Blackadder: How did you manage to find a firewall that cost six billion dollars?
Baldrick: I had to haggle.
99 posts • joined 14 Jul 2009
They are getting this in early to soften the reaction. Soon they will be tracking eye movements, which will allow them to monitor how you respond to profiling and advertising stimuli.
Down the line they will probably be adding electroencephalogram (EEG) hardware, which on face value will allow users to control things 'with their minds!... cool dude!' but on closer inspection will be providing Facebook with a large and very deep dataset that could not get more personal.
The value to purveyors of goods / politics / religion / etc.. will be vast, and IMHO very dangerous.
Sounds like you have set up what I had in mind with the phrase 'Do-It-Right'.
Yes - although most companies don't MITM certain traffic (like banks etc) - they recognise that that would be seriously unethical.
That does present an ethical issue, however maintaining a whitelist of 'good banks/sites' creates its own problems.
Sure you can set up a whitelist for current UK high-street banks, not that hard, but what if they change URLs/CAs (often banks use 3rd parties etc.) and what about discrimination against employees using overseas or boutique / sharia banking.
You are also trusting the 'good/private' sites to never be hacked, never have their DNS/CA hijacked, never spread malware, not provide a vector for data exfiltration etc..
The MITM policy should be clearly defined and can be made ethical by limiting functions to base URL logging, IPS/threat scanning & DLP scanning without logging non-flagged content (who wants to wade through that lot anyway?)
Yes, as I said, without automation such tasks are a P.I.T.A. and therefore generally won't get done unless they are 'must do' tasks or linked to some KPI.
Also, installing the cert is not really the issue; it's getting it signed securely without automation. As has already been mentioned, it is not that hard to set up an in-house PKI and automate signing host certs.
Did I mention, I am a big fan of automation.
I would tend to agree, although in corporate environments the only root CA the clients need to trust is the in-house root, or better still, an intermediate signed by the house root CA. Everything passing through the proxy to the Internet will be getting re-signed with this for IPS/DLP and general BOFH activities anyway.
That way you only need to worry about external trusted CAs policy on the proxy.
Many appliances have self-signed certs (Network Hardware, LOMs etc). By implication you suggest that admin/trusted client machines are not restricted; the Do-It-Right approach would be to replace the appliance public key with one signed by the house cert/intermediary. OK, someone will need to login initially to configure that, and I admit without the proper automation it would be a serious P.I.T.A. to admin, which is the reason it is the exception rather than the rule in most estates.
But that is just for corporate environments, and the published trust log will be useful to both corporate admins (the proxy still needs to know who to (not) trust) and diligent home users.
There is a tendency to fixate on certain systems and languages in courses. CompSci is to hardware and languages as Astrophysics is to telescopes.
I have a CompSci degree and have worked in systems and network engineering for over 15 years, and I was an enthusiast from an early age, so it is a subject I enjoy. While I can't say I use everything I learnt on the course day to day, I find the mental disciplines and things like complexity theory (O notation) extremely useful.
Also people need to understand that completing a degree course does not mean you stop learning, in fact it is the opposite. You just gained a load of tools to help you learn, and you just started!
There is a tendency today to just throw more hardware at problems which could be solved by thinking and improving the algorithm, for example using techniques to reduce the amount of I/O. As opposed to 'Needs more Cowbell!'.
If companies knew/considered the vast amount generally wasted on over-engineered systems, they might see CompSci skills as more of an asset.
Now I have not needed to configure a Cisco ASA for a while, so things might have changed, but if I recall the firewall could be managed fine without the ASDM from the CLI.
The ASDM is a java applet that is downloaded to a web browser to provide a GUI-like interface, but I always used the CLI / scripts to manage the firewall rather than the ASDM.
In most cases, not just Cisco, the version of software loaded on the flash almost always should be replaced with either a more up to date version or the 'estate approved' version, so I guess that was why it was not really a big issue for most folks.
+1 for Rockall
Lord Kennet said of it in 1971, "There can be no place more desolate, despairing and awful."
And that was before Theresa the Terrible takes up residence.
Apart from on-line, I tend to use cash for everything; apart from the privacy implications, I know exactly how much I am spending based on a simple visual inspection of my on-person beer token container.
Yes, that cash usually comes out of an ATM, but all they know is I took out a hundred or two and (maybe) spent it!
802.1x has been around for a very long time (in relative tech time), as have many other technologies (anti-spoofing filters, IDS/IPS/DLP, firewalls, anti-malware, automatic security update patching etc.) that would improve security dramatically *if* deployed correctly, and monitored rather than just purchased as some sort of magic talisman, which is then left either not configured or poorly tuned, resulting in it either not working or being routinely ignored for being 'too noisy'.
Which, sadly, from what I have seen is the 'normal' in far too many places.
Good security is more about attitude and culture than tech IMO.
(Also overly restrictive security that gets in the way of people doing their jobs, makes people do silly things, sometimes creating vulnerabilities!)
When opposing this mass surveillance I don't think arguments on cost (it's not their money) or civil liberties (most people don't care, so politicians don't care) will work.
I know it is playing with fire, but maybe since I have no doubt this will easily cost upwards of £2 billion we make full use of the capability.
A new body, a combination of the Independent Parliamentary Standards Authority, Independent Police Complaints Authority and a general watchdog covering the entire public sector, should be given full access to the 'request filter' and given the mandate to pro-actively seek out and expose corruption and scandal. Maybe headed by some Joseph McCarthy / Matthew Hopkins zealot so we really get our money's worth.
Might focus our legislators' minds a little.
Most ISPs look at statistical flow data, which is based on a sample of traffic, maybe 1 in every 10,000 packets or maybe less on high speed links (10/40/100Gbps).
They do not see every packet and therefore can't track individual connections; what seems to be required by the proposed legislation is deep-packet inspection (as they seem to want to examine the protocol and payload for URI logging) on every packet. I suspect politicians have seen some graphs of traffic classified by type, put 2 and 2 together and made 5.
The problem with DPI is that it will add a significant cost to the connection, a cost that is related to the speed of the connection.
Apart from the privacy nightmare this entails, it will result in the UK being stuck in the Internet slow lane, as your ISP now has to cover the costs of DPI (which scale with throughput): they have to spend money on snooping instead of shipping traffic.
It will however push adoption of the likes of HTTPS and DNSCrypt (you still have an issue with which CAs to trust).
In short it will end up as a white elephant.
Indeed, or to use an analogy..
Ok, this plane has a 1% chance of exploding, but will get you there in 4/5 the time and 1/2 the cost. Sounds like a good bet?
Fine, here is your itinerary, erm... please note the 30 flights (26% chance of high altitude fiery death), still happy with those odds?
How do you make a small fortune trading stocks & futures?
Well, first you start with a large fortune...
I think he would have more money if he stacked it in the corner and occasionally sprayed it for bugs. The only reason he has a fortune at all is he was given it, squandered most, but managed some lucky timing on property.
IANAL, but given the situation he would probably be best off keeping his mouth shut. (good idea when you don't know the legal situation)
Given the highly dickish (legal term?) attitude of the company in question, he could risk them interpreting his professional concern as blackmail, 'keep me on, or you will face a huge bill'.
Of course they would be very unlikely to win in court, but legal troubles are the last thing you want, especially when looking for employment.
Besides, as has been previously mentioned, the magnitude of an ISDN bill down the line would likely be the last thing on his mind.
In short not his problem, treating people with courtesy and respect is never a bad idea.
I think I preferred it when they were 'oblongs', but they became 'rectangles' when I left primary school. Shame.
If you are going to be good at anything in life, be a good liar. That way, you are good at everything!
The inefficiency of bureaucratic armies is great and slightly amusing, right up until they get their dream wish, which is to move from a "permitted unless proscribed" to a "prohibited unless licensed" model.
Then we are all fsck'd.
One of my favourite scenes in HHGTTG sums up how I think most of these meetings go.....
CHAIRMAN: Listen! I would like to call to order the five-hundred-and-seventy-third meeting of the colonization committee of the planet of Fintlewoodlewix. And furthermore -
FORD: Oh this is futile! Five-hundred-and-seventy-three committee meetings and you haven’t even discovered fire yet!
MANAGEMENT CONSULTANT: If you would care to look at the agenda sheet -
GUY: Agenda rock, yes…
FORD: Oh, go on back home or something will ya?
MANAGEMENT CONSULTANT: …you will see that we are about to have a report from the hairdressers fire development subcommittee today.
HAIRDRESSER: That’s me.
FORD: Yeah well you know what they’ve done don’t you? You gave them a couple of sticks and they’ve gone and developed them in to a pair of bloody scissors!
MARKETING GIRL: When you have been in marketing as long as I have, you’ll know that before any new product can be developed, it has to be properly researched. I mean yes, yes we’ve got to find out what people want from fire, I mean how do they relate to it, the image -
FORD: Oh, stick it up your nose.
MARKETING GIRL: Yes which is precisely the sort of thing we need to know, I mean do people want fire that can be fitted nasally.
CHAIRMAN: Yes, and, and, and the wheel. What about this wheel thingy? Sounds a terribly interesting project to me.
MARKETING GIRL: Er, yeah, well we’re having a little, er, difficulty here…
FORD: Difficulty?! It’s the single simplest machine in the entire universe!
MARKETING GIRL: Well alright mister wise guy, if you’re so clever you tell us what colour it should be!
- Hitchhiker's Guide to the Galaxy - Douglas Adams
Although sad to say the vast majority of people don't really understand the issues, many people do care or did care. I say did care, they probably still do, but are suffering from fatigue; the powers that be will keep resurrecting these proposals until they pass, either in whole or as many parts to be assembled later by statutory instrument or generous legal interpretation.
Many that have had the 'pleasure' of seeing the physical inner workings of a UK ISP will know the technical capability has been well established for over a decade.
I repeatedly explain to the 'nothing to hide, nothing to fear' brigade, that I am not that bothered about my Internet activity being examined by the security services, it would be a rather boring waste of their time and our money. I do however want it to be possible for those with power, state authorities and corporations to be held to account when they break the law or act against the public's interest.
At present you have to be pretty dedicated / insane to be a whistle-blower, when it involves any part of government or secret sweetheart deals between big business and government, usually backed by the old revolving door. As HMRC has shown they are happy to use the apparatus of the state, sold to the public on the basis of protecting them from terrorism, to track down those telling the public of private tax deals.
The surveillance is here, it is not going away, it is going to get more pervasive and capable. All we can do is press our so called elected representatives for accountability. I have written to my MP three times over the years, always reasoned and polite about the need for oversight.
I only ever received one response which was clearly a stock letter saying that 'there are threats the public are not aware of, and just accept that these powers, although vaguely defined are for my own good'
I must admit fatigue has begun to set in, my MPs clearly don't see it in their interest to fight the tide, and as we move ever closer towards more Corporatist government the best policy might be just to be mindful of what I say and not draw attention to myself. I don't want to be secretly classified as a 'non-violent extremist', whatever one of those is.
Indeed, one of the big issues raised by the 'licence to hack' is that once a computer is compromised, it is just as easy to upload as it is to download.
As I think has been mentioned in Snowden documents, there is the possibility to upload 'multimedia content' that will result in the target's reputation, social standing and even liberty being taken / destroyed.
I don't have to spell out what that means. Any state hacking needs to be subject to total monitoring and oversight by totally independent authorities, preferably working under double-blind conditions.
It seems to me that for just about every terrorist atrocity committed in the west, the perpetrators were known to the security services for some considerable time; warranted monitoring of targeted individuals and websites can be done within the existing laws and with considerably less legal/moral issues, monetary expenditure and technical problems than implementing ubiquitous surveillance of the entire population.
This is about something else, money, power and control.
You don't need a tin foil hat to see the money angle, the amounts of taxpayer money being funnelled into this will be huge, hopefully (in the eyes of the beneficiaries) replacing that of traditional military spending, which is proving increasingly difficult to justify without actually fighting wars. Wars are proving to be more complex and problematic than they once were. Often it is the same security cleared defence contractors that will be supplying the surveillance infrastructure instead of weapons.
The power and control angle may seem a little more towards the metallic lined headwear brigade, but it is not hard to see that the world economy is going to be seeing some rather significant 'rebalancing' as globalisation advances. Increased unrest is a likely outcome, so it will become increasingly important to control the public narrative. To this end it will be necessary to monitor the public mood and to disrupt and eliminate elements that threaten the official narrative; campaigners, labour unions, activists, journalists, whistle-blowers etc.
That is why surveillance has to be ubiquitous and unaccountable, not targeted or accountable.
I too have fond memories of the Amiga, I loved how open the platform was (especially for the time). I spent many an hour writing code in 68000 and C and abusing the hardware, timing my code in raster lines, and my first Internet usage, with KA9Q then AmiTCP.
Today Linux is my weapon of choice, but it was the Amiga that set me on my way!
Is it sad that I remembered my favourite hardware register, 0xdff058, almost quarter of a century later without having to google?
From experience, IR cameras are great for finding hot spots, (they are also great for finding overloaded power lines), but generally not necessary, just about every enterprise class server/network appliance is packed with temperature, power draw and fan speed sensors.
Of course if you can't be bothered to poll them they are not a lot of use.
I would have thought a hybrid solution would work: using fibre to connect main nodes, as fibre can be run parallel to the mains cabling without issue, they could maybe share ducts.
Then power-line networking over the existing power lines from the main nodes to adjacent lamp post tributary nodes. May need isolation transformers (not sure what the efficiency loss would be) to isolate mains segments to prevent CDMA collisions killing throughput; there may also be an issue with the lamp posts acting as RF antennas and leaking interference all over the place.
Noisy ballasts on the lamps may cause interference, but they could upgrade the lamp to a nice efficient low-noise LED unit while they are installing the cell.
I am sure there are things I have not thought of, I am not an expert in street lighting.
My experience is very similar to yours. I am in my early 40s, and while I am not that worried for myself, I see problems ahead for the industry and the businesses that depend on us.
Although I never lose my rag with the poor sod that answers the phone when I have to call a NOC, it is deeply frustrating to endure delays and to jump through hoops and SLA games.
When I find a provider that values their frontline, I go out of my way to support the business case for using them, even at a premium, because it's in my and my employer's interest.
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.
-- Douglas Adams, Mostly Harmless
There is always going to be a requirement for people that understand how it's actually working, although we are already seeing the entry level roles going either via automation or outsourcing. The big problem is how a young worker gets to establish skills and experience without those jobs.
I guess it's Christmas, title says it all.
Hmm, I don’t believe the ‘Intelligence Community’ when they wheel out the ‘we are here to save you from the paedophiles’ line.
Say, for example, an intelligence organisation uncovered conclusive evidence of paedophile abuse and even murder perpetrated by powerful individuals, are they going to 'bring that person to justice', or use what they know to control that person and the power they wield as an 'asset'? Blackmail is major currency in intelligence.
On the other hand, say that individual is of no real consequence (as an asset, of course it is of major consequence to the victim(s)), would they bring them to justice and risk compromising their precious techniques?
While I support the idea of Net Neutrality in principle, I don’t believe it can be achieved with this kind of regulation. The problem is still basically last mile monopoly. It has clearly been shown in the article that these monopolies are able and quite prepared to spend huge sums on ensuring regulatory capture in their favour. (That this is possible and frequent is part of a much bigger problem with our political systems)
I think that the system in the UK where the incumbent was required to provide wholesale access to its last mile infrastructure, within a regulated price structure, while not being perfect has proved much more workable.
By allowing competition and more importantly customer choice, if telco X decides to go rent-seeking by hobbling its service it is likely to lose customers to rivals offering a superior service.
In many areas this has been surpassed by rival last mile infrastructure being built, but without that initial lowering of the barrier to entry, and the ability to provide ‘off-net’ coverage, those rival infrastructures would likely have never been built.
Real competition is the key.
Monopoly & Regulation (captured) vs. Competition
Maybe the subtle sound of a megaphone shoved into a nest of angry bees gave the game away?!
I think this is a case of the 'circular filing cabinet' being upgraded for the digital age.
I remember watching films when I was a kid. They were set in the wild west, and there would be a bank/stagecoach/train loaded with dollars, then some guys in black hats would turn up and steal the dollars.
Later some dude(s) in a white hat(s) would come along and sort it all out.
Even redacted that much could still be re-identified if details of a few previous addresses were included. Include data such as time off work / hospital stays, more pieces of the jigsaw fall into place, the list goes on.
decimal point error, oops
500,000 / 43,000,000 = ~a fine of 1p per record (maximum)
I suspect this data is worth much more than that to insurers.
"He said if scattered pieces of such data could be assembled, like a jigsaw, to identify a specific individual, for example, then the firm responsible would face a fine of up to £500,000 from the Information Commissioner's Office."
Half a million cap on the fine, and no possibility of a custodial sentence. Compared to the value this data set has, half a million pound fine could simply be put down as the cost of doing business.
Once that data set has been re-identified and distributed, the damage is done.
500k puts the value of each record at around 10p, I think the data is worth a bit more than that!
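The jigsaw re-identification the posts above describe (previous addresses and time off work narrowing a 'redacted' record down to one person), as an added example that is not part of the original posts. The extract and the auxiliary list are constructed here for illustration; every field, value and name is an assumption, and no real dataset is involved.

```python
"""Added example (not from the original posts): a linkage attack on a
'redacted' medical extract. All records below are constructed; every field
name, postcode and date is an assumption for illustration only."""
from collections import defaultdict

# Constructed "anonymised" extract: NHS number stripped, postcode cut to the
# outward code, age banded. Previous addresses and admission dates retained.
REDACTED_RECORDS = [
    {"id": "r1", "outward": "SW1A", "age_band": "40-49", "sex": "M",
     "admitted": "2013-03-04", "prev_outward": ["E14", "SE1"]},
    {"id": "r2", "outward": "SW1A", "age_band": "40-49", "sex": "M",
     "admitted": "2013-05-10", "prev_outward": ["E14", "N1"]},
    {"id": "r3", "outward": "SW1A", "age_band": "40-49", "sex": "F",
     "admitted": "2012-11-20", "prev_outward": ["SE1"]},
    {"id": "r4", "outward": "M1", "age_band": "30-39", "sex": "M",
     "admitted": "2013-03-04", "prev_outward": ["M4"]},
]

# Constructed auxiliary data an insurer or employer could plausibly hold:
# current postcode, age, sex, a known previous address, sick-leave dates.
AUXILIARY = [
    {"name": "A. Person", "outward": "SW1A", "age_band": "40-49", "sex": "M",
     "prev_outward": ["E14"], "off_work": ["2013-03-04"]},
    {"name": "B. Person", "outward": "SW1A", "age_band": "40-49", "sex": "M",
     "prev_outward": ["N1"], "off_work": []},
]


def quasi_key(rec):
    """The quasi-identifiers left in the 'redacted' data."""
    return (rec["outward"], rec["age_band"], rec["sex"])


def equivalence_classes(records):
    """Group records sharing quasi-identifiers; class size is the k of k-anonymity."""
    classes = defaultdict(list)
    for r in records:
        classes[quasi_key(r)].append(r)
    return classes


def min_k(records):
    """Smallest equivalence class: k=1 means someone is already unique."""
    return min(len(c) for c in equivalence_classes(records).values())


# Each cue is one extra jigsaw piece the attacker happens to know.
def cue_prev_address(rec, person):
    return set(person["prev_outward"]) <= set(rec["prev_outward"])


def cue_absence(rec, person):
    # No sick-leave dates known: the cue cannot exclude anything.
    return not person["off_work"] or rec["admitted"] in person["off_work"]


def narrow(records, person, cues):
    """Apply cues in turn; return the candidate ids after every step."""
    cands = list(equivalence_classes(records).get(quasi_key(person), []))
    trace = [[r["id"] for r in cands]]
    for cue in cues:
        cands = [r for r in cands if cue(r, person)]
        trace.append([r["id"] for r in cands])
    return trace


def reidentify(records, aux, cues=(cue_prev_address, cue_absence)):
    """Map each known person to the narrowing trace of matching record ids."""
    return {p["name"]: narrow(records, p, cues) for p in aux}


if __name__ == "__main__":
    print("min k:", min_k(REDACTED_RECORDS))
    for name, trace in reidentify(REDACTED_RECORDS, AUXILIARY).items():
        print(name, " -> ".join(str(step) for step in trace))
```

On the constructed data the quasi-identifiers alone leave two candidates for both people, one previous address settles B, and a single matching sick-leave date settles A; truncating the postcode did nothing once the extra cues were available.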
Indeed, but I was thinking of making it more aggressive. At the point of being denied your viewing due to insufficient bandwidth, a page to say, "Hey your ISP is crap, why not move to one of these..", but I guess that does the trick if people care to look.
Internet connectivity between participants is done several ways.
The most costly per megabit is to use a tier-1 transit provider. This method is great for getting access to "the whole internet". It is relatively expensive because that transit provider has to build and maintain global infrastructure. Tier-1s may offer reductions in charges for a number of reasons; balancing flows that are of interest to their other customers and regional distribution models are typical.
The second is mutual peering, and is much cheaper. This is where two organizations agree to connect for their mutual benefit. This may be by directly connecting their networks or go via an Internet exchange point, such as the LINX, AMS-IX etc. Bandwidth on exchange points can be orders of magnitude cheaper than global tier-1 transit.
The third option is co-location, this is where a content provider places equipment in or near the subscriber provider's network.
Historically ISPs and content providers have worked together to keep their customers' cash flowing in and reduce their infrastructure costs, but as ISPs become content providers they have an interest in throwing up barriers to the competition. This is not a problem if there is a truly competitive market and subscribers can vote with their wallets, but in a monopoly situation consumer choice ends up being restricted.
I think Netflix would love to do that, but the major ISPs want Netflix to pay them major coin for the privilege. :(
I would be monitoring bandwidth by provider, and implement a form of session admission control.
If a provider gets congested, I would look at my database of alternative carriers in the area and serve up a splash page advising the customer that their provider has insufficient capacity for Netflix that would both protect existing streams and provide adverts for rival ISPs in the customer's area with click through to start the migration process.
Of course the US market may not have sufficient competition to support this, in which case we have a monopoly / cartel situation, and the network providers have their customers and the OTT providers by the short and curlies.
"but it'll be very naughty and against the law for anyone we give it to to misuse it"
But not so naughty that anyone will ever go to jail for misusing it :(
FSO and millimetre wave are interesting in that while they have the same latency as microwave, they offer much higher bandwidth. The trade off is that they don’t propagate as far as microwave before they need repeating, having a tower every 10km vs 30-40km.
Systems offering a combination of millimetre wave and laser are now available. They have the advantage that while both are affected by atmospheric conditions, millimetre wave is badly affected by moisture (rain, fog) while laser is less affected by moisture but is affected by scintillation (heat haze); since these conditions rarely occur together, hybrid systems provide a much more reliable signal.
"What actually remains to be seen is what the taxman thinks about Ulbricht having these Bitcoins which, even before the value recently ballooned, were worth a substantial sum"
Indeed, it was the taxman that really cooked Al Capone's goose.
If asset forfeiture works the same in the US as it does in the UK (PoCA), now 'The Assumption' has been made that Ulbricht led a 'Criminal Lifestyle', anything and everything in Ulbricht's possession is subject to seizure.
Even if they fail to convict him of a crime, under the forfeiture laws the burden now rests on Ulbricht to prove with documentation how the items and funds were acquired by legal means with the appropriate taxes paid in full.
This could be interesting from a Bitcoin perspective, because you need to prove where they came from to avoid forfeiture. I suspect this will be the legal method of choice for dealing with Bitcoins.
Once a court has granted a forfeiture order, unless you can either strike out 'The Assumption' by proving you are not a criminal (being found innocent of the charges helps, but may not be enough) and that everything seized can be accounted for legally, then sorry, it belongs to the state now.
and while we are at it can we have a 16KB USB memory module a little larger than a pack of cigs that crashes the machine after hours of finger punishing code input, just because you gave it a funny look?
Nostalgia, it's just not as good as it used to be.
I had to arrange for a customer service/helpdesk number for a company I previously worked for. I knew most of the customers used mobiles, so I specifically avoided 0845/0800 numbers due to the take-the-piss rates charged by the mobile companies.
We needed a non-geographic number so we could switch call center in case of a business continuity event (i.e. building on fire etc..,) 0330 numbers are charged at normal call rate from landlines and mobiles and are included in bundled minutes, so seemed the natural choice.
"I don't remember exactly how, but essentially putting in massive buy and sell orders that you have no intention of fulfilling is a way to identify areas of weakness that can be exploited for quick profits."
The jargon term for this is flash orders (orders that only exist for milliseconds, well away from the spread), the intention being to either overwhelm the trading systems of other participants with data volume, or confuse their algorithms into thinking the market is behaving differently than reality. In many jurisdictions flash orders are deemed a form of market manipulation and therefore banned.
Since flash orders cost the exchange money in terms of having to build infrastructure able to handle this huge volume of orders that will never match, hence no commission for the exchange, most have introduced punitive charges for excessive volumes of unmatched trades. This mostly killed this behaviour off before the regulators got involved.
"Over that time, markets have evolved dramatically through the processing power of today’s technology – with execution times measured in milliseconds and microseconds – as well as widespread retail investor participation in the markets, decimalisation, the exponential growth of daily trading volume, and the for-profit status of the securities exchanges."
Most people raging against HFT have a picture of electronic trading that is somewhat unrelated to reality.
The speed of transaction has been driven up by many factors that have little to do with people making money from micro price movements. Admittedly HFT has seen a lot of purely parasitic trading in the past, however through regulation and exchanges changing their pricing structures to discourage huge volumes of un-matched trades being blasted through their infrastructure, this activity has declined sharply.
The move away from open out-cry exchanges (loud wide-boys in loud jackets trading by shouting and hand signals) to electronic trading has allowed more transactions to be completed per trading day. This has allowed decimalization of the market, whereas before, shares or instruments could only be traded in large lots, typically 100,000 of whatever you were trading.
Trades can now be performed for any volume and matched against a counter-party directly as a partial fill. This has been made possible by the speed and accuracy of electronic systems.
By removing the need to have chains of brokers to aggregate investor trades into lots, this makes it practical to facilitate direct market participation by small and retail investors.
Before, if I wanted to invest in something, I would be unlikely to afford a standard lot (100,000) of whatever, so I would go to a broker; they would look at their house book, and if they had the shares in their inventory they would sell me a number of shares at a price that results in a profit for them, otherwise they would buy a lot on the market and sell me the required quantity. They would of course charge a premium on their purchase price to cover their commission and risk (they would be left holding the remaining shares).
Also instead of a few national exchanges there is now a multitude of exchanges, MTFs and ECNs (all really the same thing at a basic level, but there are different regulatory rules).
These private exchanges need liquidity to attract customers, so they bring in traders called Market Makers. These folks are obliged to provide a bid/ask price within a certain spread for all the instruments they are contracted to 'make the market' for; an exchange will have multiple market makers all competing against each other for trader business, so the real time competition between market makers has dramatically reduced bid/ask spreads.
Most of the the responsibility for the credit crunch was down to misrepresentation of their credit risk by banks, and had nothing to do with electronic trading, high frequency or otherwise. Of course HFT is not generally understood, so it makes a good scape goat.
Banks begrudgingly accept it is there and they have no choice. HFT has already resulted in significant removal of middle men from the trading business, and threatens the banks' oligopoly by allowing greater market participation.
Politicians always need something to blame other than themselves, so rather than admit to massive regulatory failure in credit markets, they would rather blame something few people understand.
In my view the benefits of high performance electronic trading outweigh the downsides.
I await your down-votes.