Domain: dynamoo.com
Stories and comments across the archive that link to dynamoo.com.
Comments · 38
-
porn.gov.uk
I read that the government is going to set up its own porn portal for "approved" smut while banning everything else. I read it on the internet so it must be true.
Two things.. one, almost all of these porn sites are not in the UK so basically won't give a shit.
Secondly, isn't it the case that those people who are most on a crusade against porn are the ones with the really sick and disturbing fetishes. Perhaps I could have 30 minutes with David Cameron's personal laptop just to check?
-
Re:The NSA controlled the servers
So it's not clear if those addresses belong to the FBI, the CIA, NSA, or anyone else.
Is this even "legal" on the Internet? Perhaps those IP addresses should be reclaimed and reassigned by ARIN since "nobody" is using them and IPV4 addresses are now in short (nonexistent) supply.
Correct, the IP address block (65.222.202.48/29) was allocated to a Verizon Business customer probably located in the Washington DC or Virginia area. Some neighboring blocks in the same /24 included the US government, some government contractors and some private commercial businesses. Given the geographical location and nature of the customers then it is almost definitely a government agency or contractor, but there's nothing else to be gleaned. I did an analysis at the time when people were screaming that it was the NSA via a private firm called SAIC.
As for "legality".. the block is allocated to Verizon who break it down into smaller chunks for customers who may or may not wish to identify themselves in the WHOIS records. It is just 8 IP addresses in any case.
-
Specialist ISP of Transnistria.. again.
It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria. That has featured before on Slashdot in this story.
The block 194.28.112.0/22 is simply all evil (I've documented it here in the past), there's no reason to send traffic to it at all, blocking it is a good option.
-
Re:Only since last June..
..darn it, I screwed up the formatting. I recommended that people consider blocking the Dreamhost IP ranges altogether.
-
Only since last June..
-
Hosted in.. Transnistria
The malware site is hosted by Specialist Ltd in Transnistria, who are a totally black hat operation. They can get away with it because almost nobody recognises the existence of Transnistria, so it is effectively outside the reach of international law enforcement.
-
Old news.. and a very old problem.
Seriously, I wrote about exactly the same thing here a month ago, although I could identify Doubleclick as the network running the ads. It's quite amusing to see that the fake anti-spyware app claims that you have Windows malware on your Linux box.
Still, griping aside it's good to see this hijack getting a higher profile. However, I had a note from someone who had come across a hijacked banner on Yahoo! just today, so it's clear that the banners are still out there.
Banner hijacks for this type of rich media ad are not a new problem. It's not a problem you generally see with good old fashioned GIF and JPG banners, or plain text ads.
-
More on Soloway..
Soloway also has close ties to other arch-spammers Alex Polyakov and Leo Kuvayev. Between those three there is a substantial involvement in fraud, money laundering and even child pornography. It's hard to say who is responsible for what.. but I betcha that the Russians are running scared that Soloway will really start to talk. I've documented this connection a couple of times in the past (see here and here.)
There's plenty of evidence around to nail Soloway for a long, long time.. but to be honest he's not even the worst spammer out there. I suspect the possibility of a plea bargain is quite likely, so that international law enforcement can get to the even bigger fish.
-
Re:Advice
Some links about this ASUS bit:
writeup&discussion in french
another writeup, this one's in english
siteadvisor mention
dynamoo blog mention
ithome-tw blog mention
Obviously, don't go to the URLs of the unsafe sites (which are mentioned on a few of these pages) from a vulnerable browser/platform. Be warned.
-os
-
Re:Why not use most secure operating system?
OpenBSD is the most secure operating system? Definitely not. OpenBSD would probably merit no more than a C2 Rating. In reality, most highly secure government computers are running Trusted Solaris.
-
You can't call any orange book "The Orange Book"!
Who decided to call this The Orange Book? I had always known the US Department of Defense Trusted Computer System Evaluation Criteria as The Orange Book.
We can't just make up titles. What if I started a new political party with a green flag as our symbol? Can we be the Green Party too?
