Domain: governmentsecurity.org
Stories and comments across the archive that link to governmentsecurity.org.
Comments · 11
-
Re:Won't work
Spoken like a true M$ fanboi! I think you have never been to http://www.remote-exploit.org/ or http://www.governmentsecurity.org/. For starters, just try http://www.nessus.org/. If you believe that privileges can't be escalated, would you mind if I use your PC?
-
Re:Nvidia 8800GT PS3
I modified code from this SHA1 cracker. Good enough evidence?
-
Re:scripting
Oh, there's lots of those: http://www.governmentsecurity.org/archive/t4695.html is one example. There are more for PHP, I'm sure for Ruby and Python but I rarely dabble in those languages.
But also, what is Java then? A scripting language? :D The definitions never really seem to settle. -
Comments from the author
I am the author of the report "802.11n: The End of Ethernet?". There many good comments but some mis-information. Here are a couple of points:
Security: This is a broad topic so let's break it down. 802.11 networks provide authentication, data privacy, and data integrity. If you use best practice wireless security (802.1X + WPA2 + AES encryption) you can deploy a wireless network with authentication/privacy/data-integrity that is just as good as a wired network. Sure, WEP was broken (and lots of companies still have WEP) but WEP is not a best practice. If you want strong wireless security, you have to use WPA2. It is true that wireless denial of service is a vulnerability but the real question is what level of risk can you live with and how much are you willing to pay for RF monitoring/mitigation? Also, don't forget that a wired network is not perfectly secure. Eavesdropping can occur on a WIRED network too (see http://www.governmentsecurity.org/articles/articles2/AC...ble-Security.pdf_fl/
Stability: By "stability" I mean wireless connection reliability. It is certainly true that 802.11b/g/a APs can exhibit instability. 802.11n and best practice network design can alleviate a lot of the problems. Much of the instability with 802.11b/g/a networks is caused by multipath and co-channel interference. 802.11n makes use of MIMO (multi-input / multi-output) radio design that takes advantage of multipath to actually boost throughput and reliability. In addition, dense deployment of lightweight APs & controllers will improve stability through load balancing and dynamic radio management. Co-channel interference can be reduced (but not eliminated) by using 5 GHz spectrum and modern Wireless LAN systems (controller + lightweight APs). In addition, 802.11k (radio resource management) and 802.11v (station control) will be ratified by the IEEE in the next 12 - 24 months. Taken together these two new standards will make a WLAN more like the cellular network (where the network controls roaming - rather than the station) and will greatly increase wireless stability.
From the previous postings, it is clear that a lot of you have had pretty painful wireless experiences. But the technology and products are changing pretty rapidly. The state of wireless technology over the next 2 - 3 years will be very different from where it was over the last couple of years.
Paul DeBeasi, Senior Analyst, Burton Group, pdebeasi@burtongroup.com
-
STP MP3 player
STP.exe, a single 209KB file that can play MP3 and WAV files, and CD's, and it understands M3U and PLS playlists. Works in Windows 95-on and minimizes to the System Tray.
http://www.governmentsecurity.org/archive/t3767.ht ml -
Re:Deep Freeze
We had Deep Freeze on some computers at the high school I went to. It makes the computers slow as piss because there's a lot more disk access (for some reason - can't remember why right now) and it's trivial to bypass if you have a DOS/Linux boot disk.
See this "1337 dud3" for more information. Informative, even if it sounds like a 13-year-old on AIM. ("LOLZ I HAX0RED j00 WIT T3H SUB7 LOLZ!") -
This is a problem with the "security" fieldThere is no code of ethics.
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities, I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are some how doing the software vendors favors by finding the stuff; so just randomly postscanning hosts is really "research," huh? Dispite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors in to code on purpose. You have opensource tools changing their license and close sourcing because of companies that are simply packaging their work can charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stones throw away from developers being held responsible for damages caused by software, there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openess, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application, the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get a 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and constuction of networks for security.
-
Well, this has to be done sooner or later...And of course, this posting wouldn't be complete without a list well know default passwords and appliances...
http://www.governmentsecurity.org/articles/Defaul
t LoginsandPasswordsforNetworkedDevices.php -
Re:And the username/password pair is...
May be this extensive list should help .. -
Re:linksys box?
-
Hacking with Google 101