Domain: heise-security.co.uk
Stories and comments across the archive that link to heise-security.co.uk.
Comments · 41
-
Re:Beta worked well
I used nlite after needing to slipstream my RAID drivers into my Windows install (no floppy drive). At the same time I removed all the bloat (media player, explorer, msn, explore XP intro etc.) and included a bunch of updates with the tool offline-updates.
I considered trying vlite on the recovery disks that I made with my laptop (presario c700 (1GB RAM)) right before I overwrote it with Ubuntu. But there wouldn't be much point as the Ubuntu has proven to be much more responsive and offers the encrypted install option with the 'alternate' install.
Anyone had success with vlite or nlite on OEM 'recovery' disks? -
Re:question
Banks care about money. I think this is way overrated. Banks are businesses like any other company. What they care about is making money - if an investment in security would be larger than the gains, it will not be made. Small losses are part of the daily business, and regularly blamed on the customer, if at all possible; for large losses they probably have insurance.
As examples, there's the British PIN scandal, rampant manipulation of ATMs (with almost no banks investing even a few 100 Euros to allow the customer to "authenticate" the ATM by visual inspection), and of course the continued abuse of credit cards, most of which are issued by banks (who have to bear the losses). -
What about flash videos?
Heise points out that youtube FLV files are generated by youtube from other videos, but seems to leave open the possibility that FLV video files could be malicious in their own right on other sites. Clearly player programs could be malicious (or vulnerable) but what about the videos themselves?
-
Re:i do something similar
i use Firefox with NoScript for general purpose browsing
That's what I'm doing. Firefox with NoScript on Linux. I never access secure systems from a Windows box.
It may be a false sense of security but so are anti-virus programs. Every Windows machine I've ever cleaned had some type of anti-virus program running, many with up to date signatures.
-
The IMEI is *not* transmitted
heise Security did some research on this issue and actually captured the packets with the requests for stock prices. And while they did contain a number, it was certainly not the IMEI of the iPhone. For what it is worth: the weather application even transmitted a different IMEI parameter. See: Controversial checks of stock prices with iPhone. bye, ju
-
Link to the original article
Here's the official English translation: http://www.heise-security.co.uk/articles/98120
-
Re:Linux? You need a hardware write blocker, perio
"The tool called "dd" included in every Linux distribution may not seem very powerful, but it fulfils all of the requirements listed above. In the US government's Computer Forensic Tool Testing Program [1], dd was the only imaging tool that passed all of the tests with flying colours. Even such well known commercial products as Encase and SafeBack had a few shortcomings in these tests."
"The US Defense Department's Computer Forensic Lab has developed an expanded version of dd called dcfldd, which calculates the md5 hash. "
http://www.heise-security.co.uk/articles/74855/1 -
Plone is pretty neat, but...
Just be sure to apply the recent hotfix for a pretty nasty vulnerability.
http://www.heise-security.co.uk/news/98576 -
Re:Why so moderate?
I've yet to hear someone defend the problematic firewall.
OK, here you go! Start with this surprisingly level-headed thread over in the ArsTechnica forums. The c't article seems to have been written by people with a limited understanding of nmap and an axe to grind. The bottom line is the functionality of the Leopard firewall is no different from the one in Tiger, except that it adds a third setting which allows exceptions for ports to be added on-the-fly as applications request them. I do agree that the firewall should come enabled by default, but at least OS X has a very small number of open ports out-of-the-box, which mitigates the issue. But regardless, the hysteria over Leopard's firewall is unwarranted. -
Re:All tests were run on localhost
lsof was of course done locally, but if you look at the image in the article of their connection to the NETBIOS name server you can see it was from a different IP (192.168.69.2 192.168.69.21). In theory he could have run the ntp request and the connection to the netcat service they started locally, but it seems wholly unlikely. Give the guy some credit, c't isn't written by complete idiots.
http://www.heise-security.co.uk/bilder/98120/1/1 -
OSX and security
-
Hole in the Patch for the Windows URI Hole
The author of the Patch for the Windows URI Hole, KJK::Hyperion, found a big bug in his patch for the Windows URI hole. "I just found a gruesome memory leak in it. A silly bug, brown paperbag-grade shame."
