Domain: attrition.org
Stories and comments across the archive that link to attrition.org.
Comments · 361
-
Re:Securing OpenSSL
> You've never heard of Windows Update being trojanned, have you?
No, but they have been cracked before:
http://www.attrition.org/security/commentary/ms16.html
It doesn't take a whole lot of imagination to come up with some very scary scenarios of what could have been put there instead of "Hacked by Chinese!" After all, how many people visiting Windows Update are running versions of IE without known run-arbitrary-code security holes?
-
Couch
Can't forget the MacII couch: here
-
Perfect example.
Perfect example as to why open source is cheaper!
-
Snifff...
They finally got beaten...
:( :( :( :(
-
Gay Operating Systems Awards 2002
-
Re:Yeah but at least tux is cool
Kind've like this?
-
Re:Freeware??
Nullsoft, maker of the popular Winamp software, is also maker of the Shoutcast streaming media server. It works with all copies of Winamp, iTunes, and a handful of other players. It is efficient, configurable, and available for Windows 95/98/ME/NT/2000/XP, Mac OS X, FreeBSD, Linux, and Solaris. Besides that, you reach that huge market share which refuses to use the bloatware that is RealPlayer. It works by running on a machine connected to the internet, and then you can connect to it with the ShoutCast Source plugin for Winamp available here. You can do this either from a dedicated computer, or the same one running the server. You choose whether you want to stream whatever Winamp is playing, or if you have another input you can choose to use the soundcard. How I am streaming MY online station is a program called QuicPix made by the same people who do the wonderful iMediaTouch automation system going out the soundcard, into a mixer with a CD player and microphone, and then going back into the same computer where Winamp sends it to Shoutcast ALSO running on the same computer.
-
Obligatory link to the Internet Sex Chart
-
Re:Nobody has posted a link to the IRC Sex Chart?
whoops, sorry about that.
www.attrition.org/hosted/sexchart/
there.... is that okay now?
-
The secret is out
I guess he found the Sex Chart (http://www.attrition.org/hosted/sexchart/sexchart.9.30)
-dk
-
Re:FUD HAHAHA! Wrong! Macs are easy!
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
I bet you'd like to think you're right, but you're not.
Install a filter between your brain and typing fingers, then come back, okay?
-
one application: Tempest
In case you don't know what tempest is.
-
Re:Can't be true
> Blame the original developers of WebTV for this mess with a helpless device.
It isn't their fault, either, most likely. The problem has actually been around for quite a while and is not easy to fix, as it's hardware, not software. There are numerous ways to insert commands into the modem stream of an active connection.
Attrition.org has a BUGTRAQ mentioning it back in 1998. An experiment I tried earlier today caused about 25% of the pinged clients to disconnect.
-
nevermind
the def
I swear I didn't know. I guess I was a... dammit!
-
Re:Works perfectly. Killer app.
The killer right now is letting them use Mozilla and Evolution through X from a server located outside the firewall: very secure and virusless (and cheap!)
You might want to be careful with this box that is outside the firewall. If someone can get into it, they can launch applications like xkey. This will enable someone to do keyboard monitoring of anyone who's running an X application. Combine that with "netstat -anA inet | grep ESTAB" and you can easily determine some good IP addresses to target. What I'd be concerned about is someone sniffing my keystrokes in my mozilla sessions, getting by all the wonderful SSL encryption!
One way to combat this would be to use X forwarding through ssh as the X11 transport. That way you have to have access to the user's ~/.Xauthority file, which is typically set readonly for that particular user. Which means any local root exploits would grant someone access to all of your customer's keystrokes.
Something else you might want to look into is NSA's SELinux. I don't know much about it, but it seems like you could take advantage of the higher granularity of access controls to limit someone (other than the rightful user) getting access to ~/.Xauthority. Even root wouldn't be able to get access.
Anyway, that's a very cool idea you have. Just be careful.
