Berkeley CSUA MOTD:2000:June:14 Wednesday <Tuesday, Thursday>
Berkeley CSUA MOTD
2000/6/14-16 [Computer/SW/Security] UID:18465 Activity:high
6/14    I have written a program that "pipes" port1 to port2 on a machine
        [so if you do say telnet foo 25 that can automatically send to
        to port 19, chargen].  Is there a way to grab all the unbound ports
        and map them to chargen, to deter people scanning my machine?  Will
        that be an expensive program to run?  I don't want to launch one
        version of the process for each port.  Thanks!
        \_ Why are you even doing this?  You're reinventing the wheel.
           Just use the IP firewall rules built into your OS to port
           forward a range of ports.
                \_ I want to turn this on and off.  Also not all OSes support
                IP firewall.  Would like to do this at the application level.
                Can you tell me how to listen on all the unbound ports like
                \_ Sheesh, get a real os.  What are you using?  win 3.1?
                   \_ It's actually a vintage box; running a hacked-up
                      TCP/IP stack for CP/M. I'm using it as a low-load
                      web server
                \_ inetd doesn't listen on all unbound ports - it listens on
                   the ports listed in inetd.conf.  You could write a program
                   that looped through all possible port numbers and bound them
                   (if your OS supports opening 64k fd's in a single process)
                   but that would prevent any other app from being able to bind
                   a listening port.
                        \_ N0H0ZERZ!
                \_ If the ports are unused what's the big deal?  You can't stop
                   a scan.  And if you have insecure services running on other
                   ports, your program won't help that either.  What are you
                   trying to do?  What's the point?  Your program won't do
                   anything useful for you.
        \_ An easier thing to do is run FreeBSD 4.x and in /etc/rc.conf set
           tcp_restrict_rst="YES"  This will cause connections to ports with
           nothing listening to hang until timed out.  This pretty much kills
           portscanning.  --dbushong
                \_ Who cares?  Let em scan.  Security through obfuscation and
                   irritation is not security.  You're only slowing down the
                   \_ If you don't believe in "security through obfuscation"
                      you won't mind sharing all your passwords with me.
                        \_ That's different.  A password is obscure in a
                           way that in order to crack it, you need to
                           try a bunch of random combinations before you
                           can get it right.  Security through obscurity
                           is where a backdoor exists but you just hid it
                           somewhere.  It's the difference between a key
                           to your house and hiding that key under the mat.
                           The key is like the password.  Hiding the key
                           under the mat the the obscure part.  Obviously,
                           most prowlers will usually look under the mat
                           first before actually cracking the windows.
                        \_ A password is not obfuscation.  Hiding your buggy
                           service on a random port and making it hard to scan
                           is obfuscation.  Given a few extra minutes your
                           s00per sekret buggy service will turn up.  My ssh
                           passphrase won't.  You know I could give you my
                           ssh passphrase and it won't help you get into any
                           of the machines I run but you wouldn't undersand
                           why.  Damn, it's so sad there's no real ugrad
                           security classes.  It shows.
                        \- i was thinkign about writing a something to wedge
                        the iss scanner specifically. am trying to decide
                        whether to do it at a tcp level [long time outs etc.]
                        or generate random data on port 80, when talking to
                        nfsd, mountd etc. i am also thinking about using
                        xinetd. would be interested in more discussion on
                        this. --psb
2000/6/14-16 [Computer/HW/Drives] UID:18466 Activity:moderate
6/14    What's the difference between DVD ROM and DVD RAM?  Is DVD RAM a
        writable DVD?  In the same way CD-R/RW are writable?  -DVD ignorant
        \_ Like CD-RW, not like CD-R.  --PeterM
                \_ Thanks!
        \_ DVDRAM also comes in a casing, like a floppy or MD
        \_ DVD RAM vs DVD RW: FIGHT!
