And above all: Top 25 Censored Stories Of 2008. I consider this to be one of the most important annual articles to be read.
-
WAR ON…… YARDSALES?!?!?!: When is a yard sale not a yard sale?
Get a life
-
COPYRIGHT, RIAA: Jammie Thomas: Her Story In Her Own Words (RIAA Lawsuit Victim)
Jammie Thomas, whom the RIAA successfully sued for allegedly using Kazaa to share mp3s, gives her story in her own words, and corrects some misconceptions about her case.
-
NEWS vs. CENSORSHIP: Project Censored: Top 25 Censored Stories Of 2008
Every year they put this out, and it is always a fascinating read. I think TRUTH is very important, so this is an important yearly article because these are important stories that nearly everyone is missing.
-
11/11: Al Qaeda declares Cyber Jihad on the West, November 11th
Starting with 15 targeted sites, and expanding every day. Keep your eye out? Or another b.s. scare? We’ll find out soon.
I personally endorse Sygate as the best firewall.
November 4, 2007 at 9:15 PM
Personally, I prefer hardware firewalls and not software ones. With hardware, you’re ensured (mostly) that malicious traffic will never reach your network card’s interface.
Yes, this is a generalization. Yes, it’s possible to hack a hardware firewall. I still prefer the physical layer of protection they provide over the approach of attempting to stop malicious traffic within the CPU cycles of my own computer.
November 4, 2007 at 11:12 PM
I tend to agree. Since my router has a built in firewall, that’s my main layer of protection.
I still run a software firewall though as they do tend to have one advantage. Hardware firewalls tend to block only incoming traffic, not outgoing. Which means if you somehow happened to acquire some spyware, or a malicious virus/trojan that sends outgoing traffic, it’s going right through the hardware firewall.
I prefer to double bag it.
November 5, 2007 at 9:04 AM
Personally, I don’t like single points of failure, and how exactly is a hardware firewall going to ask me “do you want to allow this program access or not?” when a program tries to access? Or do I have to make configuration adjustments for each of the MANY programs I use? And.. how exactly do my IPs connect directly to the net if I have to go through a single box? NAT issues left and right! When I VNC in to a machine, how will it know which machine to forward my VNC request to? Or do I have to set up non-standard ports, so if it goes to 5900, it goes to one machine, if it goes to 5901, it goes to another one, etc. Then I have to remember those ports outside of my home too.
Nah, fuck that.
November 5, 2007 at 9:36 AM
@Clint:
Firewalls and NAT have come a long way:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/upnp01.mspx
According to that, most home firewall/NAT devices shipped since 2001 have uPNP NAT traversal built in, and I imagine most modern network software has it coded in too. I know Soulseek has had uPNP functionality since 2003 or 2004.
Either way, it’s the safety of NAT/Firewall, physically separating you from malicious traffic, combined with the convenience of not having to set it up.
November 5, 2007 at 9:56 AM
Well, I’ll chalk this up to different philosophical approaches on using computers, but to me, functionality and convenience are far more important than security-past-the-point-of-diminishing-returns —
I’ve made the metaphor before: “I’d be safer if I wore a helmet while I drove my car, since that would statistically save lives. But I don’t, because I want to be able to drive around comfortably and without hassle”.
Thanks for the link Gauge — from the very page you linked to:
“Q: What is the problem with NAT?
A: Put simply: NAT can “break” many of the compelling new PC and home networking experiences, such as multi-player games (check), real time communications (check), and other peer-to-peer services (check), that people increasingly want to use in their homes or small businesses. These applications will break if they use private address on the public Internet or simultaneous use of the same port number. Application must use a public address and for each session a unique port number.
Large organizations have professional IT staff on hand to ensure their corporate applications can work with NAT, but smaller organizations and consumers do not have this luxury. UPnP NAT Traversal can automatically solve many of the problems the NAT imposes on applications, making this an ideal solution for small businesses and consumers.”
So basically, they are sort of saying the same things we both say.
Except that uPNP is simply a bandaid to be slapped on NAT, and NAT was a bad idea anyway, only implemented due to a lack of IP addresses, and in fact NAT will go away with IPv6, though some people propose keeping it around.
From the wikipedia page:
“UPnP assumes that all local systems and their users are completely trustworthy, and that no local system is infected with any worm or trojan.
If either of these assumptions are not true then UPnP can be used to totally defeat a firewall by allowing incoming connections to arbitrary local systems on any port.[2][3]”
That should be scary to security-maniacs, actually. Especially if firewalls aren’t being run on individual machines, because something could spread from 1 machine in your lan to every machine, if you don’t have firewalls on each machine.
Anyway, I’ve used uPnP, and it saved me having to set up bittorrent when I had my router. It saved me 10 minutes perhaps. But HAVING NAT AT ALL cost me hours over the year or so I was under that horrible setup. Back to static IPs for me!
VNC’ing in? I was pretty strictly limited to one computer, despite spending 30+ minutes on the problem.
And mapping network drives? Don’t even get me started. Just didn’t happen during my whole NAT-year.
And running bittorrent on more than 1 computer at once (for convenience / harddrive space issues)? Forget it.
Better than spending 30 minutes on security is to simply be able to connect directly without spending 30 minutes, and have 30 more minutes of my life back.
Virii have indeed taken up some of my spare time in reacting to them, but having to deal with excess security takes up a lot of time too. When I switched to NAT, it was a full hour to get my FTP server working again. (There are some internals to the ftp server that have to be changed IN ADDITION to NAT, plus people had to start using passive mode and nobody could even get a directory listing unless they changed that). Overall NOT worth it.
I got other shit to do other than sharpen my tinfoil hat.
P.S. I did some googling, and VNC does not support uPNP. In fact, their own FAQ about dealing with NAT only addresses ONE computer: http://www.realvnc.com/support/faq.html#natrouter And does nothing to say how to set it up to go to multiple computers. (Yes, I have hopped 2 and even 3 computers deep, but that is unnecessarily slow.)
I have a feeling network drive mapping might be in the same boat. I doubt windows uses pnp to deliberately open up your drives to the network since that would be less secure and they are at least TRYING to be secure these days.
I can’t imagine setting up manual port forwarding for 5 computers. Actually, the “NET USE” command doesn’t let you specify a port anyway, so how would you get to your data at home?
Yea, NAT is great if you want to be in a closed box that can only be opened from the inside.
I don’t.
November 5, 2007 at 1:22 PM
I’ll address the uPNP being useless if you get a trojan or worm:
A trojan or worm can also be programmed to override a software firewall. Basically if you get trojaned, you have to hope that that particular one wasn’t programmed to circumvent whatever security methods you chose to implement.
About VNC, I don’t see the significant difference in setups. If you went with the router/firewall/NAT device, you would have to enter the forwarded ports and private side IP addresses into the setup, and of course set each VNC install to listen on a different port for each computer. If you went with the software firewall on each computer, you would have to allow the traffic for that program on each of the computers. Either way, it’s a one-time setup.
As for the NET USE command, yeah NAT would kill that pretty much. I cringe whenever I think about Windows drive shares being made public, even if it’s protected by a password.
I also gotta admit that I’m a bit biased against software firewalls due to a few months of bad experience with one several years ago. They’ve hopefully changed a lot since then, but I basically had to re-install Windows because of one when I switched my network address and it freaked out because all of the “rules” were previously made to work to protect a different IP address. Probably (hopefully?) wouldn’t happen with the modern software firewalls, and address changing like I did isn’t common, but still. I’d rather have a solution that doesn’t break my computer when I try to use it. :)
November 5, 2007 at 1:28 PM
The point being, I spent significant time on the VNC issue and never got it to work right. It’s a waste of time to create extra work for oneself.
The time spent was greater than the amount I spend on my average infected file, which is 0 if it says “cleaned” as the result.
And windows drives should always be public if you want access to your home stuff :)
How else can I run my sync.bat each and every day, automatically updating my scripts from home to work, automatically sending files from work saved in my ‘bring_home’ folder to my ‘brought_home’ folder at home, automatically updating my music playlists to be in sync with my lists at home (which are regenerated daily / every time I run bedtime.bat). (It moves torrents to a different place, so I can drop a torrent in a folder here, and have the download completed, at home, before coming home.)
See, I’m actually using my home computer throughout the course of the day — because I can.
November 5, 2007 at 2:01 PM
Oh, and having to re-install windows due to changing an IP address sounds utterly ridiculous! Like, damn them for making so much work!
Did you try using the repair function with the install cd? GAH, it shouldn’t be that much of a hassle.
Then again, if it was ZoneAlarm, I’d believe it. ZoneAlarm is an utter piece of worthless shit, once infected by a virus. You can’t uninstall it without multiple reboots, including going into safe mode, which I *NEVER* have to do nowadays (less often than once a year). It ended up taking me an hour or so to get rid of it.
Never again! Not only is Sygate relatively painless to deal with, but you can save your rules to an external file and re-import them in other instances. Which is good, because I have 5 or 6 rules..
ZoneAlarm is teh suck.
November 5, 2007 at 2:36 PM
How’d you guess? It was Zone Alarm! I’m a chump!
Ok, now I’m beginning to think about how I would go about changing my home network from NAT to the way you have set up, and I’m drawing a blank. We have wireless devices in our house, lots of them (ok, 3 of them, but that could easily quickly go up), that we use on a regular basis. Either they would all need public IP addresses from our ISP, which I don’t think would happen, or I’d have to have a separate private subnet just for the wireless devices, one of which is a laptop. In that case, we’d have a half-NATed, half-static IP address setup.
Do you have a wireless network at home, and if so how do you set it up?
November 5, 2007 at 2:45 PM
It sounded like Zone Alarm hell to me! I believe that’s what was running on “Fire” when Carolyn changed it to an invalid IP address while I was at work, realized it was invalid, then didn’t bother to change it back. Computer crashed, wouldn’t boot, wouldn’t accept windows installations again, not even after formatting the drive. It was probably multiple problems happening at once — after all, this machine ONCE had TWO monitors and TWO video cards, but at some point, ONE died without me realizing it, so in all rights the computer would have ceased operation long sooner, but I had “redundant video cards”. In a sense, that’s a better setup than a single card with 2 ports. In a sense…
November 5, 2007 at 2:56 PM
I have 5 public static IP addresses. I’ve pretty much always had that many. Sometimes I’ve paid more, sometimes I’ve negotiated, and at least once I gamed the system and strongarmed them into giving me 5 free static ips for life, by threatening to renege on my signup.
See, when you signup, you have 24 hours to cancel, during which they are stuck with $100s of fees. THAT is the moment you negotiate hard :) I think w/my current ISP I talked them down a lot. $5/mo per IP is so completely not worth it at all. I even think $1/mo per IP almost feels like a bit of a ripoff.
I demand IPs.
You can’t play Quake online with multiple computers behind NAT either.
I mean, you could possibly set up some port forwarding junk. And then set it up in reverse if you want to run a server.
I don’t like dealing with stuff! Stuff should work! IPs make that easier.
And yea, we only have 5 IPs, and typically have 3-4 computers. That leaves us 1 more IP for our router, which technically does wireless — although EVERY wireless device AND its replacement has eventually died, leading me to the conclusion that wireless is a waste of time.
The amount of time it cost us to earn the money to purchase our wireless devices, coupled with the amount of time spent troubleshooting them, does NOT add up to the amount of time “Saved” by being able to computer in, say, the bathroom, or the amount of time/money “saved” by not having to run ethernet cable to obscure rooms where I don’t really need internet. Though it was funny that one time Carolyn paused the music from the bed, it wasn’t $60-worth-it funny.
So yea, I would use NAT for wireless too, ONLY due to not having enough IP addresses.
But, at the same time, neither Carolyn nor I think wireless is worth spending ANY extra money or effort on. It’s just another shiny bauble to sell.
It still makes sense for laptops, though. But I also feel the same way about laptops — equal computing power on a laptop costs more, making you spend more time to earn the money. I think the time is more efficiently spent walking over to your non-portable, wired computer. I’m fiscally conservative in that sense…
Which is why above, I said — a lot of this is really a person’s personal philosophy about how they want to use their computers.
I want the most functionality, especially *possibilities* (i.e. those things I haven’t thought up yet), and I especially want the most integration (I can pause my house-music at the command-line here at work the exact same way as at home), and I especially especially want the least money spent :)
November 5, 2007 at 3:58 PM
I still prefer hardware firewalls, though in Clint’s case, I probably wouldn’t implement it either. Running static IP’s means either having a separate firewall for each computer, or a high end corporate router that supports multiple public IP’s. Either way, lots of $$$.
As far as wireless goes, never really had any major issues with it. I may have to reboot the router every once in a while (after my cable modem goes out due to a brown out), but that’s about it. I like watching TV and being able to be on the computer at the same time. And with the setup we have at home, setting up a desktop in our living area would just be impractical.
Plus I like being able to compute in the bathroom :)
November 5, 2007 at 4:04 PM
semi-related: They have RSS-enabled toilet paper for sale at ThinkGeek.com!
November 7, 2007 at 10:02 PM
More on why:
“UDP can go through NAT under very specialized circumstances involving configuring a UDP port on the firewall to forward to a machine behind the firewall. UDP can not ‘ad-hoc’ through NAT the way TCP can.. NAT works by using the little-known fact that an outgoing TCP session has a source port as well as a destination port – by doing a little bit of mapping, this enables one IP address to have 64k connections. UDP is stateless – there isn’t a binding between the source and destination, there’s no ’start’ and ’stop’ packets, no three-cornered handshake – you can send UDP from behind a NAT pretty easily, but getting UDP *back* to a host behind the NAT – without knowing which host should get it – is a little trickier. There’s not actually any good way that doesn’t involve manual configuration for traffic to come from the outside in with a NAT anyway.
This is especially problematic for services that use a fixed UDP port – because it means only one computer behind the NAT can participate in those services. Microsoft’s Netmeeting is one example, or used to be anyway. Most streaming audio systems are another example. Fortunately most p2p and game software let you set the port, so multiple workstations can participate in a game of c&c generals or leech using emule.. ;-)”
I dislike unnecessary complications.
This guy (an old BBS friend)’s blog – very interesting insanity, hehe.
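The NAT mechanics argued over in this thread (per-session port mapping on outbound TCP, the VNC-on-5900 one-host problem, and a fixed UDP port having only one owner behind the router) in a toy Python model; this is an added example, not code from the blog or any commenter. The addresses and the UDP port 7777 are constructed sample values, and `forward()` stands in for both a hand-configured port forward and the mapping that UPnP would add automatically.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.7"   # constructed WAN address of the NAT box

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (proto, in_ip, in_port) -> public port
    in_map: dict = field(default_factory=dict)   # (proto, public port) -> (in_ip, in_port)

    def forward(self, proto: str, public_port: int, in_ip: str, in_port: int) -> None:
        """Static port forward (what UPnP automates): one public port, one inside host."""
        self.in_map[(proto, public_port)] = (in_ip, in_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to the public IP and a fresh port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, PUBLIC_IP, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only if a session or a forward names the port."""
        target = self.in_map.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None          # nobody inside asked for this: dropped at the NAT box
        in_ip, in_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo() -> dict:
    nat = NatRouter()
    # Outbound web request creates a session; the server's reply is routed back.
    req = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.5", 80, PUBLIC_IP, req.src_port))
    vnc_cold = nat.inbound(Packet("tcp", "198.51.100.9", 43000, PUBLIC_IP, 5900))  # no mapping
    # Forward 5900 to one desktop; a second desktop needs its own public port (5901).
    nat.forward("tcp", 5900, "192.168.1.10", 5900)
    nat.forward("tcp", 5901, "192.168.1.11", 5900)
    vnc_a = nat.inbound(Packet("tcp", "198.51.100.9", 43001, PUBLIC_IP, 5900))
    vnc_b = nat.inbound(Packet("tcp", "198.51.100.9", 43002, PUBLIC_IP, 5901))
    # Service on a fixed inbound UDP port (7777 is a constructed value): one owner only.
    nat.forward("udp", 7777, "192.168.1.10", 7777)
    nat.forward("udp", 7777, "192.168.1.11", 7777)  # silently replaces the first host
    udp = nat.inbound(Packet("udp", "198.51.100.9", 7777, PUBLIC_IP, 7777))
    return {"reply": reply, "vnc_cold": vnc_cold, "vnc_a": vnc_a, "vnc_b": vnc_b, "udp": udp}
```

The second `forward()` on the same UDP port is the "only one computer behind the NAT" case from the quote, and it also shows why the Wikipedia warning quoted earlier matters: a mapping added by UPnP from any LAN host looks exactly like one the owner configured by hand.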
November 7, 2007 at 10:03 PM
(and like beating dead horses. mmm, horse meat)
November 8, 2007 at 1:00 AM
I prefer dinosaur meat. Much more tender when thoroughly beaten.
But yes, with UDP, that’s pretty much the nature of firewalls. Which is why I wouldn’t implement it in your setup. And yes, I had to go through the manual configuration of my router to get P2P working optimally, but it only took about 2 minutes. But then again, I also only have the need to use it on one computer.