-
Bad categorization
Hmm. They need to fix some of their categories!
2600.com is listed as "Politics/Religion".
attrition.org's security page is listed as "Entertainment,Mature".
Plus, many security sites are listed as "Criminal skills".
-
Great!
Now you can get insurance to cover your doctors visit to take care of what you caught from your other eBay purchases.
-
ghetto slashdot?
Newz for Gangstaz... Shit dat matterz....
Then again, the original ghetto slashdot has got to be Afrodot
-
Re:Our leader gets it.
I also like a president that will take the lens caps off his binoculars, instead of worrying that doing so would look bad for the photo op.
-
FreeBSD Girl
I'm Karma whoring here, but your post reminded me of this: FreeBSD Girl
-
Re:before you go berzerk...
Be careful what you put in that Google search. The government may now spy on web surfing of innocent Americans, including terms entered into search engines, by merely telling a judge anywhere in the U.S. that the spying could lead to information that is "relevant" to an ongoing criminal investigation.
Oh, neato! Let's write the next Outlook worm, a worm whose only deed is to, once in a while (not more than 10 times an hour, please), randomly ask Google for some juicy Echelon bait... But the worm shouldn't do ANYTHING ELSE, so as to escape early detection...
-
All I can say is
agent package spores president activate terminate Allah plastique stegonography
Is this yelling "fire" in a crowded theatre, or is it an illustration of how futile it is to try and filter out the overwhelming false positives generated by free speech?
While you're deciding, remember that intelligence agencies are spending your taxes to monitor you. Free speech might become a very expensive privilege.
-
Re:Competent law enforcement?
Yup, a DoS attack with enough punch to take down Yahoo. Originating from ... erm ... a dialup line. Hmmmm, sounds plausible to me.
It's called a smurf attack actually and it is quite plausible (or at least, was before most routers began blocking spoofed ICMP broadcast echo packets).
It's a pretty simple attack. Just spoof the source address of an ICMP echo packet to your target machine, and then broadcast it to a whole shit load of hosts. Each of the hosts will respond to the spoofed address and you will have N packets per packet you send where N is the number of hosts. Usually, one would pick a thousand or even ten thousand hosts and from a dialup, you could bring down an oc3 in a matter of minutes.
Very few people were stupid enough to actually use this because 1) Most routers tracked these broadcast packets so you were likely to get caught if the receiver complained and 2) This was such a devastating attack that you were likely to do enough damage for someone to complain.
It is not exploiting or "hacking" the host machines though. It surely isn't turning them into "zombies" either. It's a very lame exploit.
BTW: For those interested, here is a link. (Like I said before, this doesn't work any more and if you actually are dumb enough to use it, you will get caught very quickly).
-
Re:Passport profile
Unless it happens to be the "dc-stuff" mailing list (Have some fun, mail to majordomo@dis.org), in which case you'll find that your account has been deleted by your ISP, your IP addresses will all be entered into the "Do Not Remove" section of the RBL, your credit cards will all mysteriously get canceled, but not before they were used to buy hammers mail-order from NASA at $9,000 a pop, and you'll STILL somehow receive messages from the list...
-
Attrition's take? Still relevant.
This is little more than a journalist's self-fulfilling prophecy. You get disinterested parties (the CIA isn't exactly it) saying that there's something big brewing, then you've got a story I'll listen to. Coming from a journalist on a slow newsday or a law organization that isn't a shining beacon of all that is good and great with democracy, however...
-
the sexchart
the sex chart is a 2d rendering of 1500 interconnected nodes. I believe they have a utility that gets fed a textfile describing the node relationships, and from that renders the text. This might be useful to you.
-
Incentive
Make the start smoother, give an incentive!
For example compare Win2K vs. Linux according to the following criteria:
Compare costs of a standard corporate LAN installation
Compare total number of servers using *nix, average server uptime etc.(get this info from www.netcraft.com)
Compare number of website break-ins (get this info from www.attrition.org)
Good luck!