-
EBCDIC and dead voters
I once worked on a research project for a newspaper to investigate voter fraud.
To start, they used open records requests to get the details of people who recently voted, and details of those who recently died.
The goal was to find people who continued to vote after they died, which may sound funny, but is still happening.
The data the government gave us was on magnetic reels. The data on the reels was stored in a fixed-width EBCDIC format. Talk about a dead format!
It turned out the local college still had a working magnetic reel reader, and was able to help me get the data out of EBCDIC into ASCII, but the project was cancelled anyway.
-
Re:Pi experiments and random numbers
Sir, I don't think you're going far enough. We need to also think about the computing task of representing all the letters of the Alphabet, plus digits, and some punctuation characters. So, let's take this idea of yours, this BCD, and extend it....
-
Re:It's called a hardware NAT router
Hear Hear!
cynical side notes:
There is no technical reason why I should not be able to walk into compusa, ask for a computer that by design doesn't "get viruses" and not get laughed at. The orange book described what a secure computer system should look like, multics shows what a secure OS and computer system look like in reality... and they did so thirty f$%#ing years ago! (Also the morris worm was in 88) There is only one conclusion possible, everyone who can fix these problems once and for all has been abducted by aliens for twenty years now and no one noticed... or whatever. Their excuse better be good!
The fact that no one goes into compusa to ask for a computer that does not spend most of its time spreading worms and ddos might also be a small factor. This is of course not going to change until the reporting on computer security moves on from spreading symantec FUD to doing real reviews of the stuff on the market. This would interfere with the megahurts/marchitecture "benchmarks" though...
To be fair this report isn't all bad. It has the usual vaguely defined growing graphs, percentages only, no absolute numbers and everything "Source: Symantec corporation". You won't find those in honeynet and SANS data and analysis. Being duct tape salesmen the symantecs of this world need their FUD...
However to the end the report has some real data from what looks like an impressive honeynet. You will have to go through the usual "number of reported vulnerabilities" graphs comparing mozilla and internet explorer first though.
-
Re:What a bunch...
If you can't figure out the format of an XML file (with appropriate Schema or DTD) in 15 years, god help you.
Wow! It's easy to see you've not been in this game for fifteen years.
Let's see, it's easy to figure out the format of a file so long as it's in XML. Provided, of course, that you know the character encoding, of course. And that you've got a device that can actually read the media. And provided you can license the patent on the compression algorithm. And provided the XML doesn't include any binary sections. So, no problems, then.
-
Re:Indeed
-
It's not the first time..
It's not the first time this has happened either, see this article relating to an incident that happened back in September with Falk AG.
-
Re:Practical Concerns
My dad loves floppy disks. He's one of those guys who's locked in a particular era of computing, probably around 1995, he loves WordPerfect and Lotus Notes, simple websites and lets the computer run overnight -- after closing all other programs -- for 1 meg downloads. (If you touch it, it might stop.)
He also won't, for the life of him, trust hard drives, zip disks, CD-Rs, dedicated network storage, or anything else to store his resume, which he updates and tweaks nightly. Not really in need of a job, being an international energy lawyer (i.e., oil man, and in *this* administration of all times), it's more of a hobby.
Luckily, there's something about the size and heft of the disk for him that makes it oh-so-magical, so I got him a DynaMO drive, which is a magneto-optical drive. I won't go into details (someone feel free to provide), but because of the way the media is written to the disk (not to mention the casing), they can take a beating, and much more than flash or other 'sensitive' media where scratches, low heat, or simply Murphy's Law can kill your data.
Pricey (~$200-250), but not considering you're writing books. Use some of your advance money and invest.
-
Re:Something tells me...
I've personally never heard of them, and I'm sure most others haven't either, so why should I trust them?
There have been many articles on Slashdot about Diebold for over a year. You must be new here (no pun intended). A lot of Slashdot's audience, estimated at around half a million readers a day, have heard of it.
