    I also own a DNS-323, and I can't recommend it so much. The 323 is *not* debian-based, it runs busybox. You can install debian on your hard disks, chroot a shell to the debian install directory, and start services like a separate http server, ssh server, etc under debian. It isn't quite the same thing, however...

    The kernel that comes with the 323 is a huge problem, and the chroot debian can't fix that. There is a hack to load a new linux kernel image on top of an already-running kernel (akin to the way that you used to use LoadLin to boot linux from DOS, if anybody was doing that way back when). This method of replacing the kernel is highly experimental though. As it stands, nobody knows how to create a custom firmware for the 323 and load it without hardware hacking -- the firmware update interface checks new firmwares for a digital signature from D-Link.

    I should also point out that even the latest version of the 323 firmware, 1.03, disappears files. It has also been reported that it will not rebuild RAID-1 arrays correctly. To demonstrate the former bug you try to transfer a file bigger than about 20GB to the NAS. It will report to your operating system's SMB layer that it took the file fine, but the file just won't be on the filesystem. I have tried this using Windows XP, Mac OS X tiger and leopard, and my stock Feisty Fawn boxen, using two different switches. The 323 exhibits the same behavior to all of them. The earlier firmwares are also really notorious for dropping files if you transfer large numbers of small files in batches (like, say, backing up your filesystem).

    Also, the 323 only supports ext2 as its underlying filesystem. This probably explains some of the problems that it has when working with terabyte-sized arrays? Also, the 323 does not provide a safe way of running fsck (you can do it via the command-line if you set up ssh/telnet, but only if you are willing to fsck a mounted filesystem [eep!]). In any case, it has been over a year, and D-Link has not got the kernel right on the 323 (and all they have to do is compile a kernel > 2.6.6 and ship it in a firmware), so I would suggest avoiding it...

  11. Re:Interesting business in Germany? on Court Order Against German T-Mobile iPhone Sales · · Score: 1

    I actually like your explanation, and wish to subscribe to your newsletter (both a good explanation, and I think you're the only one who didn't use the word 'idiot' to refer to me somewhere in the course of it). Ever take the Carnegie Course?

    I suppose the more verbose explanation would be: the airwaves are owned by the public. In order for private companies to gain (semi-exclusive) access to this public space, they have to agree to play by a few rules. One of those rules is that the goods and services that the cell carriers provide cannot be exclusive -- all players in the airspace must be able to provide the same stuff.

    This exclusivity has me intrigued and curious about other aspects of DE's intellectual property law -- suppose that Vodafone does come up with some nifty new service/feature that uses the GSM portion of the spectrum, and they are able to provide a new service to their customers because of it. Would Vodafone be required to give competitors free use to patents for the new service? Or would such a service simply not be patentable in DE?

    Cheers, and thanks,
    Reid

  12. Re:Interesting business in Germany? on Court Order Against German T-Mobile iPhone Sales · · Score: 1


    Next thing you know, some litigious bastard will suggest that AT&T should have to let us choose which phones to use on our landlines! You knew the deal when you signed up for service, it's only whiners who want to stop competition who suggest that renting your princess phone is too expensive.

    That's a horrible argument. When AT&T did that, they were the only provider of phones in the US. If a customer does not like the phones that O2 offers, they can go to Vodafone in Germany (and vice versa) -- people have a choice. The best choice will take the market, of course...

    Reid

  13. Interesting business in Germany? on Court Order Against German T-Mobile iPhone Sales · · Score: 2, Insightful

    So if I get this straight, in Germany if Company A offers me $X dollars for my product, and Company B offers me $X+5, and I decide to do business only with Company B because I don't like Company A's deal, Company A can then sue me for anti-competitive practices? Sounds like I don't want to do business there...

    Reid

  14. Re:As usual, other considerations... on Apple Fixes 'Misleading' Leopard Firewall Settings · · Score: 0, Redundant

    Excellent review, but one question:

    The original article was posted at 5:23, and your response came at 5:24. Did you really type all of that up in just one minute, or does Slashdot not post the actual "submit" time as the time that a comment was posted? (Or was it pre-prepared, cut&paste :))

    Reid

  15. Re:Collateral Damage? on Stopping Cars With Microwave Radiation · · Score: 1

    So when there is a chase in a populated area, the cops will leave a wake of disabled cars? That will be fun to clean up later...