-
Attention, please
Before you reply with the obvious Simpsons reference, please have a nice glass of Shut The Fuck Up.
-
Will CS ever be a "science"
As one of my profs loves to put it "No real science has the word 'science' in it". Physics, Chemistry as compared to Social Science or Dropping Mad Science.
And then there is Dijkstra's ubiquitous quote/Attrition header "Computer Science is no more about computers than astronomy is about telescopes."
I know this is OT but what would you call CS if you couldn't use the S? Computers? Algorithmics? Fingering Finite State Machines? Gasp, Information Technology? (BTW I think Technology is about as appropriate as Science is as a root noun).
-
Re:OS/2 Still In Use...
It's a little known fact that many ATM machines use OS/2... even the new ones. That means millions of people use OS/2 every day and don't even know it. The funny thing is that they WOULD know it if they used an M$ OS. How would you like the "blue screen of death" when you're in the middle of a transaction?
The ATM machines run by SparBanken in Sweden use Windows 95!!!!!!!!
And YES, I -have- seen the machines both crash (software) and blue-screened!
One can only hope they fired the SOBs who came up with -that- idea.
-
That was Mastercard -- not Re:American Express
Good joke, but it was Mastercard (who sued Ralph Nader for using their ad format during the last prez election), check the attrition.org Mastercard spoof gallery for more.
-
Here ya go:
-
Jesus Christ!
Has nobody got a sense of humour any more? (Well, I know Mastercard haven't.)
Soon it won't be possible to satirise anything without getting a nastygram?
-
Re:A poll
> I think Mr. Robertson should send an email to everyone whose information is being sent to Microsoft, warning them of the disclosure.
I'm on the list, and they did. From the e-mail:
Also, we feel obligated to disclose to you that we were compelled to disclose your email address to Microsoft during the discovery process as well as the content of many of your messages sent to us. We were not happy about doing this, but we had little choice. We have received assurances from Microsoft that they will not use or disclose your address for any purpose beyond this case.
While he's at it, he should also provide a link to a poll on his website, asking whether any of those people had been initially confused when researching the new OS.
Bad idea! Don't you remember how Microsoft engaged in blatant ballot stuffing for .NET on the ZDNet poll on web services? They'd just have all their employees give the "Palm Beach voter's excuse": "We thought we had signed up for the OS by Pat Buchanan .. er Bill Gates."
-
Email? He looks older than 30 to me.
Unless he got a fake ID when he was a kid, Email looks to be older than 30:
http://www.attrition.org/gallery/computing/tn/email.jpg.html
I would have posted this earlier, but attrition.org was filtered from work by WebNot.
-
Re:See also...
Oh yes, good 'ol Carolyn Meinel.
This bitch is a total waste of space. She claims to be some sort of computer security expert when in fact, she doesn't know shit about anything really.
"Want to hack your computer? Here's how you change your Windows 95 Startup screen! You did it? Congratulations! You're a HACKER!"
Read this and this, then decide if this phony is worth giving attention.
-
Re:Smaller, Cheaper, Better
What other benefits do we get out of the mission?
Well... by sending more probes, we can rule out this [attrition.org]......
-
Oh, great...
Let's just hope they haven't backdoored this one too..
-
Re:We can emulate worms if we want to!
* Sadmind
Except that Sadmind is a solaris / NT worm, not a Linux worm. Please study the facts before posting.
-
Crackers raise some hell
This is a call out to all the crackers out there for assistance. Deface as many websites as you can find that are pro-terrorist. Remind the world that THOUSANDS of people -- individuals with parents, spouses, children, friends ... people who love them -- have been KILLED by these fucking cowards. You did this when China was holding our spy-plane; this is millions time worse. I want to see attrition.org have to upgrade their disk space to hold the mirrors of these sites.