-
Reminds me of Pets Warehouse
Reminds me of the infamous Bob Novak of Pets Warehouse who decided to sue some unhappy customers who moaned about his company in a forum for the tune of $15,000,000.
A Slashdot favorite, you can read about it here, here, here and a synopsis here and another one here.
Basically, suing the customers backfired horribly and Mr Novak ended up being countersued and lost. A cautionary tale!
-
Re:My favorite designs
The binary is WRONG BTW. The correct values can be determined from the table here.
-
Trustworthiness and security
The entire industry needs to place a higher priority on building trustworthy systems, even though this means building systems that have fewer features and that take longer to deploy because of increased development times.
So now we're supposed to waste our time fiddling our thumbs about broken trust and rights "management" crap? This is the same stunt MS pulled by claiming Windows met "Orange Book" (from the NSA Rainbow Series of books) "security" standards. Of course, Access Control Lists don't do much if your OS is full of buffer overflows and similar exploits, and this is ignoring the issue that ACLs don't do much at all and don't do it very well anyway. This seems like an overly expensive way of distracting customers from the real security issues (ha! like that one-month code review jerk-off session really accomplished anything).
I can see only two benefits coming from this. Likely the grants those professors are receiving from MS will trickle down to some poor, hungry grad students who actually deserve it. Also, if the quote above has any relevance to MS's own development plans (but I'm not holding my breath), maybe people forced to use MS software will have to suffer through less feature bloat and mandatory-upgrade new versions.
-
About half a cent
My rule of thumb is that 1Gb of data transfer is good for around 10,000 page views.
If you're looking at a wholesale price for a 20Gb per month account of being around $500 to $1000, then that's $25 to $50 per Gb, which would be about a quarter of a cent to half a cent per page.
-
Compare with the Orange Book
What are the qualifications/skills of the "independent" verifier? MCSE? Code monkey? Nick the Pig?
The sort-of-precursor to the CC, the DOD-5200.28-STD (Orange Book) specified exactly who needed to be in the testing team. For "Division C" (Windows NT 4.0 is rated C2):
10.1.1 Personnel
The security testing team shall consist of at least two individuals with bachelor degrees in Computer Science or the equivalent. Team members shall be able to follow test plans prepared by the system developer and suggest additions, shall be familiar with the "flaw hypothesis" or equivalent security testing methodology, and shall have assembly level programming experience. Before testing begins, the team members shall have functional knowledge of, and shall have completed the system developer's internals course for, the system being evaluated.
For higher security classifications, the qualifications of the testing team get higher. For Division A you need at least one individual with a bachelor's degree in Computer Science or the equivalent and at least two individuals with masters' degrees in Computer Science or equivalent.
10.1.2 Testing
The team shall have "hands-on" involvement in an independent run of the tests used by the system developer. The team shall independently design and implement at least five system-specific tests in an attempt to circumvent the security mechanisms of the system. The elapsed time devoted to testing shall be at least one month and need not exceed three months. There shall be no fewer than twenty hands-on hours spent carrying out system developer-defined tests and test team-defined tests.
So, Safety Cap's point is well made - the method of testing and the personnel carrying it out is just as important as the technical criteria.
-
Re:The most secure OS
Point of order re:
b) Everything from B1 up to A1 (never ever reached by any OS).
There are several OS's rated B1 or above.
From Dynamoo:
B - Mandatory Protection
Division B specifies that the TCB protection systems should be mandatory, not discretionary.
B1 - Labelled Security Protection
As C2 plus:
- Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
- Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
- Auditing of labelled objects.
- Mandatory access control for all operations.
- Ability to specify security level printed on human-readable output (e.g. printers).
- Ability to specify security level on any machine-readable output.
- Enhanced auditing.
- Enhanced protection of Operating System.
- Improved documentation.
- Example OSes are: HP-UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, SGI Trusted IRIX.
- Notification of security level changes affecting interactive users.
- Hierarchical device labels.
- Mandatory access over all objects and devices.
- Trusted path communications between user and system.
