attrition.org · Domains · Slashdot Mirror

Heap memory corruption in Windows ASN.1 library by khz6955 · 2016-07-20 13:49 · Score: 1 · on Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover (arstechnica.com)

This flaw resides in a version of the library implemented on a specific platform, namely Windows running on x86 hardware. Makes a good case for not running your infrastructure on a software monoculture. This isn't the first such discovery, see Microsoft ASN.1 Library Length Overflow Heap Corruption from July 2003.

Re:They have a good point by Anonymous Coward · 2014-12-27 06:13 · Score: 0 · on N. Korea Blames US For Internet Outage, Compares Obama to "a Monkey"

Ok, so how was it unlikely that NK did the hack?

Technical fingerprints: the tools used in the hack were not unique to NK and the hackers' "C&C infrastructure" was public proxies. This renders worthless all of the FBI's proof against NK since it was based on no one else having these tools or IPs.

More technical fingerprints: Sony has been hacked by everyone for years. It can be assumed that multiple hacker groups were inside Sony at any time, and any one of them could have been the one to take over Sony's network and destroy their data.

Motive: One of the GOP hackers has been identified as a Sony sysadmin who said their motivation was equality. Sony had been caught paying a newly hired male executive $1 million more than a woman with the same job title a few months before that sysadmin lost their job at Sony. The stuff about North Korea came after the equality claim, after the media raised it as a possibility.

Re:It's a "used car", stupid. by Anonymous Coward · 2014-10-07 09:01 · Score: 0 · on Tesla Is Starting a Certified Preowned Program

Maybe they meant Certified Pre-0wned?

Amateur? SKiddie? Takes one to know one... by Shoten · 2014-05-13 08:05 · Score: 4, Insightful · on Journalist vs. the Syrian Electronic Army

Ira Winkler is a journalist now? That seems odd to me. Attrition.org has an excellent summary of all the different smells of bullshit that emanate from this guy. He also got thrown out of Microsoft after conning them into hiring him to teach a class on application security where he literally used little dinosaur figures to try and teach the class. He was feckless...and this was *before* Microsoft got as good at security as they are now, before they developed their own SDLC, etc.

Re:Steve Gibson is a... by Anonymous Coward · 2013-10-17 11:44 · Score: 0 · on New Standard For Website Authentication Proposed: SQRL (Secure QR Login)

This is less bile and more matter-of-fact: http://attrition.org/errata/charlatan/steve_gibson/

The man just does not have the mental fortitude to work in his chosen field. He gets by because his actual talent is in marketing.

Nmap didn't fail, Hakin9 did by WWWWolf · 2013-08-04 01:44 · Score: 5, Informative · on Pwnie Awards 2013 Winners: Barnaby Jack, Edward Snowden, Hakin9, Evad3rs

Hakin9 is a magazine that's not exactly too reputable.

It looks like someone took a paper "written" using SciGen and submitted it to them. Because they didn't read the paper at all, they didn't notice it was absolute bullshit courtesy of finest context-free grammars people could code.

Brilliant work - not only is SciGen great for busting less than reputable scientific publications that don't exactly value this "peer review" thing, but now it has busted security magazines too.

Re:Actually by nenolod · 2010-12-11 23:48 · Score: 4, Interesting · on Hosting Giants Teaming Against Small Businesses

Except they don't. Because it's impossible.

Bandwidth isn't something you can just oversell without consequence; if you have a massive overage from people actually using what they are paying for then you are probably out of business.

See, I think what happened here is that 100tb had a massive overage and found out that SimpleCDN was one of their big players and they are frantically trying to get the big guys off their bandwidth pool so that they can hedge against the overage while already having SimpleCDN's money. This would fit into my projections for the original business model of 10tb.com before they became 100tb. At least with 10tb there was some sign of it being at least somewhat realistic; with 100tb there is no way.

Or... let's think of it this way:

Say you buy a server from 100TB for $201.95/mo (baseline server with 100TB bandwidth). This works out to being ~303mbps 95% on a typical burst pattern (and likely much higher for streaming traffic!). The server probably costs $100/mo just to run, leaving $101.95 for bandwidth (in this example we're not making any profit mind you!).

This means that your ~303mbps 95% breaks down to $0.33/mbps.

Not even BANDCON can hit that price point and they go really, really low.

This business model does not make sense to me. There is very high risk and I see no way that they can hedge against overages if everyone actually opens up and uses all of their 100tb allotment. Maybe they are paying by GB instead of mbps but that makes no sense because then SoftLayer would be holding the bill and frankly I don't think they are that stupid.

So no, it's not possible to make up profit through volume on this when you keep in mind the risk you are hedging. It's just too much of a gamble for any sane business operator to even consider.