According to the article on heise security he did already publish a bugfix version of his patch -- hoping the best it's not buggy again.
-
Re:Monopoly Mentality
If I ever have to reinstall XP though, I would probably install all the updates.
Making an update DVD with ctupdate will allow you to go from a fresh install to fully-patched without picking up any of the malware Microsoft has been pushing out lately. WindizUpdate is good for incremental updates, and it works with Firefox.
-
Re:Dangerous precedent
Ah, no MORON... if you install XP no SP, or XP SP1, or XP SP2 on a new machine, WU will still work, but tell you that/when you need to install the updated Windows Installer. So, obviously, it wasn't necessary to do this in this fashion.
If you check the new WU files (as will be announced one day in the near future) the changes were made to bring WU more feature compatible with each other (Vista and XP version) to allow some of the more "nefarious" updates, integrated update of the Live components and other inter-related MS products (Office, etc) and "crippleware" features MS has announced back in January and again in the last few weeks (watch and see folks... I've been right on this particular company too many times in the past - the last time was when in a thread months before I mentioned that WGA phoned home - PERIOD - no matter what you selected - and then when I mentioned WGA sends a TON of personally identifiable info).
Regardless, you pointed out my point perfectly. WU's "DON'T do this" switch doesn't work. A simple user prompt saying "You REALLY need to do this" would have been sufficient.
How you can be so idiotic to tell me I am a moron and then tell me I am correct I don't know.
For those of you who aren't the above Anonymous Craphead... keep this rather interesting lack of a connection (that should have been made here) in mind...
- MS has ensured that WGA phones home - no matter what
- MS (for most average computer using people) collects your personal information (and machine info, etc) during registration
- WGA sends personally identifiable info home (even though MS claims the info is anonymous). WGA phones home. MS claims they'll delete the WGA info if they don't think you are a pirate... not that I don't believe them (but I don't), but when will they do that? A few years later? A few months later? FACT is they DON'T delete your registration info, and they DON'T delete the machine identifying info - otherwise they WOULDN'T be able to tell if your copy was "pirated" (you know, those problems with moving Windows to another machine... of COURSE they keep the data - otherwise they wouldn't be able to know such things).
- MS has filed numerous ad patents promising the ability to deliver this personal info
- MS already collects (numerous times a month) the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date - all of which can be easily linked back to your name and possibly address as entered during various stages of the Windows Final Setup.
The list could go on and on... some here will be marked Trolls for coming up with the obvious conclusions (that MS so handily proves them right about at a later date)... but history will again (and again, and again) prove them (and me) correct.
If anyone still thinks all their ad related patents, the need to update and control any part of the OS, their data collection needs for their ad platform, their ability to cripple Vista (and I bet you soon XP), their WGA server "failure... oh, I mean wrong code... or both" problems, their "WGA always phones home - with plenty of info to identify you" tool, their (not the first) stealth update, (and on and on) are all coincidence; well then, I have a bridge to sell you.
-
Re:My solution
-
Still many useful tools
I have found that a combination of Heise Security's ctupdate and nLite can be used to create a very nice custom Windows installation CD that not only includes any updates you choose to include, but you can also specify a large number of custom registry settings that will be set when you install.
It's very nice -
Re:Are the patch installers still available?
http://www.heise-security.co.uk/articles/80682 The script downloads the patches from the MS site and you can then burn them to CD or copy them to USB or network, and apply them all at once. Works like a charm.
-
One down, X to go.
