Domain: cotse.com
Stories and comments across the archive that link to cotse.com.
Comments · 36
-
Re:US Bank Machines During SQL Slammer 2003
Here in the US, the SQL Slammer worm of 2003 knocked about 13,000 Bank of America ATMs off-line. All of the ATMs and their back-end transaction servers were running Microsoft products.
-- http://en.wikipedia.org/wiki/SQL_Slammer
-- http://www.cotse.com/20032701.html
Other banks, like Bank One (now JP Morgan Chase), ran OS/2 on the ATMs, and OS/2 Warp Server with IBM DB2 on the transaction servers. Most of the banks who used OS/2 and DB2 to handle their ATM transactions weathered the storm nicely... -
Re:WTF
On one hand I am aware that a Windows based server is no comparison to a midrange Application Server.
But since long many OSs have been supporting Multihoming for their comms resources. Link
So where is the innovation here? -
Bank of America again?
Is this the same bank: SQL Slammer worm shines light on Banking?
I'm glad I do no business with them.
-
Already happened...
The Slammer worm caused significant outages in Bank of America's ATMs.
-
Re:maximum of five years?
-
Let's be fair and balanced (no, really) here...
The initial security advisories did include a "vendor response" section. Across the board that said "upgrade to 10.3", without any mention of a forthcoming patch for earlier releases.
That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to succeed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)
I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.
This is not the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.
It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).
And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially). -
Lessons from SQL Slammer?
didn't Bank of America lose about 14,000 ATM machines to the SQL Slammer worm?
moving data across a public network isn't safe or intelligent. Let's hope they open their eyes before this foolishness gets any further. -
Spammers are trying harder
I would have thought that spammers wouldn't expend much effort at trying to get around sophisticated anti-spam techniques. After all, if you go to the trouble to block spam, you're probably not going to respond.
But of course some of the spammers get paid based on how many 'eyes' (or HTTP requests) are generated, so if they can just get through to an Outlook Express preview pane, it's worthwhile....until 'marketers' wise up.
By virtue of having my own domain name, outside of the United States, I now receive 1200+ spams a day (and noticeably increasing). People who advocate 'just hitting the delete key' make me fume. That's a lot of delete key. And a lot of time. I've now reached the point where false positives on spam detection by automated software are less likely than me hitting delete one too many times. Thanks to DNSBL I can reduce spam from 1200+ a day to 10 a day, and Paul Graham's Bayesian filtering reduces that down to 2 or 3 a week.
I'd like to share some recent observations I've made - I haven't seen this referenced elsewhere but maybe I don't know where to look (so feel free to point me where this is mentioned elsewhere).
First a minor observation that spam increases markedly on the weekends - because people aren't around to close down open relays or spamming accounts?
Secondly, spammers have started adding non-spammy words (eg capacitor) and constructed nonsense words (capacitorsggg) inside their messages. I can only see this as a direct response to Paul Graham's approach. I don't see it as working - the rest of the message is just TOO spammy - but it suggests to me that spammers see such an approach as a threat. I've seen these words sprinkled at the start of plain text messages and after the </body> </html> of HTML messages.
Thirdly, what I've recently noticed is that a spammer will connect to my mail server, say HELO, do a MAIL FROM: and then QUIT. Then they connect to my system again and use a HELO command that is my OWN IP address. They also include a fake Received header that makes it look as though the message originated from my own machine. Nice try you scummy spammers. SpamCop is smart enough to see through that ploy. I wonder how other systems will respond.
Fourthly, I've noticed that often when I complain to SpamCop I become the victim of a JoeJob. Currently I'm getting all the delivery failures coming back to random alphanumeric usernames at my domain. Sigh. Time to strip off my domain when I lodge SpamCop submissions eh?
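The third observation above (a probe session that stops after MAIL FROM, a follow-up HELO that names the receiving server's own address, and a forged Received header claiming the message started on the victim's machine) is easy to check for on the receiving side. The following is an added example, not code from the commenter, SpamCop or COTSE: it walks a captured SMTP dialogue, records what the client claimed, and compares those claims against the server's own identity and the address the connection really came from. The server identity (192.0.2.25, mail.example.net) and the three transcripts are constructed for the demonstration, using RFC 5737 documentation addresses.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed identity of the receiving MX (assumption for this example).
OUR_IP = ipaddress.ip_address("192.0.2.25")
OUR_HOSTNAMES = {"mail.example.net", "example.net"}


@dataclass
class Session:
    """What the MX observed on one TCP connection."""
    peer_ip: str                      # address the socket actually came from
    helo: Optional[str] = None        # what the client claimed in HELO/EHLO
    mail_from: Optional[str] = None
    rcpt_count: int = 0
    received_headers: List[str] = field(default_factory=list)


def parse_session(transcript: str, peer_ip: str) -> Session:
    """Walk a captured dialogue; only 'C: ' (client) lines are inspected."""
    s = Session(peer_ip=peer_ip)
    in_data = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line.startswith("C: "):
            continue
        cmd = line[3:]
        if in_data:                   # inside DATA: collect Received headers until "."
            if cmd == ".":
                in_data = False
            elif cmd.lower().startswith("received:"):
                s.received_headers.append(cmd)
            continue
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            s.helo = arg.strip()
        elif verb == "MAIL":
            s.mail_from = arg.strip()
        elif verb == "RCPT":
            s.rcpt_count += 1
        elif verb == "DATA":
            in_data = True
    return s


def is_own_address(token: str) -> bool:
    """True if a hostname or literal IP names this very server."""
    t = token.strip("[]").lower()
    if t in OUR_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(t) == OUR_IP
    except ValueError:
        return False


def assess(s: Session) -> List[str]:
    """One finding per suspicious trait; an empty list means nothing odd was seen."""
    findings = []
    if s.helo and is_own_address(s.helo):
        findings.append(f"HELO '{s.helo}' claims our own identity but peer is {s.peer_ip}")
    if s.helo and s.mail_from and s.rcpt_count == 0 and not s.received_headers:
        findings.append("probe: MAIL FROM issued then session ended without RCPT TO")
    for hdr in s.received_headers:
        m = re.search(r"from\s+(.*?)\s+by\s", hdr, re.I)   # the "from ..." clause only
        if not m:
            continue
        tokens = re.split(r"[\s()\[\]]+", m.group(1))
        if any(is_own_address(t) for t in tokens) and not is_own_address(s.peer_ip):
            findings.append(f"forged Received header claims origin on our own host: {hdr}")
    return findings


# Constructed transcripts; "S:" is the server, "C:" the client.
PROBE = """\
S: 220 mail.example.net ESMTP
C: HELO relay.spammer.invalid
C: MAIL FROM:<bounce@spammer.invalid>
C: QUIT
"""
SPOOFED = """\
S: 220 mail.example.net ESMTP
C: HELO 192.0.2.25
C: MAIL FROM:<bounce@spammer.invalid>
C: RCPT TO:<postmaster@example.net>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Received: from mail.example.net (mail.example.net [192.0.2.25]) by mail.example.net; Sat, 1 Feb 2003 12:00:00 +0000
C: Subject: test
C: .
C: QUIT
"""
LEGIT = """\
S: 220 mail.example.net ESMTP
C: EHLO mx.partner.example
C: MAIL FROM:<alice@partner.example>
C: RCPT TO:<bob@example.net>
C: DATA
C: Received: from mx.partner.example (mx.partner.example [198.51.100.7]) by mail.example.net; Sat, 1 Feb 2003 12:05:00 +0000
C: .
C: QUIT
"""

if __name__ == "__main__":
    for name, text, peer in (("probe", PROBE, "203.0.113.9"),
                             ("spoofed", SPOOFED, "203.0.113.9"),
                             ("legit", LEGIT, "198.51.100.7")):
        for f in assess(parse_session(text, peer)) or ["clean"]:
            print(f"{name}: {f}")
```

The comparison that matters is between what the client asserts (HELO argument, Received "from" clause) and what the MX knows for itself (its own address and the peer address of the socket); a claim that "this connection is from you" arriving on a socket from somewhere else is the tell. The probe heuristic is only a signal, since a legitimate sender that gets rejected at MAIL FROM also quits without RCPT TO, so it is better used to raise a score than to block on its own.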
-
Re:Makes me glad^H^H^H^Hsad
(I added the link for dramatics)
>I'm sure you could find whole offices running OpenOffice or StarOffice or even still using WordPerfect and 123 just so they can stay away from MS products. But they aren't the IBM's or Fords or Bank of America's of the world.
Perhaps Bank of America will be changing its tune after 13,000 of its ATMs were put out of service by Microsoft bugs. Or perhaps they're just stupid and masochistic? Either way, if they're still paying for M$-ware, I'd take a second look at whether I want to invest my money in a bank that doesn't put its money where its mouth is.
Ford, well, beats the hell out of me what they run. :) -
Re:The email rockstar sent me about this yesterday
If you use a service like that provided by COTSE for e-mail, or have your own mail server, this is no longer a problem.
-
Re:why not whitelist?
After googling for Joe Job and reading about it, I can say that whitelisting wouldn't -- can't -- play into this kind of game.
You see, with a whitelist, you never see spam -- ever -- unless it's been propagated by a "trusted" contact -- someone you've explicitly said you will receive email from.
Email from unknown senders, even legitimate ones, will be bounced immediately, requiring the sender to prove (by responding to the bounce) that they are indeed a legitimate sender before you even get all worked up about receiving spam.
-
Re:How do banks secure ATM lines?
No, they are not satellite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing.
You mean like running your ATM network from a system accessible by the general internet? -
Re:Marvin the Paranoid Android 404 takeoff
I liked COTSE Lookup tools 404. It's a lot longer and will have you rolling.
here...
Gerald
-
Re:Physical Security
Another very common mistake is leaving a floppy drive set up as the first boot device, or not having password-protected BIOS settings.
With e.g. Debian boot floppies or any other mini Linux or mini Unix distribution you can just insert a floppy, hit reset and wait a while until you get r00t and do whatever you want (like change the real root password in /etc/shadow on the main partition to whatever you want).
I'm talking about it because it's much easier than trying to write a remote exploit, much easier than writing a local exploit and much easier than actually stealing the whole hardware. It's usually also much easier than social engineering.
It wouldn't even be hard to make a floppy which automatically does something to the system (like adding new users and adding them to every group, changing passwords, reading encrypted passwords for later cracking, leaving backdoors, etc.). When you have such a floppy, you only need a few seconds to insert it, hit reset, come back after a minute when everything is done, take your floppy and hit reset again.
You can even prepare this floppy in a way that when everything is done, your files from the floppy are deleted and "shutdown -r" is run. That way even when someone enters the room before you, he'll only find a normally working system with an empty floppy in the drive. The chances are that no one will even go there to see what's wrong if the server was down for a minute and now it's OK, especially if it's a lunch break or something.
Very dangerous and very easy if you can only get near a computer, and if it can boot the system from the floppy. And I've already seen servers without BIOS passwords and those set to boot in the order floppy, cd, hdd. It's a very important and often forgotten issue; it's somewhere between physical and non-physical (logical?) security.
-
ZeroKnowledge
Learning to use the traditional remailer network takes some time and effort. And this time and effort pays off handsomely by providing the user with a highly secure method to communicate privately and anonymously. But many privacy-minded folks (and their ranks are increasing daily!) are looking for an easier and less time-intensive approach. Some are even willing to pay for it. To satisfy this niche there have arrived many new products and services that provide various combinations of anonymous email, newsgroup posting and Web-surfing with varying degrees of anonymity.
I have provided URLs for some of these services below. I have categorized them into two groups: free of charge and fee-based. Noteworthy amongst these is the fee-based Freedom Software by the Montreal-based Zero Knowledge Systems (ZKS). Launched in December 1999, Freedom is a 'privacy system' not unlike the traditional remailer network. It allows users to send email, post to newsgroups, chat and surf the Web in total privacy without having to trust third parties with their personal information. Freedom users create multiple digital identities - "nyms" - with which their online activities are associated. All data packets Freedom users send are encrypted and routed through a global privacy infrastructure called the Freedom Network, which is hosted by participating ISPs and other independent server operators. A 30-day free trial is available.
The package has been criticized <http://cryptome.org/zks-v-tcm.htm> for not being open-source. But that is changing. The source code of the kernel module of the Linux version of Freedom <http://opensource.zeroknowledge.com/> has been released; and the release of the Windows version source code is "coming soon."
Free of Charge
GILC Web-Based Remailer <http://www.gilc.org/speech/anonymous/remailer.html>
Hushmail <http://www.hushmail.com>
Safeweb <http://www.safeweb.com>
Zixmail <http://www.zixmail.com>
Anonymouse <http://anonymouse.is4u.de/>
COTSE <http://www.cotse.com/home.html>
Somebody.net <http://somebody.net/>
ANON.XG.NU's Web-Based Remailer <http://anon.xg.nu/remailer.html>
Chicago <http://xenophon.r0x.net/cgi-bin/mixnews-user.cgi>
Fee-Based
ZKS Freedom <http://www.freedom.net>
SkuzNET's The Internet Mail Network <http://www.theinternet.cc/ http://www.mailanon.com/>
IDcide <http://www.idcide.com> -
Leapfrog
If you need to forward any port, use
... available for UNIX and Windows:
explanation [taken from their page]
[If] you have a firewall that does not allow telnet (23), but it does allow http (80). Set leapfrog up on the other side of the firewall to listen on port 80 and send to 23, then telnet to port 80 of the leapfrog machine and you will ricochet to the machine you wish to connect. You will have the Leapfrog machines' IP and MAC addresses. It supports unlimited users (well, limited by memory). -
Re:possibility of detection might exist
I would suggest you read
Flawed outbound packet filtering in various personal firewalls -
Re:Idealized view of Cotse.com?
Cotse's Privacy Policy, How many websites actually have one?
Cotse's Abuse Policy, actually, very strict. And they abide by it!
The reason that people like Colin get all flustered over an actual privacy advocate site; They cannot obtain the IP address and personal information on the people they wish to stalk and harass. It has nothing to do with flames and/or trolls, for god sakes, how friggin easy is it to use a kill file? Evidently, it's over Colin's head.
--
Colonel Flagg
http://www.geocities.com/pentagon/1475/
"Big Brother is watching you, Little Brother is too. When Big Brother goes to sleep, Little Brother goes through his stuff." - Unknown Author
"...Pepper spray works nicely, unless your assailant uses it as a condiment." - CF, 2001
-
Re:cotse is a pain in the arse.
Usenet can easily be made useful until you get people like cotse.
I now just filter out everything that is posted from a cotse address because they simply won't stop their users from posting hipcrime floods, binary floods, massive crossposting etc. Their abuse teams simply pass your email address on to the "troll".
I'm in the process of persuading my ISP to drop everything from cotse.com.
First, I must disclaim I have a COTSE webmail account. This is because I know Steve, the guy who runs the site.
The above comment is blatantly false. One by one:
- You can't run hipcrime through the COTSE interface.
- There's a limit on binary size. It was 4 MB with the last system, not sure what it is now.
- The remailers have a limit of 5 newsgroups per post.
- The abuse department at COTSE (not Steve) will cancel accounts. It has been done for high BI (aka, spamming). Steve just told me that anyone running hipcrime-like floods (if they could figure out how) or binary floods would quickly lose their account, if reported, or if anyone there noticed. John, the abuse desk head, just confirmed that for me.
Now, as for blocking COTSE content, there's a problem with that. All (well, most) of what the COTSE newsgroup poster is is a front end to a few mail2news remailers. So, you (or your ISP) could block those. But, people can post to newsgroups with an @cotse.com address without posting through COTSE, and that's probably the source of those hipcrime/binary/crosspost floods. The same people could use hotmail addresses, yahoo addresses, etc.
Also, for help with abuse issues, we've been working on a post authenticator, since so many people forge COTSE posts just to get COTSE in trouble (no joke). Of course, they can look in their recent posts and prove one way or another, but it takes a lot of time.
In my opinion, Steve and COTSE are doing a great thing by letting people make usenet posts anonymously. Some people use it to get around cancel bots run on their names, bizarre forms of censorship, or to say things that aren't safe to say with a name attached. Anyone who has ever needed privacy or anonymity thanks him.
-
Re:M$ Influence in this article:
Regarding 4 layers, they're in reference to the DoD model, for which TCP/IP was first defined, pre-OSI. Of course, you're right that they used the wrong names for the layers (using the OSI layer names), whereas the correct DoD names are Process (OSI 5-7), Host-to-Host (OSI Transport layer 4), Internet (OSI Network layer 3), and Network (OSI 1-2).
The only reason I can recall this so well is having to teach Network+ classes.
-
Re:Time for djbdns...
Since qmail has already had one exploit in its history, why should we believe that the rest of DJB's software is any more secure?
Out of curiosity, which exploit were you thinking of.. is it one of the DOS attacks, or the overflow bug in the third-party vpopmail add-on? (Wait, maybe you mean this one!)
To answer your rhetorical question, I don't think anyone believes that djbdns is inherently more secure than qmail (although it is a lot easier to configure qmail in an insecure way, if for no other reason than that it's capable of running programs from .qmail files). I trust both of them a lot more than I'd ever trust BIND, though, even if that isn't saying much at this point. -
RFC's
RFC's can be found at http://www.cotse.com/references.htm
-
Re:But how?
We really aren't in that big of a hit for ip addresses yet. If you do a random sample of reverse dns lookups on the whole address space, you'll end up getting an idea of how many ips have been deployed by the number of ips with reverse setup on them. Out of a sample of 10,000, only ~250 actually have reverse dns setup. Err on the side of caution and say 5% and you still have plenty to grow. Nothing above 226.0. has been deployed yet and it's currently held for research/multicast and could be redesignated for public use.
Dan Bernstein (Qmail) was the one who suggested the scan. Link here
Nonetheless, IPv6 is still a good idea because NAT breaks too many things. But we're nowhere near as desperate as they make it out to be. -
Re:www.NEATO.com wont even let you browse anon
It looks like the failure is just a function of javascript filtering. If you use a proxy that allows javascript, the page renders fine. The C.O.T.S.E. proxy has a switch for enabling/disabling javascript. Try it on www.neato.com and see what I mean. We maintain a pretty extensive list of anonymous surfing services at WebVeil. Check it out.
-
That is crap
I don't know why people feel the need to do that to people that take their own time and money to provide something for them. I work at another page called www.cotse.com and we are all volunteer; I know how these guys feel when people just kill the site for no reason. I hope they come back.
-
Re:As far as finding the Rainbow series online....
The whole damn thing is [AFAIK] available on the COTSE website. I saw it there the one time I browsed through it; entirely HTML, tho...no plain text
-
Viruses are obsolete
Viruses belong to the era before huge numbers of machines were permanently on-line. Serious attacks today are network-based. Look at the recent denial-of-service attacks. They mostly exploited the usual stupid UNIX networking holes that have been known for years.
The big Linux vulnerability is that too much stuff runs as root. One buffer overflow vulnerability in a set-UID program and the attacker is in. Then they install a Linux root kit, and it takes a huge effort to clean up the system. Since Linux normally has a telnet daemon, it's remote controllable out of the box. You don't even need something like Back Orifice.
UNIX is not a secure operating system. Linux is not a secure operating system. Nothing Microsoft makes is a secure operating system.
Somebody mentioned EROS. It's not really finished, and even if it was, you'd need applications for it. What's really needed, I think, is something with capabilities like EROS, a high-performance, secure CORBA-like model of interprocess communication, and support for high-volume transaction processing in the CICS sense. Then you'd need to tear apart things like BIND and Apache into a number of mutually mistrustful components. User-initiated transactions would run as separate processes, like CGI programs, but would launch faster using a CICS transaction model.
Oh, and you need a decent security model. For example, in a real secure system, there's no "root". If you're doing administration functions, you can only run a few trusted administration programs.
-
RSA Security not hacked - it was NSI
An article at COTSE News points to the proof of Saturday night's RSA Security hack. While the hacker made it look like everyone should distrust RSA Security, the reality is that everyone should distrust NSI. Is all of NSI sleeping in a cave? This information has been out in the media for some time now, and still people are able to exploit them. Something needs to be done...and NOW.
-
"Hackers" are no big deal
Go ahead and freak out about the recent DDoS attacks. However, a few of us are aware that backbone providers have figured it out.
-
cnx between attacks and credit card ransom?
Yes, the attacks lately have one common denominator - the media definition of "hacker." Perhaps the sites were attacked because of their involvement with the credit card stealing and ransoms.
-
The tense wait could have been avoided
Am I the only one that found Transmeta's patents in the US Patent database? http://members.cotse.com/newz/stupid_media.html
-
Re:Why?
The link you provided doesn't respond well. I think they've been slashdotted. So I did a search at Google for Hamsterdeath and found this. Enjoy!
-
Best Y2K Summary
One of the best Y2K Summaries I've yet seen is over at COTSE. In case it's changed by the time you get there, the text is included below.
All up, I think it really touches on exactly why Y2K was a "non-event." I'm going to send it to the head of the Small Business Association of Australia who proclaimed the other day that Y2K was all bullshit (condensed version of his words :)
Text Reads:
---
As y2k passes by uneventfully I'd like to give thanks to the unsung heroes. The people that sacrificed so much to ensure it passed uneventfully. These people worked sixteen hour days for weeks on end. They missed family functions during the holidays. They missed weekends and vacation. They missed the celebration. All to make this an uneventful and quiet y2k.
While the press ran around in circles proclaiming the end of civilization and the world, they were toiling to fix it. While fanatics warned to "Stock up for y2k", they worked at backing it up, just in case. While politicians all tried to out statistic each other, they were testing it. While everyone was out celebrating a once in a lifetime event, they were baby-sitting it.
COTSE wishes to thank the unsung heroes of the millennium: the administrators, the programmers, the test teams, and the operators. You are the people that kept it all together! You are the reason nothing happened!
Great Job!!!
--- -
Be anon, stay anon
Snagged my IP, eh?
Set your proxy to nrl.onion-router.net:9200.
Read about AT&T Crowds, about TAZ-WWW, see the Proxy Mate, see the COTSE anonymizer or look what fravia has to say about anonymity.
© Copyright 1999 Kristian Köhntopp -
Re:This is brilliant!
Well, I have to answer directly, IMO it isn't always a good idea to nmap the server. There is no important information to get anyway.
One could go to www.four11.com to search for (alternate) email addresses. You could try a zone transfer of the domain; sometimes, funnily, the names of their machines tell you something.
Watch the headers of the postings at dejanews (under "view original usenet format"). If you find an interesting post in dejanews, go to altavista and search in their usenet engine for the same message; they show you all headers if you push the "B" (retrieve binary attachment, don't ask me...). Then you normally have the nntp-posting host, ergo the provider of the individual if he posted from home.
Voila, perhaps he has a nice homepage...
If you find some office documents on some pages, download them and view them with an editor.
If you're lucky you get his home address, telephone number and some porn websites he visited sometimes. Really, I found www.penthouse.com and others in some business documents...
Does anybody know how to do a _reverse_ whois search, i.e. person-record->domain-records this person owns?
Oh, and at altavista, try link:domainname, perhaps some staff members or companies have a homepage on which they link to the company you want to check out.
Some interesting links for this kind of stuff:
http://www.cotse.com/searchengineref.htm
The whole site is cool
and
http://www.cam.org/~intsci/,
perhaps a bit old, but most links work...