Re:Ironically... by WWWWolf · 2010-07-29 06:20 · Score: 1 · on Oracle's Java Company Change Breaks Eclipse

They once claimed that their database was unbreakable. It broke:

Once? Heck, that doesn't even begin to describe the problems Oracle has had with their frequent claims of superior security...

Re:Amazing by HungryHobo · 2010-03-15 03:01 · Score: 4, Informative · on Iran Hacks US Spy Sites

This still isn't a "cyberwar" this is just iran arresting human rights activists and calling them spies/traitor with a thin justification.

Anything governments try is still lost in the noise http://www.attrition.org/mirror/attrition/

That's a feature (CPO) by Anonymous Coward · 2010-03-08 05:38 · Score: 1, Informative · on Energizer USB Battery Charger Software Infects PCs

Actually, that's a feature also referred to as "Certified Pre-Owned".

In the context of Windows OS's by symbolset · 2009-12-26 21:05 · Score: 1 · on Groklaw Putting Comes v. Microsoft Docs Online

In the context of Windows OS's, W2k was "rock solid". That's equivalent to Dave Barry's assesment of the claim that XP is Microsoft's most secure operating system ever: the most articulate vegetable ever.

It's funny. laugh. Usually we laugh because we dare not cry. If you want to laugh at something, laugh at the odd spelling of laugh. Is that not weird? And what of weird, which is itself odd?

farm it out to the ultranationalist partisans by circletimessquare · 2009-04-28 15:58 · Score: 3, Interesting · on Should the US Go Offensive In Cyberwarfare?

that's what russia and china do

there is no need to encourage them, merely track them and get out of the way of any of their initiatives. and when the shit hits the fan and another government complains, the government can play dumb: it really wasn't their doing, there's no financing or chain of command. the only crime is one of omission: watching someone do something wrong and not stopping them. the nationalist partisans steer clear of their own nation's computers out of fealty (perhaps protecting them too), they obediently report to the government any stupendous finds (nuclear plant blueprints, warfare plans, etc.) simply for the renown, and in times of great duress, are predisposed to fall under the umbrella of government control. all at the same time, they are complete free of cost, and of the highest technical proficiency and motivation. their motivation is simply passion

this is already happening, for years. before 9/11 there was the hainan island incident:

http://en.wikipedia.org/wiki/Hainan_Island_incident

this spy plane bump and crash brought american partisans and chinese partisans at full war online. how do i know this? because one of my windows boxen in new york at the time got hacked. its front page was replaced with the chinese flag and the text "fuck poisonbox! hacked by chinese". i traced the attacking ip to a technical college near beijing. who is poisonbox? i researched it: he was an american partisan hacker(s) laying waste to various chinese servers at the time

i found an article about the proceedings still online from that era:

http://attrition.org/security/commentary/cn-us-war.html

there is no debate here, it's already happening, done by partisan hackers, in loose affiliation with their governments and the government's turning a blind eye to the hijinks

someone out there, perhaps reading this comment, has the makings of a great book or movie, with years of hardcore cyberwarfare already under their belt. they could be in any number of countries where ultranationalism rages (turkey, greece, israel, pakistan, india, etc.)

Re:hacking? Huh? by Verteiron · 2009-02-18 04:22 · Score: 4, Informative · on Researchers Hack Biometric Faces

Here's an up-to-date partial list of security researchers who have been threatened with legal action for releasing research on security vulnerabilities:

http://attrition.org/errata/legal_threats/

It should give you an idea of why people are concerned.

Re:Police state bullshit. by skeeto · 2008-10-16 04:17 · Score: 1 · on Every Email In UK To Be Monitored

This was devised long ago as something called spook words. In fact emacs has a spook function specifically for this purpose. Tag them on the end of your e-mail or IM or whatever. If enough people do this then they break the filters, kind of like spammers with Bayesian poisoning.

STARLAN ASIO ASO quiche world domination bemd Leitrim Crypto AG Croatian SP4 SSL Jiang Zemin CIA Centro afsatcom

Re:Prediction by MightyYar · 2008-07-30 07:01 · Score: 0, Redundant · on Windows Is Dead – Long Live Midori?

Laws only get you so far:
Behold

And that's just stuff people have bothered throwing up on attrition.org.

Re:Prediction by MightyYar · 2008-07-30 06:55 · Score: 1 · on Windows Is Dead – Long Live Midori?

Here's a site you might find VERY interesting.

Re:Data Loss Database? Been using it for years. by cez · 2008-07-15 16:56 · Score: 1 · on Open Security Foundation To Maintain DataLossDB

Not missing the joke... but just wanted to point out for those who don't know, attrition.org has been keeping track of "lost data" and who's lost it for years...

