Domain: attrition.org
Stories and comments across the archive that link to attrition.org.
Comments · 361
-
unintellectual capacity of thread breached
The unintellectual capacity for this thread has been breached. I'm appalled at the number of people here who wish to flush *their* constitutional rights down the toilet. It's a right of the people. Who is the government (which derives its power from the people) to take it away, and why are people welcoming it? As I'm sure it has been mentioned in one of the 900 or so posts before mine, "Those who would give up ESSENTIAL LIBERTY to purchase a little TEMPORARY SAFETY, deserve neither LIBERTY nor SAFETY." - Benjamin Franklin.
Also if not already mentioned, "Isn't it funny that those who preach nonviolence are the same ones who 'don't trust themselves' with a gun? Well, if they can't handle it, that doesn't mean we shouldn't. " -- Cancer Omega, 1997 From attrition.org/technical/firearms/index.html which reflects most of my opinions on gun control.
- scire -
Some good examples of what to do
I am surprised no one has pointed you to this site for some good examples of how to use your information.
-
Re:The US cares little about protection from Corps
A case in point. Look at all the data thefts that have occurred over the past few years from unprotected government databases.
One or two look like an "oops."
But hundreds? Either there is a disregard for public records, or perhaps the Government WANTS the data released -- so that a private sector company can do what they can't with the data, and there is plausible deniability about the source.
http://attrition.org/dataloss/
http://www.gcn.com/online/vol1_no1/40840-1.html
but when you look at the civil sector, it's not much better;
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Of course, ChoicePoint is a part of the BushCo government. They helped rig elections in Florida and more recently in Mexico. -
Re:You don't see the problem.
That's a pretty pitiful attempt at a dodge.
An operating system (OS) is a software program that manages the hardware and software resources of a computer. A key component of system software, the OS performs basic tasks, such as controlling and allocating memory, prioritizing the processing of instructions, controlling input and output devices, facilitating networking, and managing files.
...Security
Security as it pertains to the operating system is the ability to authenticate users prior to access, categorize the level of access the user has, and limit access based on a policy placed by administration. Typically an operating system offers (hosts) various services to other network computers and users. These services are usually provided through ports or numbered access points beyond the operating systems network address. Typically services include offerings such as file sharing, print services, email, web sites, and file transfer protocols.
At the front line of security are hardware devices known as firewalls. At the operating system level there are various software firewalls. A software firewall is configured to allow or deny traffic to a service running on top of the operating system. Therefore one can install and be running an insecure service, such as telnet or ftp, and not have to be threatened by a security breach because the firewall would deny all traffic trying to connect to the service on that port.
-- Operating System, Wikipedia
Dodge? I simply asked you to inform yourself of the basic definitions of the discussion--something you should have already familiarized yourself with if you want to have a productive discussion. An anti-virus clearly plays no role in the purpose of an OS, nor is it a key component in building a secure OS--unless perhaps you have a different definition of an OS that you'd like to share?
There's a hell of a lot of people on Slashdot who seem to think it can, however.
Are you familiar with ARGUMENTUM AD NUMERUM? You can't seem to build a logically sound argument as to why not packaging an anti-virus with Vista would make the OS inherently less secure. OS X does not come with a pre-packaged AV, nor do most Linux distros, FreeBSD, NetBSD, Solaris, nor pretty much all other OSes. The fact that it is something that would be packaged alongside the operating system suggests that it's not an integral part of the OS or OS security.
So what is the definition of a secure operating system ? What OSes meet it ? What OSes don't ?
There's no such thing as a perfectly secure OS, but there are relatively secure OS's--these are operating systems that are secure by design (rational security policies), have relatively few exploitable bugs (few system vulnerabilities), and have secure default configurations (easy to secure by the average user). This doesn't entail protecting the user from himself. If an AV detects a virus, then chances are the OS has already been infected. If anything, AV's encourage users to be stupid about what they download since they think the AV will pick up all viruses and they will be more likely to proceed downloading and executing suspicious attachments. You can't build a foolproof system, the trick is to educate the user so they don't act foolishly.
What outstanding remote exploits of that nature are there in Windows ?
http://www.google.com/search?q=windows+exploits http://attrition.org/security/advisory/ http://packetstormsecurity.org/alladvisories/advisories/
...or did you think e-mail attachments were the only threat to Windows? The constant stream of updates and patches tha -
Re:RBLs and not getting your mail
Suppose your normal mail is 90% spam and 10% legit (a pretty reasonable figure if your address is published on the web; my mail is two orders of magnitude worse than that). Then suppose that your spam filter is 90% accurate, in that it tags 90% of spam as spam, and only tags 10% of legitimate mail as spam. (Again, real spam filters usually have much lower false positive and false negative rates than this, after a bit of training.) Then for every one genuine 'rejected' message you send out, you'll send 81 completely bogus messages to forged 'From' addresses. Indeed, your server will be producing almost as much spam as it receives. And once people start getting spam from your mail server, they'll tag it as spam in their mail programs, and your domain and the keywords you use in your rejected messages will get associated with spamminess. You might even get onto a few blacklists. Legitimate mail from your domain will start to be filtered as spam by other people, and as for that one genuine rejection message you were so keen to send out... it's likely to be silently dropped into the recipient's spam folder.
Now I am doom-mongering a bit here. I do still get 'your mail was filtered out' messages from various people, and a lot of the time they don't get marked as spam because each one is different. I don't see any genuine ones, BTW, just bogus ones from worms spoofing mail from my address. The point stands that if you try to send a rejection message for every possible-spam you receive, almost all of them will be bogus and you will be pumping out almost as much sewage as you receive.
Antivirus companies used to be particularly bad at this; see Anti-Virus Companies: Tenacious Spammers. -
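The arithmetic in the post above, as an added example that is not part of the original comment: a small model of how many bogus bounces a server that rejects-by-bounce emits per genuine rejection, given the spam base rate and the filter's detection and false-positive rates. The scenarios at the bottom use the post's 90/10 figures, its "two orders of magnitude worse" inbox, and an assumed well-trained filter (the last set of figures is this example's assumption).

```python
"""Backscatter arithmetic from the post above (added example, not from the
original comment). A server that bounces every message its filter tags as spam
sends most of those bounces to forged sender addresses; this models how many
bogus bounces go out per genuine rejection."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterStats:
    spam_fraction: float   # share of inbound mail that is spam
    detection_rate: float  # share of spam the filter tags as spam (true positive rate)
    false_positive: float  # share of legitimate mail the filter tags as spam


def backscatter_per_genuine_rejection(f: FilterStats) -> float:
    """Bogus bounces (sent to forged From: addresses) per one genuine rejection."""
    bogus = f.spam_fraction * f.detection_rate
    genuine = (1.0 - f.spam_fraction) * f.false_positive
    if genuine == 0.0:
        return float("inf")          # nothing legitimate is rejected: every bounce is bogus
    return bogus / genuine


def outbound_share_of_inbound(f: FilterStats) -> float:
    """Fraction of inbound volume re-emitted as bounces (bogus plus genuine)."""
    return f.spam_fraction * f.detection_rate + (1.0 - f.spam_fraction) * f.false_positive


def bogus_bounce_fraction(f: FilterStats) -> float:
    """Share of all outbound bounces that go to forged addresses."""
    total = outbound_share_of_inbound(f)
    return (f.spam_fraction * f.detection_rate) / total if total else 0.0


if __name__ == "__main__":
    scenarios = [
        ("post's figures", FilterStats(0.9, 0.9, 0.1)),
        ("99.9% spam inbox", FilterStats(0.999, 0.9, 0.1)),    # "two orders of magnitude worse"
        ("well-trained filter", FilterStats(0.9, 0.99, 0.001)),  # assumed figures
    ]
    for name, s in scenarios:
        print(f"{name}: {backscatter_per_genuine_rejection(s):.0f} bogus per genuine rejection, "
              f"{outbound_share_of_inbound(s):.0%} of inbound re-emitted, "
              f"{bogus_bounce_fraction(s):.1%} of bounces bogus")
```

Note that a better filter makes the ratio worse, not better: lowering the false-positive rate removes the genuine rejections while the bogus ones, driven by the spam fraction, stay put. The fix is to refuse the message during the SMTP session (so the connecting server, not a forged envelope sender, sees the rejection) or to discard silently; generating a bounce after accepting the message is the problem.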
Classic snake oil: Blitzkrieg!
Anyone remember the Blitzkrieg server, which seems like the solution to all of the world's security needs? The expression Bruce Schneier used was "just too bizarre for words". I don't know if this was an elaborate trolling attempt or an actual real honest scam to deceive the terminally dumb, but it's fun to read, still, just for the amazing technobabble and ludicrous claims.
-
Are you sure he didn't accidentally...
...call these people?
-
Re:Policy wonk?
Let's also remember that Richard Armey was given the Poetic Justice Award because his web site was blocked by the filtering software that he voted to make mandatory. Time to change your name, Dick!
An anonymous submitter noticed that the Web site of Richard "Dick" Armey, Majority Leader of the U.S. House of Representatives and a staunch defender of censorware and strict Internet regulation, is himself a victim of censorware. Netnanny, Surfwatch, Cybersitter, N2H2, and Wisechoice are among the "software solutions" which Armey advocates. All of them filter his site because it contains the word "dick."
-
Maybe, Maybe not
Take a look at this link: http://attrition.org/security/advisory/AusCERT/SA-93.03.Suggested.Login.Banner and take specific notice of the advice regarding the use of the word "Welcome" near the bottom. -
You've got to be Kidding!
You call double-digit hacks a growing trend? Where do these folks live, under a rock? Don't tell me you've never heard of Attrition.org? Just how many HUNDREDS of sites were defaced in the past?
-
Internet Sex chart
The scientists were also able to apply this model to describe specific types of contacts to produce a distribution that again closely resembles real-life acquaintances. For example, to separate sexual contacts from all social contacts, the scientists assigned to the sexual contacts an intrinsic property that could then be used to model these distinct networks. In this case, the model reproduced the real sexual contact network found in a tracing study of HIV tests.
I wonder how it compares to the internet sex chart Similar properties? Or are the efneters of a different variety. -
Which is funny
... because they have such an *excellent* security track record with Solaris.
Well, okay, some of those are NT. -
Re:I'm interested in how they calculated this numb
"How did they manage to calculate such a number"
It's actually fairly easy to calculate this number.
First, pick a LARGE random number. This number should be roughly equivalent to the biggest number you can think of. Next, multiply this number by 4. Finally, divide by a suitable power of 10 so that the number doesn't seem too impossible.
More seriously...
I recommend people to check out attrition.org's Statistics section ( http://attrition.org/errata/statistics/introduction.html )
One section I feel obligated to quote is:
"One of the largest things media outlets use to back their claims are statistics. It is absolutely incredible how many times a media outlet will quote a statistic and not credit where it came from. Further, they are fond of taking creative liberty with how they quote the article to suit their needs.
These stats cover damage to systems, percentage of intrusions, and everything else. There are simply too many instances of suspect statistics as they relate to the computer security industry to read, match and provide analysis of them all." (from http://attrition.org/errata/stats.html ) -
Re:Working Definition
*postage paid by end user. Please include a stamped, self-addressed return box. 350 dollar processing fee required. Void in New York, California, and anywhere else those linux loving hippies live.
Lame. I thought that Microsost would have a more potent disclaimer... -
Re:Finally
Make sure that these people are indeed contacting AOL in order to cancel the service.
-
Re:PDF of the Presentation
Yet another mirror: http://attrition.org/misc/ee/lynn-cisco.pdf
-
Reminiscient of the old "Blitzkrieg Server"article
This reminds me of the old 'Blitzkrieg Server' article in Signal magazine some years ago...
(Links follow for a brief description):
http://www.findarticles.com/p/articles/mi_m0CGN/is_n114/ai_20783335
http://attrition.org/errata/www/pd.001.html
But, I think that there may actually be room for active-response systems. Also, properly employed, they would be perfectly legal.
There is no reason that such tools be deployed in public networks. Some organizations have networks (including large and complex networks) that are completely and totally privately owned, and totally segregated from public networks. Such organizations may (subject to appropriate risk reviews) make judicious use of passive and even active response systems.
There are other ways to communicate than IPv4. There are indications in messages that active-response systems can't work because of spoofing. Suitable integrity and encryption methods can be used to validate source and IP address data.
There may be more modest active-response methods that may be more generally useful. For example, if traffic is located from a hostile system, the source of the traffic may be back-tracked, and shut off near its source. Not easy - and not necessarily today - but there could be places where such approaches may be deployed.
Sam Nitzberg
dontspamthis_______sam@iamsam.com
http://www.iamsam.com/
http://www.nitzbergsecurityassociates.com/ -
Re:Scared?
And in other news... Longhorn will have a file system, we don't know what exactly or when but we are sure it will have one....
sorta sounds like...
this old joke -
Easy to see why
Thousands of people gripe about Windows having this "awful security hole" thanks to misinformation on GRC, and are generally so uptight about information they find on there that they'll cripple their internet connections, wreck the data on their harddrives, and so on...all in the name of being secure! (his entry on http://attrition.org/errata/charlatan.html links to http://www.grcsucks.com/ which describes some of the mania people will go through at Gibson's prompting)
So what happens if MS doesn't pander to them? They constantly get bad press from people who constantly spout off about "security" that they gleaned from the Gibber's site. What happens if MS does pander to them? A few people are upset, but most of the bad press on this issue goes away.
So what should they have done? Wait it out, and take the high road? They've tried that. Educate the users? We've tried that. What else? -
The ping of Death
When I was 13, I used to be in a hacking group known as ViRii on Undernet.
Around that time (early to mid 90s), there were several hacker group wars going on on Undernet. I remember the +++ATH0 exploit among many dozens of other exploits at the time.
In mIRC, you could do: //raw NOTICE VictimsNick : $+ $chr(1) $+ PING +++ATH0 $+ $chr(1)
And their modem would hangup/reset.
There was a guy named VallaH I knew in my hacker group. He was the one who originally discovered the Ping of Death in Windows 95. He also wrote jolt.c and many others. He was among the first people to find remote exploits in Windows 95. (Microsoft actually hired him that year to work on Windows NT network security; I was quite jealous at the time.) The funny thing is, he only designed it to nuke Windows, but it also worked on early Linux 2.0 kernels, Solaris and Mac (since they all used mainly the same BSD TCP/IP code, I'm guessing).
Vallah later lost his job at Microsoft due to his hacking past/present, I'm guessing.
Quoted from this archived email:
"My friend, I will call him Vallah. Lost his job at Microsoft working on network interoperability(sp?) for Windows 2000 when the FBI showed up with a warrant for the files on his machine at work. He has still not been charged with anything and most likely won't be... again, mainly because he hasn't done anything. Guilty by association and an infamous past."
I wasn't a hacker myself, more of a wannabe (script kiddie) hacker. I mainly just nuked other people on IRC and did channel takeovers, etc. The fun lasted until I was around 15 (I'm now 22). A lot of the more serious hackers I was associated with ended up getting caught by the FBI. I have literally hundreds of old hacking stories from my early days with IRC. (Note that I'm now into computer security, not destructive behaviours like hacking.)
I have one other story about a guy I knew around my age by the name of XaiL. He was 13 at the time, and he hacked nasa.gov using an old phf exploit. I used to talk to him on the phone long distance, he was a funny guy, sounded like a girl, he hadn't even started puberty by the sound of his voice. I do admit that the only hacking I ever did was using this same phf technique, long since patched. I'm not proud of my early days as a destructive script kiddie hacker, but at the time, it was so much fun.
I also had a very small part in writing the mIRC script known as 7th Sphere (my code was included in the last release, version 3.0, not the previous 2.666). At the time it was a hugely popular "war" script used by script kiddies to nuke, flood, do channel takeovers and many other evil deeds on IRC servers. It came with programs made by Rhad using VB, most notably was "click.exe", a program that let you instantly "nuke" any victim. If you do a google search for click.exe or "Rhadware", you will get the idea of how evil his programs were. -
The sky is falling, the sky is falling
This incident is just another example which demonstrates the importance that KDE, Mozilla & Mozilla Firefox's open source culture places on security. Hasn't anyone at Mozilla and KDE ever heard about regression testing?
This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Linux's open source culture places on security. Hasn't anyone at Linux ever heard about regression testing?
Open source has consistantly (sic) demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to open source products.
See how stupid your comment is? No? Didn't think so. -
Suggested response...
While I can't take direct credit for this suggestion, as it's taken from an entry in the Going Postal section of Attrition, I still think the best answer to iDownload is...
"Eat a bowl full of dicks."
-
+++ATH0 Exploit
This sounds like he was using the +++ATH0 exploit to dial the numbers: if the text "+++ATH0" appears in a single IP datagram sent to a modem user, then the modem will hang up. He probably just followed the "+++ATH0" with "ATDT911". If I remember correctly, due to the size of a datagram, he would not have been able to use a full 7 digit number.
See also:
http://www.attrition.org/security/denial/w/mod-ath.dos.html
From: Pete Gonzalez gonz@JEFFERSON.ML.ORG
To: BUGTRAQ@netspace.org
Date: Mon, 28 Sep 1998 02:36:40 -0400
Subject: Re: 1+2=3, +++ATH0=Old school DoS
I have a Diamond SupraExpress 56k modem (purchased a month ago) which
dials an Erol's account. I tried the exploit posted by Max Schau, and it
worked first try.
Also, it occurs to me that this vulnerability could possibly be used to
make the person's modem hang up and dial 911. :-)
-
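The mechanism in the two posts above (a modem that honours the Hayes "+++" escape inside data it echoes back, so a ping payload carrying "+++ATH0" makes it hang up), as an added example that is neither from the thread nor from the Bugtraq post: an ICMP echo builder and parser with RFC 1071 checksum handling, plus a check that flags a payload carrying the escape-plus-AT-command pattern, which is what a detection rule for this old denial of service looks at. The sample packets are constructed here, not captured, and the regex is this example's own choice of pattern.

```python
"""Spotting the +++ATH0 modem hang-up payload in ICMP echo datagrams.
Added example, not code from the thread. Builds and parses ICMP echo packets
(the vehicle the Bugtraq post used: ping) and flags payloads that carry the
Hayes escape followed by an AT command."""
import re
import struct
from typing import Dict, Optional

# Hayes escape "+++" followed (after optional CR/LF/spaces) by an AT command,
# e.g. ATH0 (hang up). Modems that skip the guard time act on it mid-stream.
HAYES_ESCAPE = re.compile(rb"\+\+\+[\r\n ]*AT[A-Z0-9]", re.IGNORECASE)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                       # odd length is padded with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request) carrying `payload`, with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Dict[str, object]:
    """Split an ICMP echo/echo-reply packet into fields; ValueError if malformed."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    # Summing the whole packet, checksum field included, yields 0 when intact.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def hayes_escape_in_payload(payload: bytes) -> Optional[bytes]:
    """The matched escape-plus-command bytes if the payload could drop a modem."""
    m = HAYES_ESCAPE.search(payload)
    return m.group(0) if m else None


def flag_packet(packet: bytes) -> str:
    """Classify one ICMP packet as 'hayes-escape', 'echo' or 'other'."""
    fields = parse_echo(packet)
    if fields["type"] not in (0, 8):
        return "other"
    return "hayes-escape" if hayes_escape_in_payload(fields["payload"]) else "echo"


if __name__ == "__main__":
    # Constructed samples, not captures: an ordinary ping payload and the
    # hang-up string the thread describes. Here they only exercise the parser.
    for payload in (b"abcdefghijklmnop", b"+++ATH0\r"):
        pkt = build_echo_request(0x1234, 1, payload)
        print(payload, flag_packet(pkt), hayes_escape_in_payload(payload))
```

The check runs on the payload of either direction: the datagram that hurts is the one the victim's host echoes back out through the modem, so an echo reply with this payload is as much a signal as the request that provoked it.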
Re:Kind of like
-
Re:Now all we need...
This site says it better than I could ever say it.
-
Re:This is senseless
Ahh, now you make much more sense, and I see your gripe with the article (I will add it to my long list of gripes with the article).
A more useful test would be to observe how quickly the box would be compromised if the assailants were specifically targeting the box and knew exactly which OS it was running, what patch level, and had the correct tools available to use it.
Interestingly, what you suggest has already been tried and dismissed by the infallible moderators of slashdot. Case dismissed. NEXT!
:)
Actually, while I was reading some of that stuff... it made me so angry I thought "Let those ignorant Windows users keep on thinking that their beloved OS is uncompromisable. I don't need them enlightened anytime soon." Now I know why others do advocacy and NOT me
:) -
reminds me of this dilbert cartoon
Saw this ages ago on attrition, seems to fit well
http://www.attrition.org/postal/dilbert_email.jpg
-
You have been trolled by Mi2G
Mi2G are about as expert in computer security as your local nursery school; they are basically a fraud outfit that deceives companies by using FUD in order to transfer cash from company accounts to the chairman's pocket, and Slashdot linked them up
and you wonder why no one subscribes and blocks Slashdot's adverts
in the security scene they are worthless
Register article -
Re:no, the cat HASN'T got my tongue.
And code signing doesn't really help much, because *all* ActiveX controls have to be signed to have any chance of being safe
Even if signing the code would be secure it doesn't help a hell of a lot if the good burghers at Verisign hand out the keys to every pimply faced teenager walking in.
This advisory describes this spectacular goof in detail. I quote:
In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.
-
There's also "ntcrash", but Microsoft killed it
There's also "ntcrash2" which generates random Win32 calls. It saves what it's doing in a file, so when you crash, there's a record. After the reboot, it starts up again, avoiding all recorded crashes in its log. Microsoft was very upset about that.
That's not even a very tough test. A tougher test would be to generate calls which are permuted slightly from valid ones.
-
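The resume-after-crash mechanism described in the comment above, together with the reply's suggestion to permute valid calls rather than fire purely random ones, as an added example that is not ntcrash2's code (which is not on this page). The target is a simulated function standing in for a real system call, the two crash conditions in it are invented for the demonstration, and the journal format (one tab-separated line per call, an "ok" line after each call that returns) is this example's own design.

```python
"""Crash-journal fuzzing loop modelled on the ntcrash2 description above.
Added example, not the tool's code. Each call is journaled and fsync'd before
it is made and acknowledged after it returns; a crash leaves an unacknowledged
entry on disk, and the next run (the "reboot") skips it."""
import os
import random
from typing import Callable, List, Optional, Set, Tuple

Call = Tuple[str, int, int]          # (API name, arg0, arg1)


class TargetCrashed(Exception):
    """Stands in for the machine going down (a reboot, in ntcrash2's case)."""


def fake_syscall(call: Call) -> int:
    """Simulated target; an assumption of this example, not a real Win32 entry point.
    It falls over on a null handle or an oversized length, the kind of missing
    argument validation a random-call fuzzer turns up."""
    name, a0, a1 = call
    if name == "ReadFile" and a0 == 0:
        raise TargetCrashed(f"{call}: null handle dereference")
    if name == "WriteFile" and a1 > 0x7FFFFFFF:
        raise TargetCrashed(f"{call}: length overflow")
    return a0 ^ a1


def mutate(valid: Call, rng: random.Random) -> Call:
    """Permute one argument of a known-good call: a boundary value or one flipped bit."""
    name, a0, a1 = valid
    which = rng.randrange(2)
    current = a0 if which == 0 else a1
    new = rng.choice([0, 0xFFFFFFFF, 0x80000000, current ^ (1 << rng.randrange(32))])
    return (name, new, a1) if which == 0 else (name, a0, new)


def load_crashes(path: str) -> Set[Call]:
    """Calls that were journaled but never acknowledged: each one took the box down."""
    crashes: Set[Call] = set()
    pending: Optional[Call] = None
    if not os.path.exists(path):
        return crashes                      # fresh run, nothing to skip
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line == "ok":
                pending = None
                continue
            if pending is not None:         # previous entry never reported back
                crashes.add(pending)
            name, a0, a1 = line.split("\t")
            pending = (name, int(a0), int(a1))
    if pending is not None:
        crashes.add(pending)
    return crashes


def fuzz(journal: str, valid_calls: List[Call], rounds: int, seed: int,
         target: Callable[[Call], int] = fake_syscall) -> Tuple[int, Optional[Call]]:
    """Make up to `rounds` mutated calls; return (calls made, crashing call or None)."""
    skip = load_crashes(journal)
    rng = random.Random(seed)               # same seed replays the same call sequence
    made = 0
    with open(journal, "a") as fh:
        for _ in range(rounds):
            call = mutate(rng.choice(valid_calls), rng)
            if call in skip:
                continue                    # already known to crash the target
            fh.write(f"{call[0]}\t{call[1]}\t{call[2]}\n")
            fh.flush()
            os.fsync(fh.fileno())           # the record must hit disk before the call
            made += 1
            try:
                target(call)
            except TargetCrashed:
                return made, call           # no 'ok' line: the entry stays unacknowledged
            fh.write("ok\n")
    return made, None


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "ntcrash.journal")
    known_good = [("ReadFile", 4, 1024), ("WriteFile", 4, 512)]   # constructed seeds
    for run in range(3):                    # each "reboot" resumes and skips known crashers
        made, crash = fuzz(path, known_good, rounds=500, seed=42)
        print(f"run {run}: {made} calls, crashed on {crash}")
    print("journaled crashers:", sorted(load_crashes(path)))
```

Replaying with the same seed is what makes the skip list useful: the second run regenerates the identical sequence, steps over the call that killed the first run, and carries on to the next one, so the journal accumulates one new crasher per reboot.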
Re:Of course that's nothing...
Actually, anyone saying they were Securing Pricelessness would probably have the humour-deprived legal monkeys at MasterCard sending them a Cease and Desist... like these guys http://www.attrition.org/news/mc/
It's getting to you can't even speak without infringing someone's bs copyrights : "drivers wanted" (VW), "do the right thing" (Quaker Oats), "just do it" (Nike), "hello, world" (SCO).
-
Meinel Project
It appears that this is another project by the somewhat infamous Carolyn Meinel:
Registrant:
M B Research (UBERHACKER3-DOM)
P.O. Box 1520
Cedar Crest, NM 87008
US
Domain Name: UBERHACKER.COM
Administrative Contact:
Meinel, Carolyn (CM1773) cmeinel@TECHBROKER.COM
M/B Research
PO Box 1520
Cedar Crest, NM 87008
US
(505) 281-9675 fax: (505) 281-9675
Technical Contact:
Marchand, Bill (BMS103) bill@UnixHQ.org
Digital Information Solutions
P.O. Box 5612
Glendale, AZ 85312
US
Unlisted fax: Unlisted
Record expires on 03-Dec-2004.
Record created on 03-Dec-1999.
Database last updated on 30-Aug-2004 01:59:31 EDT.
Those who have followed her career or been in direct conflict with her might offer some warning. I would suggest one do some research and decide for oneself. But I personally wouldn't bother with the site now that I understand its source. -
Meinel
This Web site is actually managed by the infamous Carolyn Meinel, whose tendency to sensationalize is well documented. YMMV.
-
Re:Oh, really?
Considering the source of the study, I'll pass on comment. I think this says enough.
-
Re: Free Mal_Vu
Contrary to popular belief, mal_vu didn't really pass a Turing test -- she would have had to fool real people as well as FBI agents.
-
Re:Blame it on Linksys
I disagree with your glowing commendation of everything LinkSys. These are the geniuses whose early-model DSL routers would reveal the login password by clicking on "View Source" at the login page.
With my first LinkSys DSL router I found that Internet traffic would inevitably become sluggish or just stop working after several days of heavy use and would not behave normally until I cycled the power. When I mentioned this to a friend he told me that he had two LinkSys routers at his office plugged into lamp timers so they cycled power every night. I took it as a joke until I visited his office one day and saw the timers attached to the wall beside the routers!
I moved up to a newer LinkSys router to support a couple of laptops via wireless connection. The range was weak and connections would frequently drop when both laptops were used simultaneously.
I'm currently using a US Robotics (3COM) wireless DSL router that is giving me no problems at all.
I must admit, however, that Linksys has the first wireless DSL router I've seen with actual support for Wi-Fi Protected Access. I'm still waiting for a firmware upgrade on my USR box to support that.
-
STOP de "get a gun" madness!
And have a look here at 40 Reasons to Support Gun Control.
The chances are that you will not have the same experience with guns as the mugger anyway, and probably he will take your gadgets AND the gun.
Plus carrying a gun is the best way of getting shot at.
-
Re:Spam And Viruses
This is implemented by my ISP (Road Runner NYC). Emails containing viruses are replaced by a text message warning that a virus was sent to the email address.
Yes. And they send a warning to the faked address in the worm e-mail, too!
:-(
And I can't reach them to send them a link to Anti-Virus Companies: Tenacious Spammers
... -
Re:Must have been considered a liability
Paypal does have a habit of scamming its customers. Attrition.org has a good article about one person's experience here.
-
Re:Crap site
I'm really really surprised no one else has pointed this out. This is all a bunch of bullshit. This site is not a security site. It is an insane woman who is delusional. All things should be taken with two pounds of salt. It is a site run by Carolyn P. Meinel. Read more here.[attrition.org]
-
It would be nice if they could spell...
You like looking at the IE error page? Weirdo
;P
Everyone should know that it is ATTRITION.org, anyhow (and, at least, the link is correct). -
They're still at it?
Mastercard has been at this for a while now. They went after attrition.org in July of 2001.
-
so uptight
-
Re:Looks like they're on a suing tour...
For the Attrition case, this page tells the whole story. Put simply, Mastercard ends up looking stupid.
-
Re:Generally so, but not for /.
Google isn't valid HTML either. And they still use an embedded style element rather than a highly cacheable external stylesheet, and still use crap like
HTML is broken, not google.
LaTeX - it's not just for bootie calls
-
Re:Should have been running a windows box
You can read about some of the times it got hacked here. Hacked by Chinese anyone? The link lists over a dozen more.
-
Re:Curador's Hack circa 2000
Details can also be found here, including the credit card number and Bill's hard-to-guess password.
(But don't get too excited, the card expired long ago.)
- shadowmatter