Domain: attrition.org
Stories and comments across the archive that link to attrition.org.
Comments · 361
-
Re:Fun and games with statistics
-
another interesting read off of attrition
Some more reading (doesn't look like it was posted here yet)
http://www.attrition.org/errata/sec-co/mi2g-01.html -
The Truth about mi2g
-
Re:Exactly what I was thinking
-
Re:mig2 security company = charlatans
In an effort to pick up some of that informative karma, here's the link mentioned above. Summary: the company claims to collect data from 1995, but didn't actually enter the security business until around 1999, when it slid into its current business of "security intelligence provider". Further, it has a history of citing numbers of attacks and cost of damages without basis. Looks like a quality operation, if you ask me.
-
Re:From Greg over @ OS-News
-
Can you say "liars"...
-
Do you google?
-
All PR and no substance. . . .again
So now Red Hat is using the tired and cliche approach of getting PR by hosting a cracker contest. You would think that they'd have learned from previous examples. Just because a system hasn't been defeated in a cracker contest doesn't mean it's secure. Security is a process, not something you can shrinkwrap. The proper way to demonstrate the security of a product is through repeated, thorough code audits like some other software distributions are doing. Things must be looking dire indeed for Redhat if they're starting to make announcements of products like this a la another company we know and love.
-
Mittens and earplugs...
The biggest thing that is leading some to consider these jerks "heroes" is their disability. Reading the article, I find little to respect about their "skilz" as it seems that most of their tech-dependent exploits were performed using software not written by themselves. Knowing what script to run does not necessarily imply an understanding of how it works.
The sad thing is that it seems that those with little or no skill garner accolades if they also demonstrate an accompanying lack of restraint or outright dishonesty. While conscientious tech explorers and practitioners go unnoticed by the media, loud-mouthed script kiddies and clueless "experts" get to tout their wares and mythical skills to the most respected security companies.
As to whether their sentencing was appropriate, it seems a little light to me. In keeping with Mitnick's extended probation from computing equipment, these jerks should be sentenced to mittens and earplugs for the next five years.
-
Re:Microsoft Security
Microsoft Security. What's it all about? Is it good, or is it whack?
I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.
Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).
-
Patching only works against script kiddies
Patching only stops attackers who exploit vulnerabilities found by others. A serious attacker (one with a specific target and some form of gain in mind) may have the ability to find new vulnerabilities. They won't talk about it, so the patchmakers won't know to close the hole.
Finding new vulnerabilities isn't hard. Remember ntcrash? Variations on that theme should discover new holes automatically over time.
-
Re:Factual post : most secure server is NOT apache
This valuable informative post got modded down to -1 even though it is nothing but 100% informative, and I rarely ever post it. Therefore I will post it three times in case the apache-fanboy mods it down to -1 again
It probably got modded down because it's full of inaccuracies, falsehoods, and shoddy reasoning.
Sure, WebStar on MacOS 9.x might be really secure, but many of your arguments are spurious and stupid.
Because no mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.
Why?
A more interesting question would be, "Can you back that up?"
If you insist on "Why?" and we assume it to be true, answers like, "because it's such a minority of the servers that people attack other, more popular servers" are likely.
Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currently sold G4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 7 years, even when paired up with its preferred web server app.
OpenBSD has had several holes. Of course, several of those holes are local exploits by non-root users. Those are serious holes, but to say that MacOS 9.x lacks them is stupid. Everyone on MacOS 9.x has root-like privileges. A more honest way of saying this is that OpenBSD has several local user holes available, but MacOS 9.x has an infinite number since there is no real local security.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
BugTraq doesn't contain a listing of all possible attacks ever. It contains a list of exploits that people actually bothered to find. One possibility is that MacOS 9 was largely ignored by the security community as uninteresting.
Also interesting is this claim of two remote attacks. Untrustworthy source? Possibly, but no less trustworthy than Mr. Coward above.
...I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Highly sophisticated abstract-OS models? Moderators let that one slip by? MacOS 9.x is from the dark ages of personal computers. One buggy program could easily hang the system, muck about with other programs' memory, and generally hose your system. While it had an elegant user interface, its kernel is from the era of DOS.
2) No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
That's a bloody stupid claim "It's more secure because it's less secure." I'm going to demand that the military stops putting locks on their doors, after all it means that the guards will be more vigilant. The best security is defense in depth, having your web server run as a restricted user is part of a good security system. You can carefully write secure code even with additional defense.
3) Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usu
-
Re:PowerPC was *supposed* to become a commodity ch
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence."
Please, if you are going to quote people, REFERENCE THE QUOTE!
That quote came from Jeremy S. Anderson... (ref.) -
Best is the ATTRITION disclaimer...From Attrition.org.
This product is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Some assembly required. List each check separately by bank number. Batteries not included. Contents may settle during shipment. Use only as directed. No other warranty expressed or implied. Do not use while operating a motor vehicle or heavy equipment. Postage will be paid by addressee. Subject to CAB approval. This is not an offer to sell securities. Apply only to affected area. May be too intense for some viewers. Do not stamp. Use other side for additional listings. For recreational use only. Do not disturb. All models over 18 years of age. If condition persists, consult your physician. No user-serviceable parts inside. Freshest if eaten before date on carton. Subject to change without notice. Times approximate. Simulated picture. No postage necessary if mailed in the United States. Breaking seal constitutes acceptance of agreement. For off-road use only. As seen on TV. One size fits all. Many suitcases look alike. Contains a substantial amount of non-tobacco ingredients. Colors may, in time, fade. We have sent the forms which seem right for you. Slippery when wet. For office use only. Not affiliated with the American Red Cross. Drop in any mailbox. Edited for television. Keep cool. Process promptly. Post office will not deliver without postage. List was current at time of printing. Return to sender, no forwarding order on file, unable to forward. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. At participating locations only. Not the Beatles. Penalty for private use. See label for sequence. Substantial penalty for early withdrawal. Do not write below this line. Falling rock. Lost ticket pays maximum rate. Your canceled check is your receipt. Add toner. Place stamp here. Avoid contact with skin. Sanitized for your protection.
Be sure each item is properly endorsed. Sign here without admitting guilt. Slightly higher west of the Mississippi. Employees and their families are not eligible. Beware of dog. Contestants have been briefed on some questions before the show. Limited time offer, call now to ensure prompt delivery. You must be present to win. No passes accepted for this engagement. No purchase necessary. Processed at location stamped in code at top of carton. Shading within a garment may occur. Use only in a well-ventilated area. Keep away from fire or flames. Replace with same type. Approved for veterans. Booths for two or more. Check here if tax deductible. Some equipment shown is optional. Price does not include taxes. No Canadian coins. Not recommended for children. Prerecorded for this time zone. Reproduction strictly prohibited. No solicitors. No alcohol, dogs or horses. No anchovies unless otherwise specified. Restaurant package, not for resale. List at least two alternate dates. First pull up, then pull down. Call toll free before digging. Driver does not carry cash. Some of the trademarks mentioned in this product appear for identification purposes only. Record additional transactions on back of previous stub. Unix is a registered trademark of AT&T. Do not fold, spindle or mutilate. No transfers issued until the bus comes to a complete stop. Package sold by weight, not volume. Your mileage may vary. This article does not reflect the thoughts or opinions of either myself, my company, my friends, or my cat. Don't quote me on that. Don't quote me on anything. All rights reserved. You may distribute this article freely but you may not make a profit from it. Terms are subject to change without notice. Illustrations are slightly enlarged to show detail. Any resemblance to actual persons, living or dead, is unintentional and purely coincidental. Do not remove this disclaimer under penalty of law. Hand wash only, tumble dry on low heat. Do not bend, fold, mutilate, or spindle.
No substi
-
Re:Practical UNIX...
I prefer the older, more direct edition.
-
Re:I've got something important to say about Real.
-
Re:To/From Office
Well, after they drive the 4 miles to get to the stationary bicycles, once they get there, they find it hard to walk.
-
Re:I'm suing the girlscouts
Dang.
Sorry Mattel busted you dude after visiting your website.
Here is something that will cheer you up and piss off Mattel more if you post it at your website.
-
Re:Code defects appear to be a small part of the e
Maybe that's because the majority of web servers are running on Unix/Linux?
True, but according to statistics 56% of defaced webservers run Microsoft IIS, and (only) 34% Apache..
This is not brand new data, but it is the latest I can find
... And If Microsoft had some stats showing different results, you can be sure they would publish them..The competition was about defacing 6000 webservers in 6 hours, so one would tend to conclude from the above that Microsoft IIS would be the primary targets..
-
Re:Steal everything.
I think this sums up what the RIAA thinks of its customers and the artists it (in)directly controls.
-
Wrong....I suspect the reason the slashdot crowd likes PHP so much is due to.........
No!No!No!....