Good for them to go main-stream with it ;)

Another day, another data leak. by inotocracy · 2008-07-06 14:30 · Score: 5, Insightful · on German Survey Company Loses 41,000 Survey Records

When are these companies going to start getting fined for data leaks? I'd bet this sort of thing would be a lot less common if there was a huge price to pay, other than a useless apology note.

Re:Ira Winkler? by SomeoneGotMyNick · 2008-04-09 23:42 · Score: 1 · on Experts Hack Power Grid in Less Than a Day

There's a nice feature on Ira Winkler in attrition.org's charlatan file:

http://attrition.org/errata/charlatan.html#winkler Yes, that about sums it up. I used to work with the guy about a decade ago. Or at least I reported to him on occasion. He does know a lot of stuff, but as the Attrition article states, you don't necessarily have to ask first to find that out.

Ira Winkler? by drakyri · 2008-04-09 18:10 · Score: 4, Interesting · on Experts Hack Power Grid in Less Than a Day

There's a nice feature on Ira Winkler in attrition.org's charlatan file:

http://attrition.org/errata/charlatan.html#winkler

Read Attrition's Going Postal by willy+everlearn · 2008-01-18 13:12 · Score: 1 · on Down Time At Work — What Do You Do?

Absolutely the best reading anywhere.......Guaranteed!

http://attrition.org/postal/

Re:Any site that documents these breeches? by d0za · 2007-12-05 03:32 · Score: 1 · on Privacy Breach In Canadian Passport Application Site

Here are a few links for you:

By no means comprehensive, but plenty to show a manager.

I love this misguided attempt at security by spagetti_code · 2007-10-11 15:07 · Score: 5, Insightful · on Quantum Crypto in the Real World

Its kinda like when someone says they are using 4096 bit encryption for their SSL banking, and not realising their password is being stolen by a keylogger.

The biggest problem we face today is *not* the encryption. We have bags of good encryption technologies out there, from AES (symmetric) to a variety of Public Key techniques. The problem actually comes from the people and processes at either end of the encryption pipe.

Guess what - no-ones SSID has (probably) ever been stolen while in transit via SSL over the internet. The millions of SSIDs stolen to date have been theft of laptops or admins not securing their websites properly. Hopefully they will understand this, and spend an equal portion of their time/energy securing their endpoints.

Do your deed and fight back by Anonymous Coward · 2007-10-01 16:27 · Score: 5, Interesting · on Bloggers Who Risked All In Burma

To any skilled people reading and maybe remembering this

http://www.attrition.org/mirror/attrition/2000/08/01/www.myanmar.com/mirror.html

Bloggers and other cyber activists within Burma risk their lives by publishing any information counter to the government line, but they still do it because they believe that freedom of expression is worth that sacrifice.

You don't have to make such a sacrifice, but if you have computer skills, can breach firewalls, routers and web site security then you could greatly assist the people of Burma. By taking down official Burmese government propaganda and posting pictures, information about the protests, information about the lies of the Burmese junta, and news of the huge support being offered by the rest of the world - preferably in Burmese - then you could help free the people from this terrible regime.

If the information is removed, do it again - automate the attacks, do whatever you can to ensure that the Burmese can see the truth about their government.

You may have hacked for fun, or personal gain in the past - now you have a chance to hack for freedom.

Regime sites:

http://www.myanmar.com/
http://www.myanmar.com/news/index.html
http://www.mrtv3.net.mm/ (blocked from external access)
http://www.mofa.gov.mm/ (blocked from external access)
http://www.moha.gov.mm/ (blocked from external access)
http://www.mpt.net.mm/ (blocked from external access)
http://www.myanmar-information.net/
http://www.myanmar.com/myanmartimes/
http://www.mnped.gov.mm/ (blocked from external access)
http://www.myanmar.com/newspaper/kyaymon/index.html
http://www.myanmar.com/newspaper/nlm/index.html

Re:internet censorship in Myanmar brought to you b by Bert64 · 2007-09-29 20:19 · Score: 1 · on Internet Blackout in Myanmar Stalls Citizen Report

Actually, many of those sites have already been hacked in the past...
http://www.attrition.org/mirror/attrition/2000/08/01/www.myanmar.com/
A bunch of the government sites got defaced before that too, but i can't find the mirror sites.

Re:Makes sense not to report for a bit by d2d · 2007-07-29 02:26 · Score: 1 · on Intern Loses 800,000 Social Security Numbers

Makes sense for a very little while, perhaps, and is legally permissible in most states to wait a short while if an investigation requires it, but after that you have to warn people.