- Tracking down of covert storage channels.
- Tighter system operations mode into multilevel independent units.
- Covert channel analysis.
- Improved security testing.
- Formal models of TCB.
- Version, update and patch analysis and auditing.
- Example systems are: Honeywell Multics, Cryptek VSLAN, Trusted XENIX.
- ACLs additionally based on groups and identifiers.
- Trusted path access and authentication.
- Automatic security analysis.
- TCB models more formal.
- Auditing of security auditing events.
- Trusted recovery after system down and relevant documentation.
- Zero design flaws in TCB, and minimum implementation flaws.
- The only B3-certified OS is Getronics/Wang Federal XTS-300.
- Formal methods and proof of integrity of TCB.
- These are the only A1-certified systems: Boeing MLS LAN, Gemini Trusted Network Processor, Honeywell SCOMP.
-
9/11 proved it can't
9/11 proved that news services collapse under heavy load, something that was repeated only a few weeks later with the Queen's air disaster. This series of diary articles might refresh your memory.
Being a Brit, the BBC was the first place I turned to for news and basically the whole thing ground to a halt and that was despite the BBC News outfit having upgraded systems substantially to cope with the 2001 UK General Election. Both the UK and US mirror were swamped and basically stopped working. Interestingly the US Mirror site was in New York, not far from the WTC, and despite the fact the power was lost in the entire area, the servers kept going for several days on backup generators until those generators died due to the dust.
It tended to be the second-tier news service like Ananova that could cope, simply because in times of crisis people will always turn to familiar names first.. the BBC, NBC, CBS, CNN etc.
I seem to remember that the low-graphics option came after 9/11, but it's only a partial solution to the problem.. several times since then the BBC have switched to low-graphics but there haven't been any events of the magnitude of 9/11 since then.
Look at it this way.. let's say the US has 50 million office workers with access to the Internet (a pure guesstimate) and they all try to access the same news sites within a window of 30 minutes. On 9/11 people were trying to download videos of the attacks so they could understand what was going on - don't forget that those now familiar images we all know now were completely unthinkable. This combination of huge numbers of users and very high demand for streaming video is almost impossible to keep up with.
In short, on 9/11 the web let us down and the only people who knew what was going on were those with access to televisions. The world has not moved on that much in the past 12 months, so basically the same thing will happen all over again if (God forbid) the same thing happens all over again..
-
According to the Orange Book..
According to the Orange Book, the now-slightly-obsolete DoD certification, Windows NT 4.0 is secure enough to get a C2 Certification.
Now, before we all laugh and say "doesn't it show that the certifications are stupid?" consider this.. maybe the certification system does work, and all those other certified products are equally flaky. I've got a list of some TCSEC-certified systems here and frankly it's a pretty unappealing set of OSes. If there were as many Unicos systems (rated B1) out there as there were Windows, I betcha they'd find holes in it soon enough. The fundamental problem with any popular OS is that there will be thousands of hackers and wannabees probing away at it. I don't think there are many people reverse engineering CA-ACF2 MVS in their bedrooms.
I think the motto should be: "Security Through Obscurity" - perhaps all those horrid proprietary OSes did have a point after all.
-
Re:but VMS lives
Windows NT and VMS do actually share a common heritage (see here.)
I ran VMS systems for years and it's a lot less friendly than *nix, but it's a hugely stable and coherent OS. In four years of running VAXes I had *two* occasions where the thing crashed unexpectedly, and both times Digital took away the dump tapes for analysis because they treated system crashes seriously.
In the business I work in, we use OpenVMS on Alphas to run our warehouse system. It's a solid, reliable and very dull OS which is exactly what we want.
And for security, OpenVMS is a DoD certified C2 product, with a variant (called SEVMS) which is certified B1. I have a list here which includes current-ish product links.
Look, the VMS vs Unix argument has been raging since 1978 when the VAX-11/780 came out. The fact that both these OSes are decades old means that they're both strong OSes and have a lot of life in them yet.
-
How long until it gets abused..?