One last time :
*The* reason ;o)))))) -
Come on now....
...we all know the real reason a lot of people prefer PHP over Perl;o))))))
-
Re:I've seen this before
I also remember that problem with Apache. Here's the report and the code change involved for that particular bug.
-
The Beauty of Social Software is...
The beauty of social software is that it opens up a whole new class of people I can say to: "Go away, or I will replace you with a very small shell script."
Just imagine it: half the managers and all of HR: whoosh! evaporating into a cloud of their own useless chatter, while they themselves are replaced by bots.
What a wonderful world it would be.
Free mal vu !. -
Screenshots!!!
-
Re:They need to talk to Brad Templeton
See also the response from Attrition, who got nastygrams due to their image archive. They didn't take it too kindly either...
-
Re:What is Enlightenment? Refresh my mem
Remember... Geeks actually get some (Fixed font recommended), even though it is mostly with the same handful of whores....
At least the two girls I've met (and thankfully not fucked) on that chart are no longer in the top ten. You people sicken me... Now, I'm going to go GIS for a picture of the (gotta be a) chick in #1 whom I've never even heard of. I hope that I'm not sickened to my stomach.
-
Re:All False
Since the mirror link in the archived slashdot story you posted is broken:
Mirror of the slashdot hack, courtesy attrition.org:
http://www.attrition.org/mirror/attrition/1998/09/09/www.slashdot.org/ -
Re:So why...
Attrition??? still up these days? From the days I used to *cough* see people deface things *cough* I used to send them links, I mean look there.
-
Even MORE vehement positions
> What amazes me about the political discussions on Slashdot is how many
> people hold vehement positions even though they don't follow the news
Scarier is that this Slashdot discussion is refreshingly civil compared to what I've encountered the last few days! Last Sunday I released a version of Nmap and included a very short peace plea at the top of the announcement. I received well over 50 replies. While a few people such as Ilan Meller of Israel and Amir Safayan from Iran presented reasoned cases for preemptive action against Iraq, most of the replies were the worst flamage I've seen in years!
For suggesting that perhaps Bush could have been a little more patient with the UN & weapons inspectors, one person said I am "obviously a terrorist". Another concluded that Nmap "is spyware to spy on the american people." Chet from Hotmail explained that we must attack because "the religion of Islam seeks to destroy the USA". Jason from CMITexas said "Stick it up your ass!
.... You are another resentful European loser. I demand an answer now asshole!!!!" Another crazy Texan said "Iraq will bow to the most powerful nation in the world and you will stand by and observe. Your representatives are powerless against gods chosen nation. No country has the power or the intellect to do anything about it." Guys: I am a proud US Citizen residing in California -- please tailor your invective appropriately.
Fortunately I sent out a second mail yesterday which noted the flames above and also clarified my points. I was quite gratified that this one already has elicited more than 220 replies, with 95% being civil! Many still disagree with me, but at least they respected my right to have and express my beliefs. It restored some of my faith in humanity (or at least in Nmap users). I can appreciate alternative views too. What frustrates me are the people who believe Saddam is linked with Al Qaeda or a bigger threat to the US than North Korea only because Bush says so.
I wish I had time right now to go through the hundreds of mails and piece together some of the very best arguments on each side. But I guess
/. has no dearth of comments already :). So I'll just leave you with a few links I found interesting or funny ;).
- A very relevant and insightful quote from Hermann Goering at the Nuremberg Trials.
- One of the few web site defacements I find amusing ;)
And on a completely different (and much happier) note, I am pleased to announce just-released version 3.20 of the Nmap Security Scanner. It is the first "stable" release since last July and contains hundreds of improvements (release notes)
--Fyodor -
Social networks...
How is the sexual life of geeks, crackerz and other members of the Internet underground documented? Check this out. A Wired story about this too!
-
Re:It's called the ports tree. Tsarkon Reports
Wow, "fucking links". That sounds like fun. Is a fucking link the thing that connects people on a sex chart?
Or do you just have a really fucking limited vocabulary?
Or are you just lacking in human interaction skills?
Or are you just a mindless git?
Or what?
[Note to mods: -1 Offtopic, -1 Flamebait, +1 ParentSubmittedByWanker] -
1,100-person LAN party ... that's nothing!
That's nothing compared to this LAN Party!
-
Oh no!
The lowest quality brand of printer on the market has decided that people can't copy their cartridges!
What's next?
Will it be illegal to make generic versions of RC Cola?
Illegal to make work-alikes to "No-Ad" sunblock?