Losses like this are a CONSTANT occurrence. See http://etiolated.org/ http://www.privacyrights.org/ar/ChronDataBreaches. htm, and http://attrition.org/dataloss. This stuff happens almost every single day. From etiolated: 76,357,930 records lost this year! A rate of over 7 incidents per week.

At least Ohio has been open about it. Companies like IBM, Disney, Johnson & Johnson have had breaches of potentially greater magnitude this year and haven't been a fraction as honest about it : http://attrition.org/security/rant/z/partialtruths .html (shameless self promotion of my rant, but worth a read)

I track this stuff as a hobby, and while Ohio is big...it aint that big in the scheme of things (and they are being somewhat up front about the whole thing).

Re:Makes sense not to report for a bit by d2d · 2007-07-29 02:26 · Score: 1 · on Intern Loses 800,000 Social Security Numbers

Makes sense for a very little while, perhaps, and is legally permissible in most states to wait a short while if an investigation requires it, but after that you have to warn people.

Losses like this are a CONSTANT occurrence. See http://etiolated.org/ http://www.privacyrights.org/ar/ChronDataBreaches. htm, and http://attrition.org/dataloss. This stuff happens almost every single day. From etiolated: 76,357,930 records lost this year! A rate of over 7 incidents per week.

At least Ohio has been open about it. Companies like IBM, Disney, Johnson & Johnson have had breaches of potentially greater magnitude this year and haven't been a fraction as honest about it : http://attrition.org/security/rant/z/partialtruths .html (shameless self promotion of my rant, but worth a read)

I track this stuff as a hobby, and while Ohio is big...it aint that big in the scheme of things (and they are being somewhat up front about the whole thing).

Re:I call bullshit. by mistahkurtz · 2007-07-22 08:01 · Score: 1 · on US Government Checking Up On Vista Users?

we're all forgetting one thing. most large organizations or corporations have problems with keeping track of 100% of the computers in the organization, let alone making sure that no outside machines have been brought in. we've all heard of some rogue machine, plugged into a network or running with a wireless nic, sitting in a 3rd basement janitorial closet for who knows how long doing who knows what, with an origin of who knows where... the DoD and Halliburton wouldn't be immune to this sort of thing. major organizations all over can't even keep track of the hardware they knew they had...let alone monitor what's happening with the hardware they don't know is there.

however, since none of us have access to the DoD, Halliburton, or this users computers or logs, almost any explanation is as likely as another.

Re:part of a larger contingency plan by toadlife · 2007-03-26 10:40 · Score: 1 · on What to Do When Your Security is Breached

For most companies, data breaches usually fall into the #7 slot.

Re:Sit down, son. (I might have known your mother) by anilg · 2007-03-02 21:53 · Score: 1 · on Vista Activation Cracked by Brute Force

Run ShieldsUP! from grc.com to make sure that you're invisible. http://attrition.org/errata/charlatan.html#gibson , http://www.grcsucks.com/ give detailed debunking of this charlatan

Re:That's Nothing by JoshRosenbaum · 2007-02-18 17:54 · Score: 1 · on Network Computing Editor Wins RSA Hacking Contest

I liked it better here:
http://www.attrition.org/postal/z/033/0871.html

Article giving details here:
http://www.networkworld.com/community/?q=node/9999

garbage by symbolset · 2007-01-07 16:04 · Score: 1 · on NYT Security Tip - Choose Non-Microsoft Products

So zdnet got trolled in 2004. Everyone here must be shocked! Information Week disagrees.

As do theregister, theregister, attrition.org, attrition.org, grok.org.uk,

Even mi2g's own research FTA:

The firm estimated that, with around 600 million Windows-based computers worldwide, this works out at between $281 to $340 worth of damage per machine.

Wow. That is a lot of money per Windows box, per year. To do as badly in sum, every linux box on the interweb would pretty much have to commit fusion.

"Windows computers in over 200 countries were infected. Judging by events which unfolded between January and April 2004, there could be a choppy cyber-sea ahead, made all the more complex by new and more dangerous malware families yet to emerge."
The top 10 malware programs of all time, according to mi2g, are MyDoom, Netsky, Sobig, Klez, Sasser, Mimial, Yaha, Swen, Love Bug and Bagle.

Of course, none of those programs run on OSX or linux.

"It serves the purpose of the vendors to blame the users or the virus writers and not themselves for designing 'Swiss cheese' software."

Well at least they got something right.

Don't you MS bloggers have anything better to do? Could you maybe have a look at that virgin Vista IP stack for us? We're a little worried you guys were trolling slashdot and not FIXING THE DAMNED BUGS.