What Happens When You Reply To ALL of Your Spam

bednarz writes "For Tracy Mooney, a married mother of three in Naperville, Ill., the decision to abandon cyber-sense and invite e-mail spam into her life for a month by participating in a McAfee experiment was a bit of a lark. The idea of the Spammed Persistently All Month (S.P.A.M.) experiment — which fittingly started on April Fool's Day — was to have 50 volunteers from around the world answer every spam message and pop-up ad they got. Mooney was game, especially since McAfee was giving a free PC to all participants. She told her story to Network World."

Read more of this story at Slashdot.

Priorities Fail


Thx My Very Own

fail owned pwnd pictures

Dear Recruiters: Please Don’t Call Us Asking For Advice On Where To Place Outgoing Executives - It’s Too Tempting

I’m just going to write this once, and point back to it in the future.

Access Fail


Thx Chuck S.


Engadget’s Ryan Block and Peter Rojas To Team On New Startup

Engadget’s editor-in-chief Ryan Block will be leaving parent company AOL shortly, sources say, to l

AT&T’s Text Messages Cost $1,310 per Megabyte

Geoff O'Callaghan: openssh crypto cipher performance


It was mentioned to me that when transferring files on an internal network that by selecting a different cryptographic cipher you could improve the file transfer performance.  So, since I had a few spare minutes and elected not to scratch my bum I whipped up the following little script to test the theory.

I elected to scp a random ~700Mb file I affectionately called disc1.iso (it was actually just random data, but you get the idea) to my localhost. That is, I transferred the file from system A to system A. I’m not interested in getting the highest possible speed with this test, I’m more interested in the relative performance of the ciphers. Doing this creates a ‘relatively’ stable environment to conduct the comparisons.

I added my ssh key to allow myself to talk to myself - sort of like this blog really with the number of readers I have :-)  Then I did the following (a man ssh shows the valid ciphers for protocol 2)

# outer loop: every protocol-2 cipher listed in man ssh
# inner loop: number of repetitions per cipher (seq 1 1 = once, see Note 2)
# /usr/bin/time appends one CSV line per run: cipher,run,elapsed,user,system
for c in 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr \
         arcfour128 arcfour256 arcfour blowfish-cbc cast128-cbc ; \
  do for j in $(seq 1 1) ; \
    do /usr/bin/time -a -o results.txt -f "$c,$j,%E,%U,%S" scp -c "$c" disc1.iso localhost:tmp/ ; \
    done ; \
  done &

This creates a results file which in my case looks like this:

3des-cbc,1,1:12.67,35.41,3.53
aes128-cbc,1,0:56.18,9.52,4.09
aes192-cbc,1,0:54.58,9.86,4.16
aes256-cbc,1,0:55.73,11.46,3.89
aes128-ctr,1,0:59.78,13.43,4.14
aes192-ctr,1,1:04.33,14.67,4.19
aes256-ctr,1,1:01.07,15.31,4.08
arcfour128,1,0:57.75,7.10,4.50
arcfour256,1,1:18.06,7.80,4.56
arcfour,1,0:59.32,7.05,4.60
blowfish-cbc,1,1:01.19,11.62,4.46
cast128-cbc,1,1:26.57,22.31,4.14

Now, according to the man page aes128-cbc is the default cipher for Protocol version 2, so if I use this as the baseline then the relative performance becomes:

Cipher         Relative Performance
3des-cbc       0.77
aes128-cbc     1.00
aes192-cbc     1.03
aes256-cbc     1.01
aes128-ctr     0.94
aes192-ctr     0.87
aes256-ctr     0.92
arcfour128     0.97
arcfour256     0.72
arcfour        0.95
blowfish-cbc   0.92
cast128-cbc    0.65

Based on those numbers I really wouldn’t bother trying to select a different cipher for the file transfer.

Note 1: This was performed on a run of the mill core 2 duo system running Ubuntu Hardy, you will possibly find that certain architectures have better results with certain ciphers possibly due to the instruction set being a better fit for a certain algorithm or in the case of higher end servers the availability and use of cryptographic hardware.

Note 2:  The seq 1 1 allows you to run the test multiple times, just change it to seq 1 10 to run each test 10 times.  I just did it once for the purposes of putting it in the blog.
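The following is an added example, not code from Geoff's post: a small script that reads the results.txt the scp loop above produces and works out the same relative-performance column (baseline elapsed time divided by each cipher's elapsed time, aes128-cbc as the baseline), averaging over however many runs seq produced. It also reports CPU seconds (%U + %S) relative to the baseline, since on a loopback copy that is the part the cipher itself accounts for. The rows embedded below are the post's own single-run figures, inlined so the script runs offline; the function and column names are my own.

```python
"""Summarise the results.txt written by the scp cipher loop.

Added example, not part of the original post. It assumes the CSV layout the
loop's /usr/bin/time format string produces: cipher,run,%E,%U,%S, where %E is
elapsed wall-clock time as [h:]m:ss.ss and %U / %S are user and system CPU
seconds. Multiple runs per cipher (seq 1 10) are averaged.
"""
from collections import defaultdict
from statistics import mean

# Constructed input: the single-run results quoted in the post, verbatim.
SAMPLE_RESULTS = """\
3des-cbc,1,1:12.67,35.41,3.53
aes128-cbc,1,0:56.18,9.52,4.09
aes192-cbc,1,0:54.58,9.86,4.16
aes256-cbc,1,0:55.73,11.46,3.89
aes128-ctr,1,0:59.78,13.43,4.14
aes192-ctr,1,1:04.33,14.67,4.19
aes256-ctr,1,1:01.07,15.31,4.08
arcfour128,1,0:57.75,7.10,4.50
arcfour256,1,1:18.06,7.80,4.56
arcfour,1,0:59.32,7.05,4.60
blowfish-cbc,1,1:01.19,11.62,4.46
cast128-cbc,1,1:26.57,22.31,4.14
"""


def parse_elapsed(text):
    """Convert GNU time's %E field ("1:12.67", "0:56.18", "1:02:03") to seconds."""
    seconds = 0.0
    for part in text.split(":"):
        seconds = seconds * 60 + float(part)
    return seconds


def parse_results(text):
    """Group every run by cipher: {cipher: [(elapsed_s, user_s, system_s), ...]}."""
    runs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cipher, _run, elapsed, user, system = line.split(",")
        runs[cipher].append((parse_elapsed(elapsed), float(user), float(system)))
    return runs


def relative_performance(runs, baseline="aes128-cbc"):
    """Per cipher: mean elapsed, baseline/elapsed ratio, mean CPU and baseline/CPU ratio.

    A ratio below 1.0 means the cipher was slower than the baseline, matching
    the post's table (3des-cbc 0.77, cast128-cbc 0.65, ...).
    """
    if baseline not in runs:
        raise KeyError(f"baseline cipher {baseline!r} has no runs in the results")
    base_elapsed = mean(r[0] for r in runs[baseline])
    base_cpu = mean(r[1] + r[2] for r in runs[baseline])
    table = {}
    for cipher, rows in runs.items():
        elapsed = mean(r[0] for r in rows)
        cpu = mean(r[1] + r[2] for r in rows)
        table[cipher] = {
            "runs": len(rows),
            "elapsed": elapsed,
            "relative": base_elapsed / elapsed,
            "cpu_seconds": cpu,
            "cpu_relative": base_cpu / cpu,
        }
    return table


def print_table(table):
    """Plain-text report in the same spirit as the post's two-column table."""
    print(f"{'Cipher':<14}{'runs':>5}{'elapsed':>10}{'relative':>10}{'cpu(s)':>9}{'cpu rel.':>10}")
    for cipher, row in table.items():
        print(f"{cipher:<14}{row['runs']:>5}{row['elapsed']:>10.2f}"
              f"{row['relative']:>10.2f}{row['cpu_seconds']:>9.2f}{row['cpu_relative']:>10.2f}")


if __name__ == "__main__":
    # Replace SAMPLE_RESULTS with open("results.txt").read() for a real run.
    print_table(relative_performance(parse_results(SAMPLE_RESULTS)))
```

Run against the post's own numbers, wall-clock times differ by at most about 1.6x between the fastest and slowest cipher while user CPU differs by 5x (7 s for arcfour against 35 s for 3des-cbc), which is what you would expect when a loopback copy is not cipher-bound; the cpu column is the one to watch if the transfer is actually CPU-limited. Note that arcfour, blowfish-cbc, cast128-cbc and 3des-cbc are no longer offered by default in current OpenSSH releases, so a present-day comparison would be among the AES and ChaCha20-Poly1305 ciphers only.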

Ted Leung on the Air: DTrace on Linux?

I’ve been meaning to write a post about DTrace, and Tim Bray’s tweet finally got me moving. It looks like some people are trying to make DTrace a topic for this year’s Linux Kernel Summit. I hope they succeed. I also hope that those folks pushing for user level tracing have their voices heard. I was amused to read one of the messages which claimed that DTrace is:

DTrace is more a piece of sun marketing coolaid which they use to beat us up at every opportunity.

My experience at Sun thus far is that people generally don’t really appreciate the benefits of DTrace. It stems from a view that I also saw in the LKS threads, which is that DTrace (and tools like Systemtap) is a tool for system administrators, because it reports on activity on the kernel. That’s not how I look at it. DTrace is a tool for dealing with full system stack problems, which initially manifest themselves as operating system level problems. The fact that DTrace can trace user land code as well as kernel code is what makes it so important, especially to people building and running web applications. Because of all the moving parts in a complicated web application (think relational database, memcached or other caching layers, programming language runtime, etc), it can be hard to debug a web application that has gone awry in production. Worse, sometimes the problems only appear in production. Tools which cut across several layers of the system are very important, and DTrace provides this capability, if all the layers have probes installed. When a web application goes wrong in production, you see it at the operating system level - high usage of various system resources. That’s where you start looking, but you will probably end up somewhere else (unless you are ace at exercising kernel bugs). Perhaps a bad SQL query or perhaps a bad piece of code in part of the application. A tool that can help connect the dots between operating system level resource problems and application level code is a vital tool. That’s where the value is.

One of the cooler features of DTrace is that you can register a user level stack helper (a ustack helper), which can translate the stack in a provider specific manner. One cool example of this is the ustack helper that John Levon wrote for Python, which annotates the stack with source level information about the Python file(s) being traced. On an appropriately probed system, this would mean that you could trace the Python code of a Django application, memcached, and your relational database (PostgreSQL and soon MySQL). That would be very handy.

I’d love to see DTrace on Linux, because I have it on OS X and it’s in OpenSolaris and FreeBSD, but I’d also be happy to see SystemTap get to the point where it could do the same job.

Xandros Reportedly Buys Out Linspire

2muchcoffeeman writes "Former Linspire president and CEO Kevin Carmony — whose relationship with his former employer has turned acrimonious, to say the least — reported on his blog that Xandros and Linspire signed an agreement in principle for Xandros to buy Linspire June 19. Carmony includes a scan of the memo to Linspire shareholders announcing the deal, which requires the former Linspire company to change its name. According to the memo, the stockholders voted to change the company's name to Digital Cornerstone, Inc. Despite the wording of the Linspire memo to stockholders, this deal apparently came as a surprise to Carmony and other stockholders. Some here may remember that both Xandros and Linspire signed patent protection deals with Microsoft in 2007."


First Look: Intrepid Ibex Alpha Points to Ubuntu's Mobile Future

The newest alpha release of Ubuntu Linux -- codename Intrepid Ibex -- shows enhancements aimed at improving performance on low-power devices like mobiles and mini-notebooks. In Webmonkey.



GoDaddy VP Caught Bidding Against Customers

A GoDaddy Vice President has been caught bidding against customers in their own domain name auctions. The employee Adam Dicker isn't just any GoDaddy employee; he's head of the GoDaddy subsidiary that controls the auctions. Dicker won some of the domains he bid for, and pushed up the bid price on auctions he didn't win.

too hot fer chasin




dog

too hot fer chasin de cat

Google Gadgets for Linux Announced


Stuck With a Gen 1 iPhone? Flipswap It

plz not to tell teh lolcatz.




dog

plz not to tell teh lolcatz.

Open Wireless and the Illusion of Security

Bruce Schneier is something of a legend in the computer security community. He's the author of the classic, oft-cited 1994 book Applied Cryptography, as well as several well-known cryptography algorithms.

Bruce Schneier knows Alice and Bob's shared secret

The cheeky Norris-esque design above is a reference to the actor names commonly used in examples of shared secret key exchange.

What I find most interesting about Bruce, however, is that he has moved beyond treating computer security as a problem that can be solved with increasingly clever cryptography algorithms:

Schneier now denounces his early success as a naive, mathematical, and ivory tower view of what is inherently a people problem. In Applied Cryptography, he implies that correctly implemented algorithms and technology promise safety and secrecy, and that following security protocol ensures security, regardless of the behavior of others. Schneier now argues that the incontrovertible mathematical guarantees miss the point. As he describes in Secrets and Lies, a business which uses RSA encryption to protect its data without considering how the cryptographic keys are handled by employees on "complex, unstable, buggy" computers has failed to properly protect the information. An actual security solution that includes technology must also take into account the vagaries of hardware, software, networks, people, economics, and business.

This is the programming equivalent of realizing that Peopleware is ultimately a much more important book than The Art of Computer Programming. The shift in focus from algorithms to people is even more evident if you frequent Bruce's excellent blog, or read his newest books Practical Cryptography and Beyond Fear.

As much as I respect Bruce, I was surprised to read that he intentionally keeps his wireless network open.

Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

I've advocated WiFi encryption from the day I owned my first wireless router. As I encountered fewer and fewer open WiFi access points over the years, I viewed it as tangible progress. Reading Bruce's opinion is enough to make me question those long held beliefs.

It's a strange position for a respected computer security expert to advocate. But I think I get it. Security is a tough problem. If you take the option of mindlessly flipping a WPA or WEP switch off the table, you're now forced to think more critically about the security of not only your network, but also the fundamental security of the data on your computers. By advocating the radical idea that your wireless network should be intentionally kept open, Bruce is attempting to penetrate the veil of false algorithmic security.

I may understand and even applaud this effort, but I don't agree. Not because I'm worried about the security of my data, or any of the half-dozen other completely rational security arguments you could make against intentionally keeping an open wireless network. My concerns are more prosaic. I desperately want to protect the thin sliver of upstream bandwidth my provider allows me. Some major internet providers are also talking about monthly download caps, too. Bruce's position only makes sense if you have effectively unlimited bandwidth in both directions. Basically, I'm worried about the tragedy of the bandwidth commons. As much as I might like my neighbors, they can pay for their own private sliver of bandwidth, or knock on my door and ask to share if they really need it.

So, to me at least, enabling wireless security is my way of ensuring that I get every last byte of the bandwidth I paid for that month.

It's worth realizing, however, that wireless security is no panacea, even in this limited role. Given a sufficiently motivated attacker, every wireless network is crackable.

Aircrack screenshot

With that in mind, here are a few guidelines.

  1. WEP = Worthless Encryption Protocol

    WEP, the original encryption protocol for wireless networks, is so fundamentally flawed and so deeply compromised it should arguably be removed from the firmware of every wireless router in the world. It's possible to crack WEP in under a minute on any vaguely modern laptop. If you choose WEP, you have effectively chosen to run an open wireless network. There's no difference.

  2. WPA requires a very strong password

    The common "personal" (PSK) variant of WPA is quite vulnerable to brute force dictionary attacks. It only takes a trivial amount of wireless sniffing to obtain enough data to attack your WPA password offline -- which means an unlimited amount of computing power could potentially be marshalled against your password. While brute force attacks are still for dummies, most people are, statistically speaking, dummies. They rarely pick good passwords. If ever there was a time to take my advice on using long passphrases, this is it. Experts recommend you shoot for a 33 character passphrase.
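As an added example (not code from the original post), here is the derivation that makes the point in item 2 concrete, together with a check of a candidate passphrase against the post's 33-character recommendation. A WPA/WPA2 pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the network's SSID as the salt, 4096 iterations, 32 bytes of output: nothing in that computation is secret except the passphrase (the SSID is broadcast), so once a handshake has been sniffed every guess can be checked offline, and the passphrase's entropy is the whole of the security. The "password" / "IEEE" vector in the test is the published one from IEEE 802.11i; the entropy estimator and its name are my own.

```python
"""WPA/WPA2-PSK key derivation plus a passphrase strength check.

Added example, not part of the original post. wpa_psk() is the standard
802.11i derivation that every client and access point performs; the rest is
a simple strength estimator built around the post's 33-character advice.
"""
import hashlib
import math
import string

RECOMMENDED_LENGTH = 33  # the passphrase length the post recommends


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit PSK (the PMK) as hex, exactly as a client or AP derives it.

    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations slow each guess down but do not add secrecy: an
    attacker with a captured handshake runs this same function per guess.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )
    return psk.hex()


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy: length * log2(size of the character pool in use).

    This treats every character as chosen uniformly at random. A dictionary
    word or a quotable phrase has far less real entropy than this number, so
    use it as a ceiling, never as a guarantee.
    """
    classes = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation + " ",
    )
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def assess_passphrase(passphrase: str) -> dict:
    """Grade a candidate against the post's guidance and return the reasons."""
    bits = passphrase_entropy_bits(passphrase)
    meets_length = len(passphrase) >= RECOMMENDED_LENGTH
    return {
        "length": len(passphrase),
        "entropy_bits_upper_bound": round(bits, 1),
        "meets_length_recommendation": meets_length,
        "verdict": "ok" if meets_length else "too short for an offline-attackable PSK",
    }


if __name__ == "__main__":
    # Constructed sample inputs: the 802.11i test vector and a random 33-char passphrase.
    print(wpa_psk("password", "IEEE"))
    for candidate in ("password", "Tz8#kQ2m!vR7pL4wN9xB3cH6jF1sY5dG0"):
        print(candidate, assess_passphrase(candidate))
```

The design choice worth noticing is that the derivation is deterministic from passphrase and SSID alone, which is also why reusing a common SSID lets precomputed tables apply to many networks at once; a distinctive SSID and a long random passphrase are the two defensive levers WPA-PSK gives you. WPA3's SAE handshake was introduced precisely to remove this offline-guessing property, so a captured WPA3 exchange does not let an attacker test passphrases this way.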

In the end, perhaps wireless security is more of a deterrent than anything else, another element of defense in depth. It's important to consider the underlying message Bruce was sending: if you've enabled WEP, or WPA with anything less than a truly random passphrase of 33 characters, you don't have security.

You have the illusion of security.

And that is far more dangerous than no security at all.


24 Unforgettable Advertisements [PICS]

Collection of unforgettable advertisements from around the world.

Ubuntu 8.10 Alpha 1 released - code name "Intrepid Ibex"

Steve Langasek has announced the availability of the delayed first alpha release of Ubuntu 8.10, code name "Intrepid Ibex": "Welcome to Intrepid Ibex Alpha 1, which will in time become Ubuntu 8.10. Alpha 1 is the first in a series of milestone CD images that will be released throughout the Intrepid development cycle. The primary changes from Hardy

What Happened To Palm?

Ian Lamont writes "Palm's fourth quarter results came out a few days ago, and they were not pretty: Palm reported losses of 40 cents per share, for a quarterly loss of $43.4 million. It's the fourth straight quarter of losses, and it's clear that the company is not faring well in the rapidly evolving smartphone market. The Treo line is lagging after seven years, and while the Centro has done well, it's not well enough to compete with the likes of the iPhone 3G and RIM's surging BlackBerry line. New competition is on the horizon, with developers and manufacturers working on the Google Android platform and the recent news that Symbian is being open-sourced. What happened to Palm? What can the company do to effectively compete in the mobile market, and turn its fortunes around?"


Gate Fail


Thx Anneke


Your atensions




dog

Your atensions I needz it

race ya?


dog

race ya? on da count of 3!

Nvidia says no to free drivers, I say no to Nvidia

So in short, the deal is, you get the card, but the only way to use it is to rent a driver to which you have an incomplete access, thereby making your fruitful use of the card consistently dependent on Nvidia and, quite obviously, therefore limiting the control you as a supposed owner of the card really have over it

Meet the Man Who Could Destroy Photography

Julius von Bismarck's 'Image Fulgurator' projects stealth images into the photographs of strangers, while keeping those images invisible to human eyes. Depending on whom you ask, it's either a clever hack or an obnoxious intrusion. Naturally, we had to find out more.

5 Ways to Make Your Company Gen Y-Friendly

Facing a potential onslaught of baby boomer retirements and a smaller pool of Generation X employees to replace them, IT managers who want to create or sustain a Best Place to Work environment will need the additional help of another group of professionals: Generation Y.

IsoHunt Goes Secure, Adds SSL Encryption

ISPs and authorities increasingly use Deep Packet Inspection hardware to block access to BitTorrent sites, or spy on users’ browsing habits. To offer its users more privacy, isoHunt has now added SSL encryption, making it impossible for your ISP or the authorities to monitor your activities on the BitTorrent site.

Twitter Conversations Come To A Screaming Halt; Users Simply Move To Friendfeed

A key feature of Twitter has bee

Elevator Pitches, Now Ready For Your Uploads

Earlier this month we launched

Gates' Last Day At Microsoft

mrogers writes "Today is Bill Gates' last day as a full-time employee of Microsoft. After 33 years at the company, the one-time richest man in the world will be retiring at 52 to spend more time guiding the charitable Bill and Melinda Gates Foundation. What would you buy him as a retirement gift?"


LOOK!




dog

LOOK! Dentist sez no cabities!