How long until it gets abused? Well, probably about 5 seconds in my opinion. Look, I have no real objection to anti-terrorist or anti-organised-crime bodies such as MI5, MI6 or Special Branch having this sort of access - Echelon has been doing this for a while anyway, it's just a logical extension of those powers for intelligence services.
HOWEVER.. for everyone else it's a snooper's charter. For example, just why does the local council need access to my traffic records? Do I have something to hide from them.. well YES as an active participant in local democracy I sometimes find myself at odds with people in power. Do I want them (for instance) to collect the email addresses of people I correspond with and build up a list of everybody who's a member of the same political party as I am? Nope - that information is highly confidential. Do I want them to probe the URLs I'm looking at when I'm maintaining political websites or sites that are critical of the administration? Nope - remember, sometimes the password is either encoded into the URL, or the raw URL itself can often bypass authentication.
That's just an example of legitimate political activity that will potentially come under scrutiny by corrupt people in local government.. and believe me, there are plenty of those about.
To an extent, I trust MI5 and other bodies because I'm not a terrorist or drug smuggler, but do I trust all those other bodies that will be able to snoop on me? Absolutely not.. this WILL be abused, but don't count on the perpetrators ever being brought to justice.
I might just change my name to Winston Smith and get it over with.
-
Orange Book etc
Because someone always mentions DOD-5200.28-STD Trusted Computer System Evaluation Criteria ("Orange Book") compliance let me just say by the time it would get round to being certificated as a proper defense-grade OS it will be hideously obsolete - the latest Micro$oft OS to be certified "secure" (hahahahah) is NT 4.0 which shows how long the process takes. Take a history trip and look at some of the Certified Products.
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics for the Intel platform? :)
-
Re:Rainbow Books
Well hey I run a site about the Orange Book and it's still a pretty good basis for ranking systems.. the Common Criteria are derived from it, but there's nothing like a good old DoD certification if you're responsible for the security of any major nation.
The TCSEC certification process is important in that it's a real certification.. if you get a TCSEC rating of "B" or better you know you've got a kick-ass secure system, and the US Government says so. Certification is, and always will be, extremely time consuming and expensive.
Also, the most secure systems tend to be weird and wonderful, or hideously out-of-date. Check out the site ;) and have a look. Oh yeah, and don't expect Windows XP to get certified any time soon.
-
Surely this is what Snapnames do?
Making a wild stab in the dark, NSI/Verisign are doing this in response to the similar service offered by Snapnames.
If you don't know about Snapnames, read about it here, but essentially it's a back-ordering service.
NSI are actually a Snapnames affiliate, so they get $7 per back-ordered name through their site. I guess they want the rest of the money too.
-
Re:What about ...
Even the BBC collapsed under the sheer weight.. it was TVs, Radio or hunting down smaller news sites such as Ananova or nothing.
Hey look I wrote about it :) here, just a monthly diary entry. I just thought it was a significant moment in net history.
One thing it made me do though was change my news provider to Ananova, run by the UK's Press Association - the stories are posted much more quickly than anywhere else :)
-
Re:Critique
A couple of points:
- There are actually government-approved products for automatic transfer of information from a low to high security environment. In general, these involve a "middleman" workstation running under a trusted operating system. The gateway machines to each network have privileges set so they can only read or write (as appropriate), and software on the middle system moves the data to the correct ingest directories. Data transfer from high to low always requires manual review. The "communication" is basically a file transfer, so a protocol such as TCP/IP which requires acknowledgement would not be possible.
- I disagree with the statement "the fact that the high network wants certain data from the low network is sensitive itself." Please keep in mind that secure networks are found in secure areas, and interfaces are not in public view. The operators and maintainers of these secure systems are perfectly aware of the kind of data being sent -- it's the content of the data which exists at a higher level of security.
- DoD classified networks never send classified information over the Internet per se, nor are they ever connected to any kind of unclassified network. There are approved encryption technologies for sensitive communications, but classified information must be transported in other ways from location to location.