2000/6/14-16 [Uncategorized] UID:18467 Activity:nil
        Master Rob Pike has spoken
        \_ pike off, taffer
2000/6/14-16 [Consumer/Camera] UID:18468 Activity:nil
6/14    Has anyone developed film onto KodakCD? How is the quality?
        \_ When you say "KodakCD", do you mean PhotoCD (their "pro" product),
           or PictureCD (their cheaper "home" product)?  With PhotoCD, you get
           back your images scanned at 5 different resolutions, the highest of
           which is 2000x3000. With PictureCD, you get a single 1024x1536 scan
           of each image. I've never used PhotoCD, but I've gotten a PictureCD
           with each roll of film I've developed while in Europe so that I
           have an easy way of sharing vacation pics on the Web. It works well
           for that -- decent resolution, decent contrast/color balance, no
           problems with added dust and scratches. I usually only have to do a
           crop and some minimal brightness/contrast twiddling for each image
           I want to share. Search for both product names on to read
           about the respective experiences of others.  -- kahogan
2000/6/14 [Computer/SW/Database, Industry/Jobs] UID:18469 Activity:very high
6/12    \_ uctt, are you a contractor? what do you do?
        \_ full time employee at my own startup now. never contracted in my
           life.  but i did spent some time in big 5 consulting managing
           various e-Commerce projects and our team of consultants from big
           5 was always much better than the employees in the client company
           (that's why they were paying us $275-$350/hr to be there) -uctt
                \_ No.  They were paying that so management could have someone
                   to blame when it all falls to shit.  No one pays you more
                   because you're more skilled.  They don't have a basis to
                   judge your skill level.
                        \_ of course that's a big part of it.  we'll take
                           the blame if it all "falls to shit".  it's called
                           taking RESPONSIBILITY and i'll take the
                           responsiblity for a project in exchange for the
                           big bucks that they have to pay us.  i've
                           met morons in consulting.  i've met a lot more
                           morons that work as full time employees for the
                           client. -uctt
                           \_ You know why that is, right? The companies
                              that don't need your expertise don't hire
                              you. If there's a better staff in house then
                              likely they'll go with that. Granted,
                              sometimes management does stupid things
                              anyway, but I bet this helps explain your
                              experiences. --dim
                                \_ Holy cow!  I find myself agreeing 100% with
                                   dim.  Hell has just frozen over.
                                   \_ I think it's a great idea to hire
                                      consultants when the current staff
                                      is better.  What's the matter with
                                        \_ Sorry, what was I thinking.  I'll
                                           call uctt right away to pay more to
                                           get less.
                        \_ that's why nearly all of the largest and *best*
                           companies in the world employs a large number of
                           consultants.  why doesn't sun, cisco, microsoft,
                           oracle, hp, ibm, etc... all just hire the best
                           talent and do all of their work in house?
                           certainly they have the money to hire pepole
                           right? why do they have consulting companies in
                           there if the consulting companies easily cost 2x
                           as much as their normal employees?  oh...b/c
                           you know something that bill gates, john
                           chambers, scott mcnealy, larry ellison, etc.
                           doesn't know right? -uctt
                           \_ Your definition of "best" is what?  You mean the
                              way IBM took a huge fall in the 80s?  The way
                              Sun, Oracle and others needed the DoJ to level
                              the playing field?  The way HP is falling apart?
                              Or that Cisco had to buy Arrowpoint because they
                              couldn't build their own load balancing switches?
                              You're confused.  Big != better.  The *best*
                              companies are the ones you've probably never
                              heard of.  You'll know who they are 5 years from
                              now.  These large but not best companies use
                              consultants because the *best* people wouldn't
                              work for them at any price.  I'd be ashamed to
                              have IBM or Oracle on my resume.  The *best*
                              people have all left these giant ugly slow beasts
                              for startups.  It's still happening today.  Don't
                              spend too much time convincing yourself how great
                              you are.  The day you meet the people working
                              for the *best* companies will be the worst day of
                              your life as your giant ego comes crumbling and
                              tumbling down and all of IBM's horses and all of
                              Oracles men won't be able to put it back together
                              again.  The emperor wears no clothes.  I know the
                              exact same thing your top 5 list of CEOs knows:
                              that their employees suck, they can't hire the
                              best so they have to pay vampires and leeches to
                              do it for them and just pass along the costs to
                              their customers.  It's people like you that make
                              software and hardware so expensive for no real
                              reason.  You're not a value-add.  You're a value
                                \_  who are you???  Preach it brother!  you rock.