Portscan the hell out of networks that are on subnets located in the Middle East. Break into them and copy all of the data. Send it from that rooted university box to the CIA, FBI, NSA, whoever ... we may get lucky and find that one piece of info that breaks this thing wide open and finds out who orchestrated this travesty.
Shit, even a DDOS against these sites would be acceptable. JUST DO SOMETHING! THIS IS YOUR FUCKING COUNTRYMEN THAT HAVE JUST BEEN ATTACKED AND KILLED! Let's show these bastards who's boss.
-
Make use of it for more storage
Attrition.org has a pic of a bunch of enterprising individuals who taped off the entrance to a cubicle and filled it with foam peanuts. Here's the pic
-
Re:One monkey, one hour
I think that if somebody wrote something similar to this for apache, we would get similar results. It wouldn't be _this_ bad, but still.. look at attrition and you can tell that there are a lot of people that don't secure their webservers (both apache and IIS). However, the graph showing the spike in NT defacements is pretty funny. They really should teach people in those classes that there is more to setting up a server than popping in the CD and clicking next a couple of times.
-
Re:If this can't break Microsoft's back nothing wi
This won't break Microsoft's back.... consumers voting with their feet can only achieve that end.
Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.
Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet.
Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.
-
What are you complaining about?
Would you rather see this be another self-fulfilling media prophecy (a la Attrition's dissection of the US/China "hacker war" that was supposed to be going on) or would you rather see the problems get fixed?
As I read it, there's already 22K infected hosts out there (as of 10-11 AM) that incidents.org has found; how many more haven't probed their servers yet? The A and B strains of the worm aren't as plodding in their search for new servers to infect, and there could be even more strains out there. Hopefully, some braindead admins out there have taken note of all the media coverage and will patch their machines before this ramps up any further than it already has.
Or would you rather journalists got their copy about the devastating effects of the worm done in advance rather than trying to prevent it?
-
Re:DMCA
Right, but most companies enjoy pulling shit like this in hopes of intimidating the user or their ISP into removing the "infringing content" without getting a court order (or getting the case dismissed).
-
Make money FAST - for lawyers
Oh well.
It seems that some legal firms have found a new "make money - FAST" -scheme. IMO the interesting part is to see how long it will take, until the clients will realize that they'll be paying not only the huge legal costs but also the bad publicity caused by these cases.
Wendy R. Leibowitz summarized it well in her article.
As a sidenote: Attrition.org is also under fire because of the alleged trademark violation - they are hosting some priceless-campaign parodies and the lawyers of MasterCard still haven't got anything better to do...Link
Ville
My DeCSS archive:
-
Re:Atrocious
> All they are doing is passing people through msn.com first before sending them to any other MS web site. If I had a big organization with 20 different sites, I would do the same thing. It makes sense - you track total usage of your web properties in one place.
...and if M$ had hired Doubleclick to pass everyone through doubleclick.net first, before sending them to any other MS-owned website, it'd also somehow be a Good Thing?!
What I wanna know: Is there an msid.msn.com cookie set on boot/install these days?
Next time you install W98, boot to raw DOS. Poke around the filesystem with a hex editor and examine the cookies. You'll find one set for whatever username and workgroup you entered at install time, pointing to our old friend http://msid.msn.com.
Under W98/IE4, deleting these files, rebooting, and re-entering Windows, the cookie data was restored automatically, even though this box had never been connected to any network.
Disclaimer: I wasn't able to reproduce this today on a W98SE/IE5 box. I know I did it under 98, because I ranted about it on Slashdot last year when the GUID-leak stories came out.
Can anyone confirm/deny this type of behavior on XP?
They've been doing this shit for a long time.
A DejaGoogle search revealed tracking through msid.msn.com as far back as 1997.
I think my "cookie kept coming back" had something to do with RegWiz, which created such a cookie before you even registered? (And in my case, even though I hadn't registered :)
So today they generate and use an MSID instead of the HWID. It's still all about tracking.
Speaking for myself, I firewalled msid.msn.com a few years ago and never missed it.