    Even more amusing, it sounds like this sort of device is *meant* to be used in heavily populated areas. In rural areas, there will be few roads, and ample time to set up a road block/run a tire slasher across the road, and little risk of injury to bystanders using either method. So really this little EMP gun is lose-lose: either it will be used in heavily populated areas and you're going to have a lot of dead cars in the vicinity of the end of the chase (and who is responsible for that? the police? the suspect?), or you're going to spend a ton of money on this thing to use it in the countryside, where a $50 set of tire slashers and an ounce of police coordination would do the trick just as well...

    Reid

  16. Re:Sounds like Dark City on Joss Whedon Back on TV · · Score: 1

    Uh, Fritz Lang did this in his 1927 movie Metropolis; separate classes of humans yadda yadda. The movie is one of my favorites, but I don't expect Dark City to be anything but drivel.

    Okay, sorry for the sarcasm. But my point is that nothing out of Hollywood is original. If you subscribe to Joseph Campbell, no story anywhere is really original. Watch it, or don't, I suppose it doesn't matter ;-).

  17. Re:Mainstream Media Decide WHAT? on Colbert Ballot Bid Shot Down · · Score: 1

    No, he's being disallowed from running in the Democratic primary. Which is effectively disallowing him from running. When was the last time you saw any significant attention paid to a primary race that wasn't Democratic or Republican?

    While he wasn't running for Prez, there was Jesse Ventura. On the presidential side, big attention was paid to Ross Perot (he even led in the polls for some time) and Ralph Nader in recent history. Neither amounted to much, but Perot gave it a pretty good shot.

    Reid

  18. Re:No it isn't on Fake Codec is Mac OS X Trojan · · Score: 1


    There's been a lot of make-believe going on that MacOS is immune to spyware/trojans because of its design, specifically the privilege escalation thing. This is proof that's not the case. You can put as many hoops up as you want, if the users want what's at the other end bad enough, they'll jump through them without looking to see if they are on fire.


    Got a reference for the "MacOS is immune" line? I have never seen a person say that the OS is 'immune.' MacOS is more resistant, though, because of design decisions such as prompting users when they are installing executables, and only allowing executables and kernel extensions to be installed by a user with administrative privileges (and only after they authenticate with the system again). The OS has been doing this for a long time, and these security cues have begun to be duplicated by other software vendors because they are at least somewhat effective.

    I agree that if a user wants something badly enough, they will do dumb things. Putting at least some sort of barrier in front of them will greatly reduce their idiocy, though. Telling a user what's going on can't hurt, it can only help.

    Besides, who wants to download a codec just to see porn? It's far easier to just move on to the next site...

    As for the 'in the wild' remark, to me the term has a semantic edge to it that implies a virus/trojan that is self-replicating, or at least takes some steps to *try* to spread itself, even if that step is only to relay spam with links to the infected website. Writing the shell script "#!/bin/sh\nsudo rm -rf /" and then placing it on a website could probably be considered an "in the wild" unix trojan by a more relaxed definition, but I just call it what it is: a very stupid program.

  19. Steps to get infected on Fake Codec is Mac OS X Trojan · · Score: 5, Informative

    To get infected, you have to:

    1) Go to a porn site
    2) Download a plugin from the porn site
    3) Click "OK" that you are downloading a .DMG file.
    4) Mount the .DMG
    5) Go back to the Finder
    6) Double-click the installer
    7) Type in your account password
    8) Click next a few times

    Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...

  20. Re:iptables fake RST detector on Google Caught in Comcast Traffic Filtering? · · Score: 1

    That is incredibly clever, seems it should have been a part of the TCP/IP stack itself...

    Heh, thanks, but I'm pretty dumb :P. It would probably work, though, especially if you handled RSTs in a similar way to fragmented packets (really it's like the opposite of a fragment: if you get more stuff, then the RST was invalid, if you get nothing more, then the RST was valid). Scheduling the RST packet to get flushed if it is unused would be the only interesting part, but it could probably be handled similarly to fragmented packets whose other fragments never show up.

    The folks at Kernel Trap were supposed to write a followup to this story about it, but I can't find the promised followup. Oh well. Back to work.