                                    - anonymous#1fan
                                        \_ Thanks.  Just calling it like I see
                              \_ Uh ... gee!
                              \_ so what are the best companies right now
                                 that i haven't heard of but i will hear
                                 about 5 years from now?  and why is it that
                                 most of the upper level executives in large
                                 corportations have worked in consulting at
                                 some point in their careers?  just name a
                                 few of these companies and we'll continue
                                 the discussion... -uctt
                                 the discussion...but i can tell you right
                                 now that either their executive staff is
                                 made up of former consultants, many of
                                 their developers are former consultants, or
                                 they just don't have enough cash for
                                 outside consultants....YET.  all of the
                                 successful companies have used consultants
                                 very heavily and they cannot all be wrong.
2000/6/14-16 [Health/Eyes] UID:18470 Activity:high
6/14    What do the 20's in "20/20 eyesight" mean?  Thx.
        \_ It means they're violating Starbucks' trademark, since they have
           'Venti' copyrighted, or whatever.  If any optometrist ever drinks
           coffee, they're opening up themselves to one hell of a suit.  -John
        \_ Isn't that new technology neat? -- ilyas
                \_ tell of us the stars....
        \_ a standard vision test is given at a distance of 20 feet.  if
           your vision is "20/30", you can read at 30 feet what a normal
           20/16, you can see at 16 feet what a normal eye sees at 20
           eye would see at 20 feet.  on the other end, if your vision is
                \_ you've got that backwards. someone who sees 20/30 can
           20/16, you can see at 20 feet what a normal eye sees at16
           your vision is "20/30", you can read at 20 feet what a normal
           eye would see at 30 feet.  on the other end, if your vision is
           20/16, you can see at 20 feet what a normal eye sees at 16
                \_ someone who sees 20/30 can
                see at 20 feet what the average person can see at 30 feet.
                fighter pilots need to see 20/15 or 20/10, so they can see
                at 20 feet what joe average can see at 10.
           \_ I see.  For near-sightedness, how does 20/xx translate to/from
              the number of "degrees" that some people use to measure near-
                \_ maybe you mean diopters. there's only approximate
                relations between 20/x ratings and diopters.
                   \_ I don't know.  I was told that my short-sightedness is
                      simply "550", and everyone in my home country seems to
                      understand it.
                      \_ That's probably meant as -5.50
        \_ To be slightly more precise, it's based on ability to discern
           alpha letters at that distance.  Your 20/20 may not be my 20/20.
                     \_ As opposed to... beta letters?
                     \_ As opposed to chinese, for example.  the eye chart
                        uses block letters, easy to discern.  There are "20/20"
                        Lasik patients who can't drive safely at night.
                        \_ As opposed to shapes, colors, 2d objects, 3d objects,
                           moving objects, unmoving objects, get the picture?
                           \_ You missed the point. No reason to pull the
                              non-existant term "alpha letters" out of yer ass.
                                \_ It wasn't my ass.  Thanks for being
                                   concerned for my ass though.
2000/6/14-15 [Uncategorized] UID:18471 Activity:very high
6/12    Take it to a newsgroup.
        \_ Waaah!  Do I 'win' if I got the last word in?
        \_ yeah!  i did get the last word in right before this guy erased
           it (obviously you didn't read it though). -uctt
Berkeley CSUA MOTD:2000:June:14 Wednesday <Tuesday, Thursday>