No one will be able to make anything that looks like a Ford Pinto? Or one of these cars?
What is this world coming to!
Well, at least I can still buy Tandy 5000 compatible computers. -
Re:Why?
Another good example- this guy's portable computer.
-
Re:Old News (here is a working link)
http://www.attrition.org/gallery/computing/vintage/digitaldataporn/tn/baked-apple-ad.jpg.html
Well.. I don't have an apple to bake.. but I still got my Windoze CD... ;) -
meow!
Here, try this.
-
How about...
-
Re:When was the last time microsoft.com was cracke
The last time Microsoft's networks were attacked was the recent attack of the Slammer worm. It seems they didn't patch all their SQL servers.
This website lists 23 defacements of Microsoft web sites since the beginning of 1999.
One of the most embarrassing attacks was in 2000 when Russian crackers got into the servers that housed Microsoft's source code and waltzed around in there for up to three months!
Microsoft uses their own products, and thus are subject to the same security holes as their customers. Their network security and the insecurity of their products are pretty much one and the same: a joke. Anyone in charge of Microsoft's non-security has no business being the deputy, let alone the man in charge, of our nation's computer security.
But then, this isn't an issue of ability. As the article makes clear, the qualifications for the job are more about agreeing with the president than about securing anything.
"At this moment, it has control of systems all over the world. And...we can't do a damn thing to stop it."
Miyasaka, "Godzilla 2000 Millennium" (Japanese version) -
Re:Can someone please explain...
"Perhaps we can get a new section for Denial of Services, or perhaps, a wider umbrella would be a 'teenage HaX0r' section where we can put DDOSs, Web Defacements and Case Mods all together. (That way, people who have lives can choose the option not to display any of that shit on the front page)"
"Can someone please explain why this was put under the topic of "BSD", and why such a thing was even mentioned in the "article" by Hemos?"
Golly, I sure can explain this. It's cause it's their site, not yours.
-
As always, a picture says it better, but...
Hello, and welcome to last week.
-
Re:Windows Clients/hosts?
hesiod says: Is he saying that "Gobbles" runs Bugtraq.org? Am I missing something here, or is he full of shit?
Jesus fuck, people on slashdot are fucking stupid!
Facts:
1. Gobbles are not stupid, they've come up with many innovative exploits, and are without a doubt very talented hackers. You may remember them from such classics as the linuxslapper worm (based on their apache-scalper code), or the nifty ettercap remote-root-via-irc exploit.
Suggested reading:
2. Obviously, the RIAA didn't hire them to "hack back". If the RIAA hired people to hack, they wouldn't talk about it on a fucking mailing list. (Furthermore, the bill that hinted at such "hack backs" wasn't ever passed.)
3. Gobbles is prone to making hilarious outlandish claims. Clearly, this is a simple mpg123 exploit preceded with a very funny joke to make the RIAA look bad.
4. Yes, gobbles runs "bugtraq.org". That has nothing to do with the securityfocus mailinglist called bugtraq, however. It's just a domain name.
- BugTraq post with the funny RIAA bit, followed by actual mpg123 exploit code
- Gobbles Homepage (sometimes available at bugtraq.org, but currently down there, and up here)
So, in conclusion, the news here is this: mpg123 has a vuln.
You may now return to filesharing as usual.
Gobbles are some funny guys.
The p2p networks are not 0wned.
(And, oh yeah, both the register and slashdot got trolled again. But that's not news anymore than "it's raining in seattle".) -
Re:Windows Clients/hosts?
GOBBLES always mentions something really unrealistic, but suddenly he proves it (emphasis mine)
No, he doesn't. (Hint: his "exploit" will work on any machine, even if it's not running a web server - try it on your workstation.. it's just Lynx pulling the file via the file:// method.) -
Gobbles??!?! Case closed - it's not real.
This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.
Gobbles?
Jesus, then it's probably not real.. anyone remember his "security alert" about awhttpd? Basically, the "vulnerability" he described was Lynx retrieving the file from his local filesystem via a file:// URL-type.
A reply, showing just what an idiot this "Gobbles" is, is here -
Re:Windows Clients/hosts?
Oh please, this comes from the same guy that brought you the Hewlett Packard 48 Series Calculators advisory.
It's funny, laugh. -
Re:Phrack.
They stopped making their zine a long time ago... some of the ppl from F.U.C.K. formed www.attrition.org where you can find all the old copies of F.U.C.K.
-
Eyes huh?