Plan9 is now Officially Open Source
DrSkwid writes "The OSI have approved the revised license for the plan 9 operating system according to attendees returning from this year's Usenix Bof."
Open Source Linux Based POS Systems?
tha_mink asks: "I am currently working for a number of clients that have very similar needs for a cost-effective POS system that may be integrated online. (read : cheap if not free) These are all small business clients with small budgets and so I would like to suggest something Linux-based, with a nice GUI, and a database I can get at through the web (PostgreSQL would be great). I have searched for and read the past Slashdot articles on the subject only to find that they are old and out of date. I have also done numerous google searches only to find that there is not a clear leader. My clients don't really need things like payroll and purchasing but inventory control, accounting, and customer storage are important. So I ask: What systems are available to fulfill the needs of small business without breaking the bank and without requiring any software from Redmond?"
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
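The signals Fyodor names in his answer (initial TTL, selective ACK and the other newer TCP options, ECN bits) can all be read passively from a single response packet. The following is an added example, not Nmap code or anything from the interview: it parses one constructed IPv4/TCP SYN/ACK and extracts those fields. The 32/64/128/255 set of candidate initial TTLs is an assumption about common stacks, not something the interview states.

```python
"""Passive extraction of OS-fingerprinting signals from one IPv4/TCP packet.
The sample packet below is constructed by hand, not captured from any host."""
import struct

# Candidate initial TTLs (assumption: the classic set used by passive tools).
# An observed TTL is rounded up to the nearest one; the gap is the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

TCP_OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sack_permitted", 8: "timestamps"}


def guess_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops) for an observed TTL, or (None, None)."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def parse_tcp_options(raw):
    """Decode the TCP options area into {name: value} (True for flag-only kinds)."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP used as padding
            i += 1
            continue
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, "opt%d" % kind)
        if kind == 2:
            opts[name] = struct.unpack("!H", data)[0]
        elif kind == 3:
            opts[name] = data[0]
        elif kind == 8:
            opts[name] = struct.unpack("!II", data)
        else:
            opts[name] = True
        i += length
    return opts


def fingerprint_signals(packet):
    """Pull TTL, ECN flags, window and options out of an IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    initial, hops = guess_initial_ttl(ttl)
    return {
        "ttl": ttl,
        "initial_ttl_guess": initial,
        "hops": hops,
        "ecn_ece": bool(flags & 0x40),   # ECN-Echo (RFC 3168)
        "ecn_cwr": bool(flags & 0x80),   # Congestion Window Reduced
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "window": struct.unpack("!H", tcp[14:16])[0],
        "options": parse_tcp_options(tcp[20:data_offset]),
    }


def build_sample_packet():
    """Constructed SYN/ACK reply: TTL 52, ECE set, MSS/SACK-permitted/wscale options."""
    options = bytes([2, 4, 0x05, 0xB4,   # MSS 1460
                     1, 1, 4, 2,          # NOP, NOP, SACK-permitted
                     1, 3, 3, 7])         # NOP, window scale 7
    data_offset = (20 + len(options)) // 4
    # flags 0x52 = ECE | ACK | SYN
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2000,
                      data_offset << 4, 0x52, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     52, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


if __name__ == "__main__":
    for key, value in fingerprint_signals(build_sample_packet()).items():
        print("%-18s %s" % (key, value))
```

A TTL of 52 rounds up to 64 with 12 hops, which is the kind of per-OS hint the answer describes; the option list and ECN bits are the other two signals it mentions.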
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts...
by Tim_F
...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, it is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case. Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
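The "traditional network server vulnerabilities" step above says to list local listeners with netstat, confirm from outside with Nmap, and then treat every open port (Windows file sharing, NAT device admin ports) with suspicion. The script below is an added example, not from the interview or the Nmap project, that does that cross-check: it parses a constructed Linux-style `netstat -an` listing and a constructed line in Nmap's grepable (-oG) format for the same host, then reports exposed listeners, the risky ones, and any port the outside scan saw that no local process explains. The netstat column layout and the set of risky ports are assumptions.

```python
"""Cross-check local listeners (netstat) against an external Nmap scan.
Both inputs are constructed sample output, not captures from a real host."""
import re

# Constructed `netstat -an`-style listing (assumption: Linux column layout).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

# Constructed Nmap grepable (-oG) line for the same IP as seen from outside.
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///, "
    "137/open|filtered/udp//netbios-ns///\tIgnored State: closed (65531)"
)

# Ports the answer singles out as worth closing unless clearly needed (assumed set).
RISKY_PORTS = {("tcp", 139): "Windows file sharing (NetBIOS session)",
               ("tcp", 445): "Windows file sharing (SMB)",
               ("udp", 137): "NetBIOS name service"}

LOCAL_ONLY = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Return {(proto, port)} for sockets bound to a non-loopback address."""
    exposed = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0][:3]                  # tcp6 -> tcp
        addr, _, port = parts[3].rpartition(":")
        # UDP sockets have no state column; TCP ones must be in LISTEN.
        listening = proto == "udp" or (len(parts) > 5 and parts[5] == "LISTEN")
        if listening and addr not in LOCAL_ONLY:
            exposed.add((proto, int(port)))
    return exposed


def parse_nmap_grepable(line):
    """Return {(proto, port)} that Nmap reported open (or open|filtered for UDP)."""
    seen = set()
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:
        return seen
    for entry in m.group(1).split(", "):
        fields = entry.split("/")
        port, state, proto = int(fields[0]), fields[1], fields[2]
        if state.startswith("open"):
            seen.add((proto, port))
    return seen


def audit(netstat_text, nmap_line):
    """Combine both views into the findings a home admin would act on."""
    local = parse_netstat(netstat_text)
    remote = parse_nmap_grepable(nmap_line)
    return {
        "exposed": sorted(local),
        "risky": {p: RISKY_PORTS[p] for p in local if p in RISKY_PORTS},
        # Open from outside with no local listener: something in front of the
        # host (e.g. the NAT device's admin interface) is answering there.
        "unexplained_remote": sorted(remote - local),
        # Listening locally but not seen from outside: filtered upstream, or a
        # UDP probe the scan could not resolve; confirm from the configuration.
        "not_seen_remotely": sorted(local - remote),
    }


if __name__ == "__main__":
    for key, value in audit(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE).items():
        print("%-20s %s" % (key, value))
```

In the sample, port 8080/tcp is open from outside but has no local listener, which is exactly the "external NAT device admin port" case the answer tells you to go and close.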
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Dug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
Google US Puzzle Championship
friedegg writes "Google has announced their sponsorship of the US Puzzle Championship, which they describe as a "a national online competition to identify America's most logical minds." Two winners will join the US Puzzle Team, and head to the Netherlands for the World Puzzle Championship in October. The US Puzzle Championship will be held Sunday, May 31 at 1pm EDT, but registration closes tomorrow, May 29 at 9pm EDT! Make sure you read the rules of the challenge if you plan to participate. The rules note that "Members of the Canadian puzzle team may also be selected using this test. Unofficial participation is open to all puzzlers world-wide."" -
Ask Bram Cohen about BitTorrent
It's a clever P2P 'information broadcasting' concept, as the simple diagram on the BitTorrent home page shows. It's gotten a fair amount of notice, especially here on Slashdot. And reader Ignorant Aardvark wrote to us about BitTorrent sites disappearing, possibly because of RIAA/MPAA intervention, so this technology is now generating some controversy as well. The person behind BitTorrent is Bram Cohen, and he's agreed to answer 10 of the highest-moderated questions about BitTorrent you post here. So ask away (after reading the project FAQ and other info about BitTorrent and Bram, of course). We'll run Bram's answers as soon as he emails them back to us. -
Phoenix Unveils Anti-Theft BIOS
linuxwrangler writes "According to articles at PC World, c|net, Internet Week and elsewhere, Phoenix Technology is introducing a new BIOS-based anti-theft system. Every time a TheftGuard equipped machine connects to the internet it pings a server at Phoenix which can instruct the machine to wipe its hard drive, report its location or disable itself. Given that most people don't want to have their every movement tracked and don't want someone else to have the power to wipe their drives, Phoenix figures that corporate clients are the prime customer. I just wonder who is liable when a company sells a surplus laptop on eBay but gets their inventory control screwed up and reports it as stolen..." -
Copying Graphics - What is Fair Use?
it0 asks: "I'm writing a web application and since I can't create good graphics, I'll be ripping them from other places on the web. The decent thing to do would be to ask permission, and at least specify where you got the graphic, however I don't see this happening much on other websites. Here's an example: I copied a trashcan icon that seems to be used by everyone and nobody seems to specify its original source. What about wallpapers? I've see a lot of models without references? I've also seen a lot of images that imitate the Windows GUI, and I've yet to notice anyone getting sued! For those interested, here is more information on the subject." -
Saving MUDs?
chewedtoothpick asks: "My absolute favorite game of all-time, Exile [Archive.org mirror], is a MUD that is about to be shut down, and I've noticed that MUDs have been diminishing in number, especially lately. Why are they all quitting, and what does it take to resurrect them? Is it a matter of buying the code off the creator? Is it a matter of making your own and hope it comes close to the one you want it to be like? Is there nothing we can do to save the classics that define multi-player games?" -
SAP and MySQL Join Forces
An anonymous reader writes "Heise Online is reporting that SAP and MySQL are going to cooperate (German article, you may want to use Google's translation). Short summary: MySQL and SAP are going to develop a new database server. 'The primary responsibility for the development and product management is with MySQL' says SAP spokesperson Karl-Heinz Hess. Until the new database is released, SAP will continue to develop its own free database system SAP DB, however it will now use the MySQL brand name." On a related note, IBM is introducing a low-end version of DB2. -
Old Hard Drives = Free Electricity
tylernt writes "You know all those old hard drives you have laying around? (Raise your hand if you still have RLL or MFM drives... yeah, I thought so.) Well, now there's something useful you can do with them (besides my personal favorite, shooting them): make electricity! While you're at it, you could do something more productive with that old lawnmower, too." -
World Telecommunication Day
Paul McCord writes "The International Telecommunication Union is asking everyone to join in for World Telecommunication Day 2003, Saturday, May 17. The ITU suggests that this is 'an excellent opportunity to launch public campaigns and advocacy activities in favour of greater access to [information and communication technology] and how the work of ITU helps all of the world's people to communicate.' It may be a bit late to join in on some of the official activities, but awareness if nothing else will help to serve the day's purpose. See the WTD2003 site or this Google News query for information, links." -
Hubbard Asks FreeBSD Hackers To Rename EDOOFUS
MobyTurbo writes "Jordan K. Hubbard, on instruction from Apple, had to inform the freebsd-hackers list that the error, pointed to by the error message number named EDOOFUS, must be changed. Several interesting suggestions have been made in the resulting thread." -
Cornucopia Of Spam Bills
frankie writes "Anti-spam legislation is getting serious attention from the U.S. Congress and the media. Several bills are on the front burner, including REDUCE, CAN SPAM, and a RICO amendment. However, the strongest contender is a new bill sponsored by Billy Tauzin (R-La.). It would allow spam from any company you've done business with in the past 3 years, override stronger state laws, and block private lawsuits. You can complain now or complain more later." -
Google To Create "Blog" Search; Potentially Remove From Main
Skyshadow writes "Google, search engine of choice for pretty much everyone, has announced that it will begin a separate index for blogs and remove them from the normal index, handling them instead in much the same way as their usenet archives. This will hopefully put an end to the recent difficulties locating primary source material among the mountains of blogs which are clogging the ratings system." There have been comments from elsewhere that say they won't be removing them - but that remains to be seen. -
The Neverending Sex.com Story
fwc writes "This has to be the story which will never end. Back in 1996, Steven Cohen "stole" sex.com from its original owner (Gary Kremen) by forging a letter to Network Solutions asking for the domain to be transferred to him. Subsequently Kremen sued to get the domain name returned. Through what seemed to be a neverending parade of lawsuits and judgements (Documented on slashdot here, here, here and here, and also in several other places), Kremen finally got his domain back and Cohen was ordered to pay $65 million in damages. In the latest twist, Cohen is asking the US Supreme Court to overturn the verdict of the lower courts by claiming that he owned the sex.com trademark prior to Kremen registering the domain. This should prove interesting since it looks like the filing at the USPTO occurred two years after the domain was originally registered." -
MIT Creates Urine-Controlled Video Game
cscx writes "Well, they've done it again. The boys at MIT have designed a video game that's playable by doing your business at a urinal . The game resembles "Duck Hunt" from the Nintendo days, except instead of the Zapper gun, the game is controlled by your stream hitting a multitude of sensors placed on the back wall of the urinal. Weird? Yes. Still cool? You bet." The accompanying document (PDF link, here's an HTML version from Google) explains how this game could lead to improved sanitation, since you won't want to miss, and may even increase personal hydration, since getting rid of all that water is now so much fun. -
IDSA Requests VIC 20 Cartridge Roms Takedown
An anonymous reader writes "The VIC20 cartridge dump archive has been taken down by FUNET following a request by the IDSA (Interactive Digital Software Association). More info from comp.sys.cbm." Of course, VIC 20 users are now going to have to buy their cartridges in stores, and by "stores", I mean garage sales, flea markets, and swap meets. -
Other Sources of the "Slashdot Effect"?
mattsucks asks: "I was surfing Google News today, looking for something interesting. I had just loaded the page, and hit refresh. A new story popped up at the top of the news page, so I chased the link. 'Server Too Busy, Try Again Later' replied the kind webserver. Obviously a Google News-driven Slashdotting was in effect (pun intended). Another example: one of our local talk-radio DJs likes to have his listeners pound the web sites of anyone he is peeved at. He's the #1 DJ in his slot, so when he says 'click' he generates a LOT of traffic. What other causes have people found of the Slashdot Effect?" -
G-Spy - A Gaming Meta News Site
Guy In A Labcoat writes "I just discovered a "gaming meta news site" called G-Spy. Looks like someone's trying to get something like Google News going for gaming. They claim to scan roughly 40 gaming news sites periodically, in order to get an objective index of what's hot in the world of games at the very moment. Looks interesting!" It's also reminiscent of a gaming version of the weblog-orientated Daypop Top 40. -
Using the DMCA Against License Violations?
bcrowell asks: "Here's a moral conundrum for you. The much-hated DMCA can be a tool to enforce copyleft licenses, and in my case, it may be the only effective tool. I'm the author of some free physics textbooks (all free as in beer, some free as in speech) that are available under the GFDL and OPL copyleft licenses. I've learned that there's a guy on eBay who is selling my books on CD and violating the license. (Selling is allowed, since they're free-as-in-speech, but he's violating the license in various ways, such as not informing his buyers about the license, and selling them under a different title and using the tables of contents in his ads without showing the license or listing me as the author.) It's not just me. He's doing the same thing with other copylefted books, such as this one." The submitter is worried about the ethics behind using the recent misuses we've seen so far. Those interested in this question might also be interested in Prof. Felten's answers from his recent Slashdot interview.
"eBay has several different mechanisms for complaining about this, and I used one of them. Other people have complained too, but so far the result just seems to be that eBay deletes the listings of the items (which have already been sold). Meanwhile the guy is still violating copyleft licenses (as well as selling other copyright-violating stuff, such as screensavers containing commercial porn images).
Apparently the most effective way to deal with this on eBay is to participate in their vero program, which basically means sending the DMCA Police after the guy. For instance, if I wanted to sue the guy (which I don't), I'd need to know his name and address. The DMCA says that eBay has to provide that info to someone who complains about a copyright violation.
It seems like it would be a similar deal in the software world. The conventional wisdom about how to prevent infringement is to GPL your code, and transfer the copyright to the FSF, which will contact license violators and (theoretically) sue them if it comes to that. So how long will it be until the FSF is asked by an open-source developer to invoke the DMCA in order to deal with a license violation? In my own case, should I go ahead and join eBay's vero program? It would make me feel like I was in bed with the enemy, but it does seem like it would give me some very effective options for dealing with the situation. For instance, members of the program can have eBay run automated boolean searches for copyright-violating items, and get the results e-mailed to them periodically.
One possible reply to my question is 'Why do you care?" The problem here is that this guy is doing exactly what RMS originally designed copyleft to prevent: he's taking free information and making it not-free. His customers don't know that the books are copylefted, and have effectively had their own freedom taken away: they don't know they can modify the books, copy them, or sell them." -
Howard Schmidt Resigns As Cybersecurity Advisor
scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail." -
Firebird Name Debate Enters a New Stage
An anonymous reader writes "As many readers will know, mozilla.org was asked to change the name for their standalone browser, Phoenix as another browser had the same name. After months of discussion, the new name was announced as Mozilla Firebird. Despite the new name being approved by AOL Legal, supporters of the FirebirdSQL database were quick to object (though the name is also used by many other people). A coincidentally named supporter of FirebirdSQL, IBPhoenix, put up a slightly immature request for their readers to participate in a mass posting campaign targeting mozilla.org developers' email accounts, newsgroups and even forums at independent sites such as MozillaZine and Slashdot. FirebirdSQL's official site later reiterated this message. However, IBPhoenix have now declared this shock-and-awe stage of their campaign over, heralding it a success. Their second stage calls for a more focussed email protest at just two of mozilla.org's members: Mitchell Baker (mozilla.org's leader) and Asa Dotzler (announcer of the name change). In addition, they ask their readers to move away from 'derogatory messages' and to show more 'courtesy'. Unsurprisingly, the beleaguered admins of affected sites such as MozillaZine have welcomed this change of direction. This is getting very interesting!" -
Paul Allen Plans Sci-Fi Shrine in Seattle
ctar writes "You couldn't ask for a more appropriate or schizophrenic slashdot story...The NYTimes online was the only one carrying the story according to Google News, so this is all you get." -
Games Workshop Tries to Crack Down on Internet Sales
heirodule writes "In this messageboard posting internet retailer The warstore says he was contacted by Games Workshop, maker of miniature wargames such as Warhammer 40,000 and the Lord of the Rings Battle Game. GW will be refusing to distribute their product to retailers who sell over the internet after July 1. That's bad enough, but they cited the problem of IP violations (like people posting pictures of their products?) as part of the rationale. The claim is that for GW, this has nothing to do with internet sales offering discounts (yeah, right) but with the 'experience' that GW wants customers to have (of coming into their own stores and getting a hard sell)." The nearest Games Workshop store to me is a 1 hour, 10 minute drive, according to their store locator. The Usenet thread may be of interest. -
Blackboard Campus IDs: Security Thru Cease & Desist
On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S below). I spoke with Virgil this morning.
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
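The article above describes the suspected weakness in general terms: a reader-to-server message that can be sniffed off the RS-485 or IP link and simply played back, or fabricated outright, because nothing ties a message to one reader and one transaction. The following is an added example, not part of the Slashdot article and not Blackboard's real protocol (the "VEND" wire format, the card numbers, balances, reader ID "R1" and the shared key are all constructed for illustration). It puts a naive vend protocol beside a challenge-response version with a single-use server nonce and an HMAC under a key provisioned into the reader, and shows why the replay and the forged message succeed against the first and fail against the second.

```python
import hmac
import hashlib
import secrets

# Constructed example: message format, card numbers, balances, reader id and
# key are made up for illustration and are not any vendor's real protocol.


class NaiveServer:
    """Accepts any well-formed VEND message off the wire; no authentication,
    no transaction binding, so a sniffed message can be replayed or forged."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def handle(self, msg: bytes) -> bytes:
        # Constructed wire format: b"VEND <card> <cents>"
        op, card, cents = msg.decode().split()
        if op != "VEND":
            return b"DENY bad-op"
        cents = int(cents)
        if self.balances.get(card, 0) < cents:
            return b"DENY insufficient"
        self.balances[card] -= cents
        return b"OK dispense"


def naive_reader_message(card: str, cents: int) -> bytes:
    return f"VEND {card} {cents}".encode()


def run_naive_scenario():
    server = NaiveServer({"0001": 300, "0002": 500})
    legit = naive_reader_message("0001", 100)
    first = server.handle(legit)
    # Passive attacker sniffed `legit` from the link and plays it back twice:
    # each replay is charged to the victim's card and dispenses again.
    replays = [server.handle(legit) for _ in range(2)]
    # Active attacker fabricates a message for a card it never swiped.
    forged = server.handle(naive_reader_message("0002", 100))
    return {"first": first, "replays": replays, "forged": forged,
            "balances": server.balances}


class HardenedServer:
    """Challenge-response: every VEND must quote a server-issued, single-use
    nonce and carry HMAC-SHA256(key, nonce || msg) under the reader's key."""

    def __init__(self, balances, reader_keys):
        self.balances = dict(balances)
        self.reader_keys = dict(reader_keys)  # reader_id -> key bytes (assumed provisioned at install)
        self.outstanding = {}                 # nonce -> reader_id it was issued to

    def challenge(self, reader_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[reader_id and nonce] = reader_id
        return nonce

    def handle(self, reader_id: str, nonce: bytes, msg: bytes, tag: bytes) -> bytes:
        # Consume the nonce first: a second use, or an unknown nonce, is rejected
        # before any balance is touched, which is what defeats replay.
        if self.outstanding.pop(nonce, None) != reader_id:
            return b"DENY replay-or-unknown-nonce"
        key = self.reader_keys.get(reader_id)
        if key is None:
            return b"DENY unknown-reader"
        expected = hmac.new(key, nonce + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return b"DENY bad-mac"
        op, card, cents = msg.decode().split()
        if op != "VEND":
            return b"DENY bad-op"
        cents = int(cents)
        if self.balances.get(card, 0) < cents:
            return b"DENY insufficient"
        self.balances[card] -= cents
        return b"OK dispense"


def hardened_reader_message(key: bytes, nonce: bytes, card: str, cents: int):
    msg = f"VEND {card} {cents}".encode()
    tag = hmac.new(key, nonce + msg, hashlib.sha256).digest()
    return msg, tag


def run_hardened_scenario():
    key = secrets.token_bytes(32)  # assumed shared secret held by reader "R1"
    server = HardenedServer({"0001": 300, "0002": 500}, {"R1": key})
    nonce = server.challenge("R1")
    msg, tag = hardened_reader_message(key, nonce, "0001", 100)
    first = server.handle("R1", nonce, msg, tag)
    # Replay of the captured (nonce, msg, tag): the nonce is already consumed.
    replay = server.handle("R1", nonce, msg, tag)
    # Forgery: attacker can ask for a fresh nonce but has no key to MAC with.
    nonce2 = server.challenge("R1")
    fmsg, ftag = hardened_reader_message(b"guess", nonce2, "0002", 100)
    forged = server.handle("R1", nonce2, fmsg, ftag)
    return {"first": first, "replay": replay, "forged": forged,
            "balances": server.balances}
```

The nonce is what makes the MAC transaction-bound: a MAC over the message alone would still be replayable, since the same bytes would verify again. The caveat the article itself raises still applies: this protects the link, not the reader, so an attacker who can pull the key out of a field device can still build the "drop-in replacement" reader the submitter described, and retrofitting keys into installed hardware is exactly the replacement cost the article speculates about.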
-
NYT On Google's Role In Internet Advertising
prostoalex writes "John Markoff and G. Pascal Zachary from The New York Times take a look at Google, its already dominant position in the field of Web search and its increasing influence in the field of Internet advertising. Google is driving advertisers away from larger advertising venues, like AOL-TW et al., since (surprise!) people actually pay attention to relevant text links and are quite annoyed by pop-ups and similar "innovations". Some interesting data about Google: number of employees is about 800, number of buildings is 4, number of servers is 54K, for which there are about 100K microprocessors and 261K hard drives. This is claimed to be the largest computing system in the world, and that also raises barriers for anyone entering the field of Web search - most companies out there can only imagine a Beowulf cluster of these, let alone build them so that the Web searches are delivered within a second." -
Indies Blossoming Despite RIAA
Shadow Wrought writes "We have all read the numerous RIAA articles on Slashdot, not to mention scores of other articles that discuss the industry's purported demise. An article at the Christian Science Monitor calls this assumption into question by pointing to the success that Indie Labels are beginning to enjoy. An interesting read and one that provides pretty good support against the RIAA's argument that a quartet of college students is responsible for their troubles." -
Peter Jackson remaking King Kong
sigh71 writes "Stuff.co.nz is running a story on Peter Jackson's next big project, remaking the original King Kong. To be written by the same guys who wrote the scripts for Lord of the Rings. Google for more info." -
Ask Prof. Felten About DMCA's Effects
Princeton Computer Science Professor Edward W. Felten has been mentioned and quoted frequently on Slashdot, usually about DMCA matters and, more recently, about new state laws that may make it illegal to use "unapproved" networking devices, VPNs or firewalls with your home or office Internet connection. Please avoid questions that can be answered by reading the pages linked to here or with a bit of Google research. We'll post Prof. Felten's answers to 10 of the highest-moderated questions as soon as he has time to answer them. -
Mozilla 1.4 Alpha To Have ActiveX Support
quakeslut writes "According to the newly posted Mozilla Staff Minutes, Moz is set to have initial ActiveX support for the next alpha. ActiveX... be afraid... be very afraid." -
Shell Companies for Contractors?
dubl-u asks: "What do my fellow freelancers feel about the various shell companies out there? I've got a chunk of work coming up at a place with an especially persnickety contracts department, and I'll probably need to go through a third-party shell company. I used one a couple of years back and they were ok, but there are a lot of them out there, and I'd love to hear about real-world experiences before I sign up. For those unfamiliar with this part of the business, it goes like this: I find my own work; the shell company hires me as an 'employee' and handles my billing and tax withholding for me. Some also 'provide' things like health insurance and 401k plans, although I have to pay for it. You can think of it as outsourcing a lot of the paperwork of being a freelancer. Some outfits, large companies especially, demand this sort of thing." -
Recycling Old Cell Phones (redux)?
Tweakmeister asks: "With the product cycle for cell phones being what seems like months, is there any use for old phones? How about pagers? A search reveals some initiatives to recycle them or send them to foreign countries. Have you found any alternative uses for old cell phones?" We last touched on this subject in this previous article, from two years ago. Have any new ideas shown up on the horizon, since then? -
Oil-Cooling 802.11 Infrastructure
gomoX writes "A group of 802.11b fans in Tordera, Spain, are running a wireless node on the roof of a building, with the idea of a free wireless network for everyone in the neighbourhood. It's a system running Linux with a home-made can antenna, mounted on a plastic tool box on the roof. To keep it cool under the sun and protect it from rain and wind, they have immersed it in vegetable oil (yes, the whole thing). As oil is non-conductive, everything should run fine. The site is in Spanish; here is the Google translation and the Google cache." -
Making a House That Will Last for Centuries?
tcyun asks: "The intro text from kaisyain's review brought up a thought that has been floating around in my head as I am a new home-owner. If one wanted to design a home that would last for hundreds of years, what would one have to do? I, and many of my friends, have recently purchased homes. As with all homes, some things are in good shape, others are not. Many items are the fault of initial design, many are due to poor upkeep and repairs. Looking around, it is possible to have a home last for hundreds of years (my family's ancestral home is about 400 years old and there are castles in Europe that are older). If one wanted to build/modify a home, what would one need to do to make sure that the home would still be standing, and usable, hundreds of years from now?" M: Wired suggests going underground. "A few elements come to mind: structural integrity, usability, reparability, ease of upkeep, physical location (geology and neighborhood), technology, and aesthetics.
- Structural integrity: Rock lasts a long time, but has a variety of draw backs. Concrete (poured or cinder block) foundations are common where I live but wood is still the material used for most of the structure. Should steel cross-beams be considered for parts of the structure? I have heard good things about laminated/engineered wood.
- Technology: Folks on Slashdot have talked about wiring homes with cat-5/7/x and installing empty conduit 'just in case.' Is this really useful with the proliferation of wireless? Would it be more useful if a crawlspace was made available between the ceiling and the attic so that any type of ducting/wiring could be run into a room? Should all rooms have access to a central column through which wiring, plumbing and ducting were run?
- Usability: I have a small house with a small, combined living-family-dining room. I am fairly sure that 50 years ago the designers were not laying out the space to take into account book shelves, a large television, stereo cabinet, gaming consoles, and more in addition to a couch, chair and dining table. Simply making the room larger is one option, but cavernous space is not necessarily good for usability. What would be a good floor plan and how might different sized rooms be distributed to be useful over time for multiple purposes? Would it need a bathroom? (joke)
- Reparability: the previous homeowners made a number of DIY 'improvements' which are nice, until one needs to make a repair. Many items are installed in ways where the only option is to remove entire installations. What types of modular improvements can be made that allow for easy repair/replacement over time as needs change?
- Location: How would one choose where to build a home that would last for hundreds of years? Do you pick an existing neighborhood, space that is at the edge of a town/city or somewhere further out? Does one pick a neighborhood that has been economically/geologically/stable/safe over the longer term even if it is not in great shape at the moment. At first glance, cities in the United States like San Francisco, Detroit, Chicago, Pittsburgh have all gone through 10-20 years spells of nastiness, but have been fairly stable cities at the macro level for a hundred years.
- Aesthetics: Does one simply design/architect and deal with the fact that it will variously become attractive/unattractive over time?
And to complicate matters, how different are the options if one imposes a budget for initial construction (depending on your own idea of what a realistic budget is)."
-
Slashback: Rocketry, Pythonation, Scoffing
Slashback tonight brings a few followups to recent Slashdot postings on the fate of model rocketry in the new, hypercautious America; a few Python gatherings for those who prefer that language to Perl; and a response from Los Alamos to recent claims of lax security. Enjoy!
Besides which, it's the hidden cameras that matter. An anonymous reader adds this followup to the story posted last month about Wired reporter Noah Shachtman's account of sneaking into classified areas at Los Alamos National Laboratory.
"In an email message to all Los Alamos National Laboratory employees, Pete Nanos, the current Director of LANL, responded with information suggesting that the Wired reporter who thought he had broken in to a 'top secret area' had in fact just crossed a cattle fence:
'The Wired reporter clearly did not enter a Laboratory security area. The Laboratory encompasses more than 40 square miles. The security force protects important assets within those boundaries but cannot -- and does not -- protect every square foot of property. Based on the article, it appears the reporter crossed a barbed-wire cattle fence, not a fence that protects a Los Alamos security area.
There is a small security area with several buildings (roughly 400 feet by 400 feet) near the driveway entrance to TA-33. That area is surrounded by a seven-foot-high chain-link fence topped with three strands of barbed wire. A security guard is stationed inside that area seven days a week and 24 hours a day. Clearly, the reporter did not climb that fence.
There are several other buildings outside the security area that are locked for property protection interests. They have no security interests. There are several gates and fenced areas on the TA-33 site, which are there for safety access control, not security.
It's unlikely the reporter would be prosecuted for trespassing; the Laboratory does not have law enforcement authority to prosecute, and none of the proper authorities witnessed the trespass.'"
Perhaps we can have a celebrity deathmatch. hfastedge writes "Ok, now that 2 Perl conferences have been mentioned, I've been brought over the edge. Python is a language that is just as old, and arguably better, thanks to: most importantly, a uniform standard of readability (enforced by using whitespace to delimit blocks (instead of {}), by avoiding overuse of cryptic symbols, and by a culture that strives to keep innovations 'pythonic'), and a rich development community. Anyway, normally there are Python events in Europe, and a track at O'Reilly's OSCON. But now, there is a far cheaper event taking place on March 24-28 in Washington DC: http://python.org/pycon/.
Examples of Python in action: 0, 1, 2, 3, 4, 5, 6, 7"
Fly up go phhhhhwwwtttpffffff .... MyNameIsFred writes "Slashdot recently discussed whether anti-terrorism laws would destroy model rocketry. The government has ruled, and the message is clear: 'When it comes to the hobby of model rocketry, size does matter. And in this case, the magic number is 62.5 grams. That's the largest amount of propellant a single model rocket engine can have in it and still be exempt from a new set of federal rules that will go into effect May 24.' What does this mean for the big guys in model rocketry, who use engines larger than this?"
-
Proposed Usenet Death Penalty for Australia's Largest ISP
supine writes "David Ritz has issued a request for discussion on applying a Usenet Death Penalty to Australia's largest ISP, Bigpond (and its parent company Telstra)." This brought back to memory the time when AOL was facing similar charges. -
China Wants To Establish Moon Mining
China has released more information about that country's plans for moon exploration: Mortimer.CA writes "There's an article over at New Scientist (and elsewhere, Google News it) about one of the objectives being to mine it: 'The prospect for the development and utilisation of the lunar potential mineral and energy resources...'. China having a space program is only one (profound) question. Another one is whether we should be mining the moon: I'm sure the more 'vocal' conservationists have one opinion. What about mining asteroids?" -
Europan Life In Doubt
ceejayoz writes "A newly discovered gas cloud around Jupiter, created by ion radiation hitting the surface of Europa, has cast doubt on possible life on the moon. Google News has more ..." -
Vodafone's Spanish Network Global Failure
TKS writes "It's one of those cases you study that can send a whole network into failure but never really happens. However, this time it did. Today Vodafone's Spanish nationwide network stopped working [Google Translation / Original Version] for more than 7 hours, leaving eight million clients without service. Allegedly an error updating a node's software spread to the whole network, affecting mobile connections and internet access." The Fish comes in handy if you don't speak Spanish. -
Larry Page: Google Was an Accident
DarklordJonnyDigital writes "Ars Technica is reporting that Google founder Larry Page has admitted that the Google project wasn't originally intended to be a search engine at all. 'It wasn't that we intended to build a search engine. We built a ranking system to deal with annotations.'" Of course, happy accidents have often been the cause for advancement, technologically or otherwise. -
Swiss Tax Office distributes Mozilla and OpenOffice
David Gerard writes "From Heise (via Mozillazine): taxpayers in the Swiss canton of Geneva are being given a CD with a French version of Mozilla 1.2.1, OpenOffice.org 1.0.1 and tax program GEtax 2002. Rough English translation from Google." This strikes me as a really cool idea. I already get the cards that tell me to file online rather than fill out paper forms, but it still forces me to buy tax software every year. -
Managing RAID on Linux
rjnagle writes "The availability of HOW-TOs and newsgroups is supposed to make the sysadmin's job easier, right? Much as I am a proponent of the 'distributed learning model' for Linux, the endless searching for answers on the Web for setting up Linux RAID was getting to be a royal pain. Sure, there was a RAID how-to and an excellent newsgroup, but some of the information is out of date, and the tricks suggested by people a year ago may be no longer needed today." Robert reviews the O'Reilly title Managing RAID on Linux below to see how it stacks up to HOWTOs, guesswork and anecdotal evidence.
Managing RAID on Linux
- author: Derek Vadala
- pages: 245
- publisher: O'Reilly
- rating: The best
- reviewer: Robert Nagle (aka idiotprogrammer)
- ISBN: 1565927303
- summary: This book brings RAID to the masses
A person deciding to go with RAID faces a panoply of options and gotchas. Hardware or software? How many controllers? ATA or SCSI (or ataraid)? RAID 1 or RAID 5? Which file system or distribution? Kernel options? Mdadm or raidtools? /swap or /boot on raid? Hybrid? Left or right symmetric? One poster pointed out that putting two ATA drives on the same controller could impact performance. Yikes! Didn't I do that? Upon discovering that O'Reilly had just published its Managing RAID on Linux book, and after looking at the sample chapter, I bought the book and let my blood pressure return to normal.
RAID is one of these subjects that is really not complex; it's just very hard to find all the information in one place. This is precisely the book to solve the problem. Author Derek Vadala, sysadmin and founder of Azurance.com, an open source/security consulting firm, has gathered a lot of information and even personal anecdotes to go through the decision making process when going over to RAID. He goes step-by-step through that process, educating us about hard drives, controllers, and bottlenecks along the way. This exhaustive book may be the first to bring RAID to the masses.
Although parts of the book (RAID types, file system types) may seem already familiar to experienced Linux users, it is helpful nonetheless to have everything in a nifty little book. A section on file systems provided not only a rundown of the merits and drawbacks of each one, but also a guide to their utilities. I learned for example what "file tails" for Reiser are, and why using them causes performance to degrade after reaching 85% capacity. The book compares raidtools with mdadm as well as lovely commands like `nohup mdadm --monitor --mail=paranoidsysadmin@home.com` (which, if you haven't guessed, causes the system to email you RAID status reports upon boot).
People who use software RAID may skip over the chapter on RAID utilities for the leading RAID controller cards. Still, there was one interesting tidbit: Why, the author asks, do makers of controller cards put all their BIOS utilities on DOS floppies which require us to find a DOS boot disk? Seriously, how many of us carry around DOS boot disks nowadays? The book made me aware for the first time of freedos, an open source solution that solves precisely that problem.
The Software RAID stuff was pretty thorough and clarified a lot of things. The book does an excellent job in helping to identify and eliminate bottlenecks and optimizing hard drive performance (using hdparm and various monitoring commands). The anecdotes and case studies definitely clarified which RAID solution is suited for which task.
I am less impressed by the book's sections on disaster recovery and troubleshooting. Although these subjects are brought up at several places in the software RAID chapter, the book could have discussed several failure scenarios or used a fault tree (such as the famous Fault Tree in Chapter 9 of the Samba book, a marvel for any tech writer to read). The book doesn't even discuss booting with software RAID until the last 10 pages of the book and then gives it only a single paragraph (even though the author acknowledges it as "one of the most frequently asked questions on the linux-raid mailing list."). Call me old-fashioned, but isn't the ability to boot into your RAID system ... kinda important? As someone who just spent a significant amount of time troubleshooting RAID booting problems in Gentoo, I for one would have liked more insight into the grub/lilo thing. Also, in the next paragraph in the last chapter on page 228, the author casually mentions that "all /boot and / partitions must be on a RAID-1." Say what? Please pity the poor newbie who religiously follows the instructions in the book but fails to read until the end. I'm not sure what the author meant by this statement, but it required a much more substantial explanation and needed to go into a much earlier chapter.
These complaints don't detract very much from this excellent book, a true O'Reilly classic and a model of clarity and helpfulness. This book provides enough knowledge to avoid the dread and uncertainty that comes with trying to tackle Linux RAID. With a book like this, a sysadmin can sleep a little easier.
Recommended Readings:
- Reliable Linux, by Iain Campbell, Wiley and Sons, Dec 2001, ISBN: 0471070408. Gives excellent information not only about RAID but on general Linux reliability issues.
- Software RAID in the Linux 2.4 Kernel by Daniel Robbins. (Part Two).
- Linux Journal Article on Software RAID by Joe Edwards, Audin Malmin and Ron Shaker. ( Part Two).
- "How to do a gentoo install on software RAID" by Chris Atwood. Gentoo User Forum.
Robert Nagle (aka Idiotprogrammer) is a Texas technical writer, trainer and Linux aficionado. You can purchase Managing RAID on Linux from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
-
Lessig Meets with UK Policy Advisers
scubacuda writes "BBC News reports that Larry Lessig held a private meeting with government media policy advisers at Number 10 Downing Street to urge them to ensure that laws designed to prevent digital piracy do not trample over the right of fair use. Lessig's views could influence the government's approach to proposals to change the Patent Act to implement the European Union Copyright Directive."