    Reid

  21. Re:iptables fake RST detector on Google Caught in Comcast Traffic Filtering? · · Score: 1

    isn't iptables a stateful host packet filtering firewall?

    I guess that it is depending upon the definition of 'stateful.' I'm probably not using the word correctly. I haven't seen/figured out a way to make iptables match a pattern on a packet, and then defer the decision to be made on that packet for a certain period of time (meanwhile some other pattern may affect that decision). In this sense, I do not consider iptables to be stateful, unless I'm misunderstanding its capabilities.

    The only mention of timing in the iptables manpages concerns limiting the lograte. There may very well be a way to make a rule like the one that I'm suggesting above, but I simply don't see it. If you do, please please post for we humble dorks to read, I'd love to put a rule like that in my firewall (I'm on Time Warner, but you never know...).

    Cheers,
    Reid

  22. Re:iptables fake RST detector on Google Caught in Comcast Traffic Filtering? · · Score: 1


    Assuming that Comcast is injecting a RST with a valid sequence number (next in an open connection), it would be impossible* to distinguish between a generated RST and a real one. If they are indeed resetting your connection, and your kernel's tcp stack is not written by a 3-year-old, then they are most certainly using a valid sequence number.

    Ignoring all RSTs would eventually fill your TCP stack with open connections and cause your kernel to barf. I *think* that RST is pretty uncommon on a decent network, though. Someone else chime in. So you could maybe ignore RST's and go for days and days without needing to reboot? One could also write a kernel module that killed any connection with no traffic after X hours. So yeah, it could be made to work...

    It is a bit frightening that this is happening to begin with. You are paying for the Internet, not some subset/crippled form on the Internet...

    Reid

    * Okay, not impossible...you might be able to determine its fakeness based on timing (the RST would have to be injected in between the average time between two normally-spaced packets), but iptables isn't that good...If you had a stateful firewall, you could queue the RST for a few seconds, and if no more normal (ACK+NOFIN+NORST) traffic comes in on the stream for a few seconds, only *then* accept the RST and pass it up to your computer.

  23. Pretty obvious what would happen on Call for a Presidential Debate on Science · · Score: 1

    Al Gore would win, even if he didn't show up...

  24. Re:In the realms of funny.... on Note To Criminals — Don't Call Tech Support · · Score: 2, Interesting

    I mean, this guy is braindead for calling for tech support to use his stolen goods - but at least through his stupidity & security measures they caught him. If I was an ass, I could easily crank off what I wanted to without anyone being the wiser.

    Actually, almost every printer worth its salt (any color printer that could print money/fake ids/whatever) these days puts a watermark on every document they print. The Secret Service, when they found a fake ID printed with your (company's) printer, would just look up the watermark ID, call the manufacturer, and find out it was printed at your work. A simple check of the printer's logs/q&a session with your network administrator would probably reveal that it was you who did the printing...

    At least if the guy had stolen the printer and not been caught, the SS folks would have had to resort to 'human interactive' methods to track down the fake ID producer. Given this guy's IQ, even if he had gotten the printer working successfully he probably would have been caught (some college student with a fake ID would probably rat on whoever he bought it from in a bargain to get terrorist charges slapped on his record).

    Reid

  25. Re:I thought that this all worked years ago... on Cellphone Use On Planes Coming Soon? · · Score: 1

    You are wrong. Sorry ;-). It isn't your fault, though, the media really didn't make it clear. Here is all of the evidence:

    Take a look at the NTSB report about flight 93: http://www.ntsb.gov/info/Flight%20_Path_%20Study_UA93.pdf . Between 9:58 and 10:00am, the plane was at/below 5,000 feet (and never went much above 5,000 feet). From the Moussaoui trial/wikipedia article that you linked to, "Only two phone calls, one by Edward Felt and one by flight attendant CeeCee Lyles, came from cell phones -- both at 9:58 a.m, shortly before the plane crashed.[14]" Note that the plane was below 5,000 feet at that time. From the Moussaoui trial and wikipedia article, every other phone call made on flight 93 was done using a credit card phone (read the flight 93 section on Telephone Calls).

    The evidence is all there, cell phones don't work at altitude. Most people don't read the evidence, though, sadly. I'll stand by my point: cell phones on planes are useless (and dangerous).

    Cheers,
    Reid