Linux-Advocacy Digest #742, Volume #32 Sat, 10 Mar 01 13:13:06 EST
Contents:
Re: RTFM at M$ (Bob Hauck)
Re: What does IQ measure? (The Ghost In The Machine)
Re: NT vs *nix performance (Tim Hanson)
Re: What does IQ measure? (The Ghost In The Machine)
Re: Linux Joke (Donovan Rebbechi)
Re: What does IQ measure? (The Ghost In The Machine)
Re: Mircosoft Tax (Donovan Rebbechi)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Bob Hauck)
Crossposted-To: alt.destroy.microsoft
Subject: Re: RTFM at M$
Reply-To: bobh = haucks dot org
Date: Sat, 10 Mar 2001 16:43:42 GMT
On Sat, 10 Mar 2001 00:44:06 GMT, T. Max Devlin <[EMAIL PROTECTED]> wrote:
>Said Bob Hauck in alt.destroy.microsoft on Sun, 04 Mar 2001 03:43:42
>> Smurf does not deny me service, necessarily, but some third party
>> victim.
> And all they can do is overwhelm someone else's connection, temporarily.
They can do so using my bandwidth instead of theirs. That's a problem
for me, in that people will send me nasty email thinking that I'm doing
it and I won't be able to easily find out who did do it.
>> I don't care if you can troubleshoot my network from outside. Really, I
>> don't.
>
> There is no "outside" or "inside"; just the network.
There is the network that I have administrative control over, and the
ones that I don't. Normal people take steps to control what happens at
the interface between the two.
Nice piece of arm-waving though.
> This is an issue of a local configuration versus an internetwork
> configuration.
Gee, do ya think?
> It would make more sense simply to stop spoofing entirely, as you've
> said. Still, I have this nagging feeling that it isn't really as
> possible to do that in practice as we might suppose.
It becomes harder as the size of the network increases. So, no, it
can't be stopped altogether, and hasn't been. To be really effective it
must be done at the very edges, which may cost some money to implement.
>> No, Smurf uses the address of the *victim* as the source of the
>> pings, and I am merely the "amplifier", not the victim.
> I did misunderstand the complete explanation. You are correct, of
> course. This probably explains why this bit of paranoid trivia has
> been maintained; you never find it out it doesn't do any good anyway.
But it does. It stops one annoyance. Yes, there are others, but you
can't just throw up your hands and say "well, we can't stop them all so
why bother".
> And chances are nobody actually knows how to use ping as an effective
> diagnostic tool these days, anyway, eh?
I am not advocating disabling all ICMP echo responses. I never have. I
can think of reasons to do it but am not convinced that it solves more
problems than it creates.
>> The reason to block pings to broadcast addresses is to prevent your
>> network being used as a smurf amplifier by script kiddies.
>
> Repeating the premise doesn't make it any less dubious, I'm afraid. Nor
> does it make sense to defend filtering internal broadcast destinations
> to prevent smurfs in order to support filtering all pings to begin
> with.
Please re-read my posts. I have not ever advocated filtering all
pings. As for the supposed dubiousness of filtering pings to broadcast
addresses, you are simply wrong. There is value to it, and pretty much
every router maker recommends it as does CERT.
> Well, it took more pondering than it should have, but I see your
> point. But filtering "broadcast pings" at borders as general paranoia
> (quite a good bit of which is, of course, good when you're considering
> security, but I'm considering more) wasn't so much the issue as
> general filtering on firewalls, or certainly complete denial of ICMP.
Ok, we're getting somewhere then. I don't advocate filtering all ICMP,
so maybe some more rethinking is in order.
>> You can't make forged packets "impossible", but you can make it so that
>> users can't send packets that appear to come from outside their subnet.
>
> No, you can't. Not without re-writing the rules of IP.
Sure you can, no rule rewriting needed. I'm getting the idea that you
don't do much hands-on configuring of routers. Virtually all routers
implement basic packet filtering. You should use that capability. In
the simple case of a border router with two interfaces you set up rules
with the effect:
if (packet has an RFC1597 or 127.0.0.0/8 address)
    drop packet
else if (packet is outbound and source_addr is one of our networks)
    forward packet
else if (packet is inbound and source_addr is not one of our networks)
    forward packet
else
    drop packet
The second "else if" clause prevents people outside from spoofing your
internal addresses. This catches things like connection hijacking and
spoofing tcp wrappers.
You'd also want to do this on each internal network (e.g. between your
dialup ports and your backbone). If you are truly paranoid, it is not
too hard to configure a Lucent Portmaster or similar terminal server to
filter each port individually (only allowing outbound packets from that
one IP).
Note that you probably can't do this on a core network or at a place like
MAE-East. The performance hit of filtering might be too great in those
kinds of cases. All the more reason to filter at the edges.
> Which might well be a fine idea, but would involve much more than you
> believe, I think, as making the source IP of a packet at all important
> in routing decisions might have ramifications far greater than we
> might presume at first blush.
I'm not trying to solve the world's problems. I am just trying to
prevent my users from sending spoofed packets out onto the Internet. At
worst, I want to make it so they can only spoof my own address space.
This makes it much easier to track down who done the bad deed when it
happens and limits the amount of damage they can do to others.
> (though you do realize it would require a hard partitioning between
> what is a "trunk" and what is a "leaf node", something that IP doesn't
> currently do at all).
Why, yes, I do realize this. IP does not set policy. The protocols say
nothing about network topology. That is the network administrator's
responsibility. The topology of the network and the filtering applied
at the nodes is policy.
> The question is really whether it's cost-effective, and there's no
> reason to think it would be.
You have to partition the network somehow (e.g. you really don't want
your dialup users on the same subnet as your servers) and you have to
buy routers to implement your partitioning. I suppose you might have
to buy more or higher-capacity routers if you want to filter
aggressively, so there is a tradeoff to be made. That's setting policy.
>> This stops things like smurf because the kiddies' packets with someone
>> else's source address on them get dropped at the next router.
>
> Indeed. I found it rather surprising when I finally realized how it
> would actually work. The spoofing of source address is simply outside
> the things I usually consider when trying to understand how IP works.
Yes, that is a common thing. People don't think about the security
implications up front. The bad guys think about little else, which is
why so many networks are easy to abuse.
>> You do this by filtering. For example, an ISP can put his dialup users
>> on their own subnet behind a filtering router that blocks outbound
>> packets with source addresses not on that subnet.
> Unfortunately, it would also have to be dynamic, or it doesn't really
> work at all.
If you want to filter to the individual IP (e.g. modem port), then yes
it has to be dynamic. Amazingly, modern terminal servers have provision
for this. And actually, just filtering to the subnet is good enough in
practice. The kiddies quickly realize that they can't smurf anybody but
their fellow dialup customers and the game becomes boring.
--
-| Bob Hauck
-| To Whom You Are Speaking
-| http://www.haucks.org/
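The border-router rules from Bob's post, carried out as a filter decision function over constructed sample packets: an added example, not code from the post. The address ranges (RFC 5737 documentation blocks standing in for "our networks") and the packet fields are assumptions.

```python
"""Anti-spoofing filter for a two-interface border router.
Added example, not code from the original post: it implements the four
pseudocode rules (private/loopback drop, outbound with our source,
inbound with a foreign source, else drop). Ranges are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Sources that must never cross the border: RFC 1597 private space
# (10/8, 172.16/12, 192.168/16) and the loopback block 127/8.
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed address space this router is responsible for (RFC 5737 blocks).
OUR_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "inbound" (from the Internet) or "outbound" (to it)

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def filter_decision(pkt, our_nets=OUR_NETWORKS):
    """Return "forward" or "drop" following the border-router rules."""
    src = ip_address(pkt.src)
    # Rule 1: private / loopback sources never cross the border.
    if _in_any(src, BOGON_SOURCES):
        return "drop"
    ours = _in_any(src, our_nets)
    # Rule 2: egress - only our own addresses may leave, so a user can
    # spoof at most our own address space and stays traceable to us.
    if pkt.direction == "outbound" and ours:
        return "forward"
    # Rule 3: ingress - an outside packet must not claim one of our
    # addresses (blocks hijacking / tcp-wrappers spoofing from outside).
    if pkt.direction == "inbound" and not ours:
        return "forward"
    # Rule 4: anything else is spoofed or misrouted and is dropped.
    return "drop"

def apply_filter(packets):
    """Run the decision over a batch; returns [(packet, decision), ...]."""
    return [(p, filter_decision(p)) for p in packets]

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "outbound"),   # legitimate egress
    Packet("192.0.2.10", "198.51.100.7", "inbound"),    # legitimate ingress
    Packet("192.0.2.99", "192.0.2.10", "outbound"),     # forged outside source
    Packet("198.51.100.7", "198.51.100.1", "inbound"),  # outsider claiming ours
    Packet("10.1.2.3", "198.51.100.1", "inbound"),      # RFC 1597 source
]

if __name__ == "__main__":
    for p, d in apply_filter(SAMPLE_PACKETS):
        print(f"{p.direction:8} {p.src:>15} -> {p.dst:<15} {d}")
```

Running it prints one line per sample packet with the verdict; the same rules applied on each internal subnet give the per-segment filtering the post describes.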
------------------------------
From: [EMAIL PROTECTED] (The Ghost In The Machine)
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,soc.singles
Subject: Re: What does IQ measure?
Date: Sat, 10 Mar 2001 16:47:03 GMT
In comp.os.linux.advocacy, Aaron Kulkis
<[EMAIL PROTECTED]>
wrote
on Fri, 09 Mar 2001 17:34:35 -0500
<[EMAIL PROTECTED]>:
>WesTralia wrote:
>>
>> Aaron Kulkis wrote:
>> >
>> > Brock Hannibal wrote:
>> > >
[snip for brevity]
>> > > I think you are confusing JD Salinger, the reclusive author of "Catcher
>> > > in the Rye", with Pierre Salinger, former white house press secretary
>> > > under JFK.
>> >
>> > whoops. :-)
>> >
>>
>> Double posting? That will cost you ANOTHER -5 IQ points.
>>
>
>Malfunctioning news servers have nothing to do with me, idiot.
>
>Failure to differentiate poster behavior from server glitch:
>
>-20 points
Not having taken the Stanford-Binet IQ test, I can't be sure, but
how does one get dinged -5 IQ points for bad Usenet posting anyway? :-)
[.sigsnip]
--
[EMAIL PROTECTED] -- unless they've updated it?
EAC code #191 33d:02h:18m actually running Linux.
Hi. I'm a signature virus.
------------------------------
From: Tim Hanson <[EMAIL PROTECTED]>
Subject: Re: NT vs *nix performance
Date: Sat, 10 Mar 2001 17:14:02 GMT
Scott Gardner wrote:
>
> On Fri, 09 Mar 2001 04:22:41 GMT, J Sloan <[EMAIL PROTECTED]> wrote:
>
> >Just a thought - it would have been very easy to buy 100%
> >linux compatible hardware, so you have to take some of the
> >blame if Linux isn't liking some of your hardware.
> >
>
> I've said several times that I can't blame Linux for my hardware
> choices, (especially for my Winmodem), but since I wasn't considering
> Linux when I built my computer, I now have a barrier to running Linux
> exclusively. Is it Linux's fault? No, but a lot of people are going
> to be in my same situation if they try to install Linux on a machine
> that they originally bought to run Windows. If people can't make a
> switch from Windows to Linux without losing a large part of the
> functionality of their hardware (as I did), then they are going to be
> justifiably frustrated in their efforts, and come away with the
> impression that Linux isn't quite "ready for prime time"
>
> Scott Gardner
It's going to keep happening until Linux gets a significant number of
preloads, imo. Hardware component vendors are just beginning to
consider Linux in their design decisions.
--
On Monday mornings I am dedicated to the proposition that all men are
created jerks.
-- Avery
------------------------------
From: [EMAIL PROTECTED] (The Ghost In The Machine)
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,soc.singles
Subject: Re: What does IQ measure?
Date: Sat, 10 Mar 2001 17:20:38 GMT
In comp.os.linux.advocacy, Steve Mading
<[EMAIL PROTECTED]>
wrote
on 9 Mar 2001 00:40:57 GMT
<9898qp$6dm$[EMAIL PROTECTED]>:
>In comp.os.linux.advocacy Interconnect <[EMAIL PROTECTED]> wrote:
>: We would only read books by
>: Authors with the highest IQ. We would only consume entertainment produced
>: by Artists with the highest IQ etc..
>
>Not necessarily. Stupidity in and of itself can be highly
>entertaining to watch. Ever seen Plan 9 From Outer Space?
I might have picked the Three Stooges, myself. :-) Of course,
that's only an appearance of stupidity; apparently, Moe, Larry,
Curly, Shemp, and Curly Joe had to work with quite a bit of precision
to get the effect of an eyepoke down properly without injury, among
their many stunts. (Slapstick comedy didn't start with them, either.
There's Charlie Chaplin as well; judging from his stunts, he needed
to do some precision as well. Also, the Keystone Kops come to mind.)
But yes, I've seen Plan 9. It was terrible. The voiceover was
absolutely awful, the sets were -- well, was there more than one?
I think there was one car in the entire movie and one tree with leaves
(they might have had two without leaves) -- and the only good
thing I remember about it was that it was relatively short, about
1 hour or so in length (IMDB says 78 or 79 minutes, so obviously my
memory's off by a bit). It just *seems* longer.
:-)
Mind you, Prince of Space is up there. "Your weapons are useless
against me!" Did anyone else think that the badguy's ship needed
a less snazzy paint job? It looked a bit like a narwhal with an
inflamed tooth. The badguy's chicken laugh was interesting, too.
And then there was Attack of the the Eye Creatures (no, that's not
a misprint; some copies did have the double "the" in the title,
apparently!). And I even have a copy of "Killer Klowns from Outer Space"
(MST3k'ed) -- why anyone would even want to make a movie about such a
subject boggles the mind. I have another one with four gorgeous
black-robed women from outer space whose title escapes me (for that
matter, so does the video tape; I have a bad habit of not labeling them),
and I remember seeing a video tape for "Three Killer Bimboes"
in a store once; the entire idea strikes me as just silly. (That one
might have been a bad Charlie's Angels remake, but I can't say.
Of course, someone actually did make a Charlie's Angels movie recently,
so go figure...maybe we just like figures...)
Godzilla movies are pretty bad, too -- the whole notion of a monster
saving the city from another monster is a little weird. For that
matter, the whole notion of a monster is a little weird; Nellie would
starve in Loch Ness (not enough fish), for example.
OK, enough bad movies.
A comment here on IQ. IQ is to me a bit like slicing a human body
widthwise (metaphorically speaking, of course, or using a CATscan)
and then trying to measure the size of one's heart, brain, liver,
and kidneys, based on that one slice. I'm not sure that it can measure
all complexities of one's persona. It gets worse when one factors
in cultural biases into the mix -- although I can't think of any offhand,
I suspect that there might be some.
This notion can also apply to operating systems/environments, of course.
How does one determine which one is "best" for him? Answer: by doing
his own homework. One can pontificate at length as to the reliability
of Linux versus NT, or the functionality of NT versus Linux (note that
Linux is getting more and more functionality all the time, though),
or the scalability of either solution versus something like Solaris,
IBM mainframes, or high-performance database retrieval vendors such as
Tandems -- but in the end, it all boils down to whether the picked
solution can do the job required.
--
[EMAIL PROTECTED] -- insert random bad movie here -- too bad MST3K is no more
EAC code #191 33d:02h:21m actually running Linux.
The US gov't spends about $54,000/second. I wish I could.
------------------------------
From: [EMAIL PROTECTED] (Donovan Rebbechi)
Crossposted-To: alt.destroy.microsoft
Subject: Re: Linux Joke
Date: 10 Mar 2001 17:57:26 GMT
On Sat, 10 Mar 2001 04:58:38 GMT, J Sloan wrote:
>Donovan Rebbechi wrote:
>
>> On Fri, 09 Mar 2001 04:42:28 GMT, J Sloan wrote:
>>
>> >Well that was silly - you should have checked out the facts
>> >about gcc-2.96 before swallowing the anti-redhat propaganda!
>>
>> Can't reach the server. (maybe their httpd was compiled with that alpha
>> compiler !!!) And I still stand by my comment.
>
>Well, again you are being quite silly.
>
>But I just checked the page and it's just fine.
>Perhaps there are issues with your ISP?
I can get the page now. Yes, the alpha compiler has some features that might
make it more standards compliant.
His arguments about binary compatibility are completely unconvincing.
Link everything statically ? Is this some kind of joke ? This gets messier
when you use a mix of static and dynamic linking (think about a program
that needs a bunch of dl modules, my head hurts just thinking about this
and statically linking everything to libstdc++)
Sure, each major release is binary incompatible with the others. But why
artificially create more binary incompatible versions than we have already?
Again, are Redhat going out of their way to be binary incompatible? I
almost wonder if they thought to themselves "Well, it's time for a .0
release because that's what we do after a .2 release. We need to find some
way of being binary incompatible with everything else" ...
And this argument:
=====
Someone has to be the first to take a step like this. If nobody dared to make a
change because nobody else is doing it, we'd all still be using gcc 1.0, COBOL
or ALGOL.
=====
is just silly. By all means, take a first step -- when the production release,
3.0 comes out. (duh!) Taking a first step does not have to involve leaping
off the cliff.
--
Donovan Rebbechi * http://pegasus.rutgers.edu/~elflord/ *
elflord at panix dot com
------------------------------
From: [EMAIL PROTECTED] (The Ghost In The Machine)
Crossposted-To: alt.destroy.microsoft,comp.os.ms-windows.advocacy,comp.os.ms-windows.nt.advocacy,soc.singles
Subject: Re: What does IQ measure?
Date: Sat, 10 Mar 2001 18:02:48 GMT
In comp.os.linux.advocacy, Anonymous
<[EMAIL PROTECTED]>
wrote
on Fri, 9 Mar 2001 19:40:36 -0700
<[EMAIL PROTECTED]>:
>aaron wrote:
>> Anonymous wrote:
>> >
>> > aaron wrote:
>> > > If you were to follow around one IQ-100 person all day, you would
>> > > be appalled by the vast number of incredibly stupid things they do
>> > > in the course of a day, and how many completely fucking obvious
>> > > connections they miss, how many winning opportunities they pass
>> > > up (because they either don't understand them, or they fail to
>> > > even recognize that the opportunity exists in the first place).
>> >
>> > now you know why i usually don't read your messages
>> > jackie 'anakin' tokeman
>> >
>> > p.s. windows is a pretty cool operating system
>> >
>>
>> Only in comparison to DOS.
>>
>> Compared to anything else, Windows is comparable to a Formula-1 body
>> slapped on top of a Ford Pinto with a sand-injection oil system
>> and water-contaminated brake-lines.
>
>amiga: dead
>beos: fringe
>mac: fringe
>os2: dead
>next: dead
>unix: user hostile
>windows: mainstream user friendly
>
>you were sayink?
And of course Windows is the best OS out there for everyone.
"Eat shit: 10 trillion flies can't be wrong".
[.sigsnip]
--
[EMAIL PROTECTED] -- insert random shit here
EAC code #191 33d:05h:33m actually running Linux.
Are you still here?
------------------------------
From: [EMAIL PROTECTED] (Donovan Rebbechi)
Subject: Re: Mircosoft Tax
Date: 10 Mar 2001 18:05:35 GMT
On Sat, 10 Mar 2001 08:09:04 -0800, Salvador Peralta wrote:
>T. Max Devlin quoth:
>I don't agree with some of the ( rather dated ) opinions that Don has
>regarding Linux versus microsoft. Windows is not easier to install,
I haven't done a default install of Linux for years, I always choose
"expert" mode, I suspect the default install is pretty easy. But
configuration is not so easy. For example, font management is still
a problem (though it's becoming slightly less of a problem)
I agree about the Windoze documentation being a joke. You can't learn
anything useful from their docs, you really need to buy a book (as
opposed to the Linux HOWTOs and guides which are very instructive)
--
Donovan Rebbechi * http://pegasus.rutgers.edu/~elflord/ *
elflord at panix dot com
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to comp.os.linux.advocacy.
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Advocacy Digest
******************************