Hacker News: vonskippy's comments

Rolling your own firewall is almost always a bad idea. Hardening a full blown distro is a terrible place to start, and no place for a novice to "guess" that they have it locked down "enough".

There are numerous open source firewall distros that have the advantage of being authored by people well practiced in security coding, pen testing, etc, and are continually crowd tested for loopholes and shortcomings.

It's your edge device for security - not exactly a place you want to take risks with.


Given that you get a stateful firewall as a facet of NAT, the main risk would be if your edge device was listening on the external interface with vulnerable services.

I appreciate the level of specific engineering that goes into purpose-built firewall distros, but "locking down" a device whose sole function is to perform NATing for a network is not terribly complicated.


While I sympathise with the sentiment, there's a couple of things to point out here.

Firstly, none of the firewall distros I've seen have really prioritised security all that much - they tend to prioritise fancy interfaces and rolling lots (often far too many) features into one box. I'm not aware of a single one of the commonly used firewall distros that enables selinux, for example (although I've not looked at all of them - I could have missed one).

Secondly, this is clearly a home product - not a device that's likely to be the focus of a large amount of determined attacks. As long as you don't allow password-based logins and regularly apply security patches, the likelihood of being compromised is very small. Modern mainstream linux distributions aren't as horrendously insecure by default as you imply - the job of locking them down isn't a massively complex black art.


"I'm not aware of a single one of the commonly used firewall distros that enables selinux"

The commonly used "for firewalls" distro is Debian, and selinux "works" on vanilla Debian. It's a labor hog, making it less efficient to enable selinux than to look for / fix other problems, but it can be done if you insist and are willing to spend less time securing more important areas (pretty much everything, unfortunately).

On the other hand I am also unable to find a "firewall distro" solely for FW work that does selinux as of last time I looked. Hard to prove a negative but it is possible to prove that if it exists, it's well hidden. The marketplace for FW distros is focused on ease of use, security theater, and authoritarianism and credentialism, so actual security related features are going to be a pretty low priority in the market, which is humorous / ironic.


Ah selinux, the NSA's contribution to the linux kernel.


"continually crowd tested"

They are absolutely not. Not compared to general purpose distros.

Just look historically at semi-relevant security holes and how long it took Debian to patch openssl (hours? minutes?) vs "one dude's spare-time project" maybe weeks, or worse, never.

"have the advantage of being authored by people well practiced"

You'd like to think so, but other than hopes there seems to be no evidence...

"locked down enough."

It has a stateful firewall probably as part of the NAT function? Good enough. The rest of it is mostly security theater.


As far as I know, generally speaking, doing things yourself is what makes you learn how to do them.

So if you don't play with firewall rules, block yourself a couple of times, do something stupid you'll never learn.

I could argue that doing copy-paste firewall rules from the internet might not be a good thing. It will give you the idea of security while there might be none.


What risk? You don't need to harden your distro if you're only using it for NAT. There's basically nothing to attack, save maybe the netfilter conntrack module's state machine. Here's all you need for your edge NAT device:

  # The box itself: from the WAN, accept only traffic belonging to flows it started; drop the rest.
  # RELATED is included so ICMP errors (e.g. fragmentation-needed) for existing flows still arrive.
  iptables -A INPUT -i ethwan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i ethwan -j DROP
  # The box may open new connections outward.
  iptables -A OUTPUT -o ethwan -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o ethwan -j DROP
  # WAN -> LAN: only traffic belonging to flows the LAN opened.
  iptables -A FORWARD -i ethwan -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i ethwan -o eth0 -j DROP
  # LAN -> WAN: LAN hosts may open new connections.
  iptables -A FORWARD -i eth0 -o ethwan -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i eth0 -o ethwan -j DROP
  # Rewrite LAN source addresses to the WAN address on the way out (needs net.ipv4.ip_forward=1).
  iptables -t nat -A POSTROUTING -o ethwan -j MASQUERADE


One (usually) doesn't roll their own firewall. One is provided with a robust solution and merely needs to configure it - that is, provide a description of their network. Because no matter how smart and well practiced software authors and distro builders are, they still don't know about your network and your needs. They can only provide tooling and examples to make some common concepts easily achievable.

And configuring your own firewall isn't rocket science that should be left to pros. Especially - as every sane guide out there suggests - if (for iptables) you start with DROP on INPUT and FORWARD chains and gradually open what's necessary.
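An added example (not code from any comment in this thread) that puts the two points above into practice: a POSIX shell function emitting, in iptables-restore format, a default-DROP ruleset for the NAT-only box from the earlier listing, plus a check that rejects any ruleset accepting new TCP/UDP on the WAN side. Interface names ethwan/eth0 come from that listing; the LAN-side SSH, DHCP and DNS openings are assumptions about what the box runs.

```shell
#!/bin/sh
# Added example, not code from the HN thread: build the NAT-box ruleset the way
# the comment above recommends (default DROP on INPUT and FORWARD, then open only
# what is needed) and emit it in iptables-restore format. Interface names follow
# the listing earlier in the thread: WAN = ethwan, LAN = eth0. The LAN-side SSH,
# DHCP and DNS openings are assumptions about what the box runs; delete what
# yours does not. Forwarding also needs: sysctl -w net.ipv4.ip_forward=1
#
# Dry run:  gen_ruleset ethwan eth0 | sudo iptables-restore --test
# Apply:    gen_ruleset ethwan eth0 | sudo iptables-restore
gen_ruleset() {
    wan="$1"
    lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus anything belonging to a flow already allowed. RELATED carries
# the ICMP errors (e.g. fragmentation-needed) that path-MTU discovery relies on.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services the box itself offers, reachable from the LAN side only (assumed set).
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
# Nothing listens towards the WAN; rate-limited ping replies are the one exception.
-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# Forwarding: the LAN may open flows outward, the WAN only gets replies to them.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN source addresses to the WAN address on the way out.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Guard against the one risk the thread agrees on: the edge box accepting new
# TCP/UDP connections on its WAN interface. Reads a ruleset on stdin; returns 1
# and names the offending lines if any INPUT rule accepts tcp/udp arriving on $1.
check_no_wan_services() {
    wan="$1"
    bad=$(grep -E -- "^-A INPUT .*-i $wan .*-p (tcp|udp) .*-j ACCEPT" || true)
    if [ -n "$bad" ]; then
        printf 'ruleset accepts new TCP/UDP on %s:\n%s\n' "$wan" "$bad" >&2
        return 1
    fi
    return 0
}
```

Run the generated ruleset through `check_no_wan_services ethwan` before `iptables-restore`; a rule such as `-A INPUT -i ethwan -p tcp --dport 22 -j ACCEPT` makes the check fail and print the line.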


I agree with this to an extent, a complete novice probably shouldn't take this sort of leap without understanding the configuration involved in securing down a Linux box. I wouldn't say it's out of the reach of most people familiar enough with Linux, though.

Regarding security programming, etc., I expose as little as possible to the world. Of the services that I do expose, I'm relying on pre-packaged software and the maintainers of Debian to keep it patched for me. I trust that those people mostly know what they're doing, and any code I write will mostly just be for internal automation.


Well if you really care about security you should run OpenBSD not linux. And it installs secure by default. Just grab the book of pf and write out your firewall rules.


What's my other practical alternative? Some $80 box at Best Buy riddled with security holes? While I agree that using something like pfsense is probably superior, it's also fair to say that if you understand basic linux administration, you can roll out a firewall that's a lot more secure than the never updated boxes everyone else uses, and enjoy features like ssh forwarding, openVPN, etc.


If there was HN Gold, I'd send you some.


> There are numerous open source firewall distros that have the advantage of being authored by people well practiced in security coding, pen testing, etc, and are continually crowd tested for loopholes and shortcomings.

That's what I did at first, but what if there is none that does everything you need? Hacking it would be even worse than rolling your own.


Back in the mid-to-late 90s there were no home routers as they exist today. Just threw Openbsd on a machine with multiple interfaces and it worked just fine.


According to DynDNS it's a malware site.

www.csie.ntu.edu.tw is blocked in your Defense Plan Content Blocked

This is a known Spyware website, which is blocked as specified in your Defense Plan.


DynDNS is painting with an unavoidably broad brush. It's a student page at the CS department of NTU -- National Taiwan University. I'm sure the server has hosted something unsavory at some point, but this particular page is hardly threatening.


I have no particular connection to the site. I just posted it because a friend sent it to me, so it might be.


Why is this on HN? Trolling the Wikipedia site might be an interesting hobby, but I don't see in any way how it fits HN.


"Please don't submit comments complaining that a submission is inappropriate for the site." - http://ycombinator.com/newsguidelines.html


He's not complaining, he's asking. I also do not understand what on earth this tradition has to do with hacking. Or news.


Sure he's complaining. He complained in the form of a question, like you just did.


Yet strangely, hackers are finding this piece of news interesting. I wonder why? Could it be the idea of having a cat on a ship is interesting from a systems perspective? What's a ship's cat equivalent in a computer or human system? Some sort of roving troubleshooter?


Lots of things on HN have to do with neither hacking nor news. That's part of its charm, always has been. If PG can post about the margins of medieval manuscripts, then anything goes, so long as it isn't dumb. The only sin is to be uninteresting.


It's on HN because somebody submitted it, and it's on the front page because enough people up-voted it to get it there.

That really is about as good an explanation as you're going to get :)


The cats have finally made it through. D-Day for cats on HN :) Interesting, albeit nothing to do with HN.


Using a cat to kill mice on a ship is a hack. I would argue this is much more relevant than the political stories that make the front page.


It was posted to Twitter by Jeff Atwood - https://twitter.com/codinghorror/status/440356834545647616


It is widely grokked that cats have the hacker nature. -esr


"Cutting the cord, in Comcast’s universe, just doesn’t save you very much money."

And this is why (in general) Americans are in debt. They don't understand that ANY savings, is savings. And that "just" saving 20,30,50 dollars a month adds up over 5-10 years.

I went thru this with my daughters a decade or so ago. We kept track of all the "Gee Dad, it's only 10 bucks" conversations. At the end of the year we reviewed what they accumulated, which was almost nothing, their items were either used up, no longer needed/wanted, broken, or tossed away. On the other hand, the $1400+ dollars, all stacked up in a nice pile of $20's looked like (and was to them) real money, a nice weekend trip, a new bike, a new laptop, etc. I'm happy to say my daughters did much better after that living experiment.

Unfortunately for most Americans, they just can't say no to the moment, and banks (and other service providers) are all too willing to exploit their lack of judgement.


You miss what that sentence was actually leading to:

Comcast has carefully set up pricing to get you whether you watch shows the old-fashioned way, on a boob-tube fed with a cable, or whether you prefer to veg out with Netflix on your iPad

They aren't talking about "Oh it's only $10 more, so why not". They are talking about how you can't escape most of the Comcast Tax, even if you ditch cable. That's the whole theme of the article.


Insulting if you asked me.


And this is why (in general) Americans are in debt. They don't understand that ANY savings, is savings. And that "just" saving 20,30,50 dollars a month adds up over 5-10 years.

Oh, clearly. It's that rather than the terms of student loans and such. Wouldn't want reality to get in the way of depression-era morality plays ... "up hill both ways, in the snow!!" if that makes you feel better.


Look at the numbers for credit card debt alone if you're unconvinced.


I agree that financial ignorance keeps Americans in debt, but I don't think that blindness to savings is a major component.

Just look at JCP's recent situation - they tried to eliminate sales, implementing consistent, standard pricing on all merchandise (instead of the previous mark-up-to-mark-down method), and consumers hated it. The metrics were a disaster.

If the JCP numbers are any indication, consumers know the price of everything and the value of nothing - they'd rather pay more than they should after a fake 40% discount because "full price is for suckers", regardless of the actual quality:price value ratio.

The problem with cable pricing isn't that consumers are ignorant to the deals - they're most certainly eyeing price and discounts. It's that cable companies have established a false baseline to decrease the effectiveness of cord-cutting.

As a pricing strategy, it's nothing new. You can get 2 liters of soda for 99c, and a 12 oz bottle for 1.50. It's a psychological price bump - not based on value, but manufactured to steer the "savvy" (read: performing as expected) buyer to the "smart" (read: preselected) choice.

It's just a little more disheartening when its application moves from soft drinks to the spread of human knowledge.


You can get 2 liters of soda for 99c, and a 12 oz bottle for 1.50

Usually it's $1.50 for a chilled 12 oz bottle, and $0.99 for a warm 2 liter. It's a convenience charge.


Convenience also in that few people want to consume 2 liters at one sitting, so not having a leftover, partially filled 2 liter that you have to look after until you get to a place where it can be stored is often worth the additional 50¢.


Let's not forget the convenience of not having 2 liters tempting you.


So was the actual utility from all those "$10 items" zero? I've spent more than $1400 on "needless" food in a year but I feel as if I've gotten a fair amount of value from it. I'm sure I would not trade all those meals for half of the price of a great laptop.

Anyways, I think Comcast is getting at that they throw in Internet or TV for "free" with triple-play combos, so you literally aren't saving anything. In some cases, you actually pay more (for a limited time?) to decline services.


Honestly you frequently pay 'more' when you decline services. In my area Comcast at one point was charging more for just internet than it was for Internet+Cable+phone. It seemed that they were just looking to make sure that you were 'locked in' to all of their services.


Just so you know after introductory prices a few years ago it was cheaper to have the "basic" cable + internet than just internet from comcast. It may have changed since I don't live in their service area anymore.


This is the case still, at least it is for me. Comcast recently added two more straws to the camel's back though: a new "broadcast fee" for the "cost" of carrying broadcast channels, and encrypting even basic cable so you need another stupid box.

ATT Uverse is now available in my area, their internet is a little more than half what I'm paying for Comcast Basic + Internet, and since I can't watch the TV anyway because I refuse to use their box, I don't need any TV component of the service. I've heard mixed stories about Uverse but they seem to do better than Comcast in the Netflix rankings so I'll probably give them a try.


It's the same way for us (by about a dollar, I think). It used to be cheaper by almost $3/mo, but last year they raised the cost of "ridiculously basic" cable.

We don't even watch the cable TV that we "pay" (-$1) for, as our actual programming comes in via (free) over-the-air antenna mounted in the attic and recorded onto 2 TiVos.


There's a reason for that. Certain content providers (HSN, for instance) pay Comcast on a per customer basis. Comcast makes more money when you have the lowest tier TV package and it doesn't cost them anything.


Great idea and thanks for sharing. We've been trying different methods to teach savings but so far the pure excitement of "I want it!" has defeated all logic. We've been stuck making choices for him instead of him learning to make them on his own. Definitely going to use this the rest of the year. Will be easy to keep track of on the phone.


Easy solution: set up a company name, use the company name for all package shipments, wire transfers, checks, etc. Should solve everything but the travel.


I guess we'll see if that strategy works or not - Logmein will be a perfect case study. Years of free service - now it's paid or use something else.


I've only found large enterprise IT support and cold-callers from 'Microsoft' who are wanting to 'remove the virus from my machine' use LogMeIn. TeamViewer seems to be the flavour of choice.


OMG not this again. This has to be the most overinflated topic in tech. Just do your thing, if you're good, nobody cares what sex you are, if you're bad, don't use your sex as an excuse.


"if you're good, nobody cares what sex you are..."

Part of the reason this is such a hot topic right now is because the above statement is not at all true. It is certainly applicable for some, but not enough to claim true equality in the system.


Yes, this is the myth that people tell themselves in order to ignore the fact that they had to work less to get to the same place because of their advantages in race, sex, economic or educational background, etc. Well illustrated.

EDIT: Perhaps more constructively, you have demonstrated exactly why "this again" -- because many people still don't understand that tech is not exceptional and is not a "meritocracy". The same biases that exist in all other walks of life exhibit themselves in the tech world but are often more insidious because people refuse to acknowledge them.


It keeps coming up because it's a real problem.


There are established behaviors people exhibit towards males who are good or bad. The author is noting that people tend to treat women differently, period.


YES. Women in tech would probably be treated more equally if they talked about ANYTHING other than being a woman. These types of posts do a serious disservice to women.

Show me a woman who has actually accomplished something of merit who also writes about gender inequality. Complaining about inequality is just an excuse for not producing anything of value.

Do you think I star repos on Github based on the sex of the author? NO! I star them based on their utility, elegance, etc.

This issue is a non-issue.


Hm. I worked on the European space program. I contributed to a bunch of AAA games with fairly big names. I currently work on a fairly large OSS project. I think I can claim I created one or two things that have a tiny bit of merit.

And yet, I write about gender inequality - because it actually exists. I'd be very happy if it were a non-issue, but it isn't.

It's very rarely the big ticket items that are the problem, even if they grab all the attention, though. It's all the small things that say "you're not quite welcome here". The constant barrage of sexist jokes, followed by "present company excluded". The eternal "you're a programmer?" question at conferences. The media portrayal of computer scientists. And yes, the constant denial that there even is an issue.

Yes, I know the jokes are not meant to hurt. And the question is honest surprise. And media in general sucks. But at every step, women do get told they're "not part of the club". It grates, occasionally.

So please, do listen a tiny bit to the women who do talk about gender inequality. Don't assume a priori we're just doing it for the attention. I'd rather discuss the latest awesome CS paper, too - so please assume instead that we talk about a problem because there seems to be a problem.


"Show me a woman who has actually accomplished something of merit who also writes about gender inequality."

You're kidding, right? I know many of the following extremely successful and intelligent women have written about gender inequality:

http://www.forbes.com/sites/meghancasserly/2013/05/22/the-wo...

Yes, there do exist some people who "complain" about gender inequality in instances when that is not quite the fundamental issue, but you're ignoring the entire picture. These are serious issues that actually do exist and that people are trying to change. Some people aren't as constructive as others, but ignoring the reality and weight of the issue is certainly not productive.


http://en.wikipedia.org/wiki/List_of_feminists

I would say all of these women have accomplished something of merit while talking about gender inequality.


Don't feed the troll. "Controversial" is clearly not trying to have a legitimate discussion, which is probably why they felt the need to register a new user name.


Seems legitimate to me. You're the one not trying to have a legitimate discussion. That's why you would attack my username and not the content of my post.


All of them is quite a stretch, frankly. Especially ones like Luce Irigaray.


Do you mean that not all of them have accomplished something of merit in the sense that their contributions to feminism were unimportant? Or do you mean that some of them detracted from the discussion?

I have to admit that I know very little about feminism, so I'm honestly all ears here.


It's not that they haven't accomplished anything in feminist discourse or that they weren't influential.

Rather, they contributed to the derailing of feminism into the contemporary postmodern feminism that dominates the public sphere. The one which gets uptight over private jokes between people at tech conferences.


Sorry, to clarify: I mean accomplished something outside the area of feminism and gender equality.


^this


Two 4TB Ext USB3 HDs and a Safety Deposit box at your Bank. Cheap, more or less convenient (get four drives and rotate your backup drives), and secure.

Easier yet if you can pair the amount of crucial stuff to under 4TB, then it's just one drive that you can rotate monthly (weekly?).


If the only value your website offers is to bring eyeballs to ads, then it's time for you to find a new vice.

If you want to serve up ads on your site, make sure they're relevant, they're absolutely 110% malware free, and respect my privacy. And unless you're willing to take responsibility for when those conditions aren't met, then don't whine when I do everything technical to block out the useless malware laden offensive ads that you do serve.

The difference between net ads and tv ads is that tv ads cost enough money that people who buy tv ads spend time and energy in being very selective about their market demographics and the type of ads they run. Plus I've never had a tv ad infect my tv and stop it from going to any other channel but CMT.

If me and my eyeballs are going to be your product, then I want a little respect for my participation.


>Plus I've never had a tv ad infect my tv and stop it from going to any other channel but CMT.

Funny story...there's a regional sports network who shows a 5-10sec image of their logo at the end of ad-blocks. When the channel was watched through the cable boxes provided by our local TV provider, the box would freeze. Either the logo image would be stuck and only audio would continue or audio would stop and video continue.

Not exactly the network's fault (we figured out that the compression they used led to a buffer overflow in the cable box's decoding logic and figured out how to encode crash inducing video) but it was still annoying.


I am rather sure that malicious use of TV broadcasting would be cause for FCC to withdraw the broadcasting license for the company.

TV broadcasting is a very heavily regulated industry.


Their broadcast wasn't malicious, they can't exactly guarantee that the decoding logic baked into the firmware of, what I'm sure, were knockoff-brand cable boxes won't cause something silly to happen.


But if you're using AdBlock, won't you likely be blocking my malware-free, privacy-protecting ads too? You wouldn't even know they exist...

I agree with your larger point though. For all the (legitimate) hand-wringing about ad networks tracking people and building profiles... they still suck at targeting ads. A lot. I think we're still in the Stone Age of ad matching algorithms.


It depends on how ads are blocked by the user, and it also depends on how you frame it. For example: I don't block advertising on Something Awful, because the ads there are both unobtrusive and occasionally quite relevant or interesting to me, even in terms of pointing me at things I didn't realize I had an interest in. I'll also usually unblock sites that detect that I'm running an adblocker and ask me politely to stop.

I will, however, make a point of blocking ads on any site that decides to drop full-screen overlays, modal dialogs, javascript popovers, or any of that other crap that ad agencies seem to love these days. If your ad is interfering with my browsing experience, I'm not going to waste my time even considering interacting with it.


I would think the vast majority of AdBlock users have it set to try to block all ads by default, though I admit I have no data to prove that.


Ads done 'the best way' are unlikely to fall foul of ad blockers, no script, etc. Deliver your ads from the same domain, as static content, and you're likely to be fine. Bonus points for not slowing down the browsing experience, and altering the layout at random intervals for about a minute after page load (see theguardian.com)


You sure about that? EasyList, the most common block list, clearly intends to block ALL ads, even self hosted ones. It blocks by css class name, directory name, image dimension, etc. It's updated frequently as users report unblocked ads.

(Not to mention how incredibly hard it would be to sell ads set up like that.)


Doesn't that flag a lot of false positives (in fact, I have personal experience of an ad blocker that did exactly that by blocking images with numbers in the filename)? Conversely, there's no way that can block ALL ads, unless it literally blocks all ... content.


Yes, certainly. But it's still the most popular filter subscription. I think this suggests that most people using AdBlock want to block all ads, not just network ads.


Doing direct deal in house advertising is not feasible for most publishers


Delivering ads from the same domain is impossible for small publishers. If you insist on using your own ad server, that means your numbers will decide the billing, which leaves the possibility for fraud, which is unacceptable to the advertiser. Then you have the problem with actually finding advertisers. A small site can't dedicate resources for ad selling and relies heavily on networks for monetization.


> your numbers will decide the billing

Only if the model is payment-per-view as opposed to payment-per-click, or commission on referral sales

> then you have the problem [w]ith actually finding advertisers

Isn't there the same problem with the third-party model, unless you go for a completely automated solution like AdWords? Isn't there an opportunity for a middleman to match up publishers and advertisers? Couldn't an automated system still work on a same-domain basis via advertiser-provided APIs?


Clicks are nice and a lot of people focus on them, but it's not a viable option for a lot of publishers/industries. Brand advertisers are about sending messages rather than driving traffic to pages and converting people there. Around 70% of display advertising is not direct response orientated.

The typical adnetworks give you ad tags which you put on your site and the ads are served from their ad servers. Then there are a few companies [1][2][3] that are marketplaces facilitating transactions between publishers and advertisers, but they still use their own platform to serve the ads. And then larger buyers give them adtags, served by their own servers. Nobody in their right mind will just wire you money for ad inventory and just take your word for the traffic unless you are a very large name and have a proprietary self-serve platform (AOL/yahoo style). And even on these platforms a lot of advertisers still use their own adtags (a recent java malware attack through yahoo's network comes to mind).

[1] buyads.com [2] buysellads.com [3] blogads.com

PS: sry for typos and formatting, on the phone atm.


Adblock Plus offers the option to display ads that follow a certain set of rules.


How long until Ads start showing up on your thermostat? Or on your smartphone controller app - want to change the temperature, please watch these short commercials and then we'll allow you to change your temperature settings.

"Feeling a bit warm, Sally's Soda is just three blocks away".

"Target is having a 15% off on all winter coats and jackets".

This will NOT end well.


You don't put ads on sensors or detectors. That's just stupid. Especially when you put in all this effort to convince someone to pay $200 for it.

You use data to compose your internet shadow profile. Then you wait a bit for more MBA kids to crunch the spreadsheets that then figures out where you can be best distracted with an appropriately chosen ad.

And better yet, it's not even like the shadow profiles will ever disappear if Google goes kaput one day. Three other companies will be happy to take their place. Another dozen ad-tech companies after that.

This is where we are now. People being on the internet has ruined the internet. Complete ouroboros.


Not every effing google product has ads in it. E.g. Drive.


No, some of them just collect your data to serve ads elsewhere


Yet


They could easily auction information to interested businesses. e.g., who struggles to keep their house cool through summer and might be receptive to a call, leaflet or door knock from someone selling insulation, window awnings, new cooling systems, etc. Sell the best candidate suburbs and streets to salespeople.