Whilst skimming over the About-Section of the page, this tool's description reminded me of heise's "offline update" ( http://www.heise-security.co.uk/articles/80682 ). It's an alternative tool, allowing the download of selected Microsoft Windows update packs for later, offline (re-)use. Nice to have - if you're still on Windows, that is. Wonder if/when it's gonna be shot down as well.
-
F-Secure better at PR than Security
F-Secure have a particular knack for the headline grabbing initiative don't they now? They spent considerable time and effort a few years ago warning us of the virus epidemic that would engulf mobile phones. To date we've still only seen one proof of concept virus, and that required the user to physically install it.
Meanwhile their security software is insecure: http://www.heise-security.co.uk/news/87063 - leaving a buffer overflow in your flagship security suite is a tad dumb.
F-Secure press releases should be regarded as denial of service attacks as they stop the flow of sensible information about security. -
Re:Windows Update
this is what you're looking for: http://www.heise-security.co.uk/articles/80682
-
kernel-level compromise ..
'In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise
.. My guess is that compromising this particular security mechanism will be hard'
Do you mean that this VBootkit bootable CD doesn't really launch and bypass the whole security mechanisms of Windows Vista?
'VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files being read'
How exactly does x64 Vista prevent the boot sector being compromised?
-
Re:Where is XP sp3?
There are two good options. They don't have every last update for the various flavors of XP (home, pro, and media center) but they have the majority of them.
Autopatcher and Offline Updater
Both have options for 2000, XP, and 2003 Server -
Re:Yay!
After getting burned by wgatray a few times (with fully legal installs, they were from HP's restore partition) I disabled automatic updates. I do this on all new installs now. For updates, I use Offline Update. Keep in mind, though, that all updates phone home. To prevent this I disable networking before installing them and block *.microsoft.com and 207.46.0.0/16 at the router.
An alternative to Offline Update is Autopatcher which does have releases for Vista. I used Autopatcher for XP for a while before switching to Offline Update. It works well. I haven't tried it for Vista yet, though.
(BTW, I exclusively use Linux and FreeBSD at home and have for the last 11 years. I have to deal with Windows for family and work) -
Re:I detect hypocrisy
It isn't "a little XML that [shows] you denied the EULA". It's a large piece of XML with several encrypted fields, which you can see here. A message saying "no" shouldn't need any of that.
Also, a public IP address can't be used to reliably identify a single machine or OS installation. -
Original article
You might want to read the original article "WGA notification just doesn't stop" by heise Security instead of the gibberish Google translation of the German version ;-). -
Re:Gibberish
http://www.heise-security.co.uk/news/86294
There's an English language article about the same packet dump.
Some of the data is encrypted, some of it is just acronyms you don't know -
Linux : Speaking of which...
Think about the AV products for Linux or Mac. Most of them clean Windows viruses out of files/emails so that they won't infect other machines
Speaking of which, it is a pity that the opensource world wasn't represented :
ClamAV is a very good solution; it also has a Windows client which may lack real-time on-access scan, but has numerous plugins (like, for example, built-in for Outlook, or downloadable for Firefox) and a few hacks for on-access scanning.
It has been regularly touted for its fast response time against new threats, and it supports hardware acceleration.
It's just a shame that nobody included the anti-virus in the comparison chart. It may not be a ready-for-joe-6pack AV product (no on-access scan) but it's a nice complement for power users. -
Re:Unnecessary.
These guys and organised trolls in the name of professional developer houses could be one of the worst ones the IT industry has ever seen. Yeah, they are real security "experts"
This is not the first time that the MoAB team has had its fun at the expense of users. Those who tried to call not yet released advisories by guessing their file names were treated to extremely disgusting pornographic images. When heise Security reported on the matter and refused to retract its criticism, calling the action "childish", LMH accused Heise of being into "illegal, dishonest, malicious" activities.
He apparently just failed to understand that a German version of the English report had been published hours beforehand and obviously misunderstood the activities of heise readers as a denial-of-service and brute-force attack by the editors. The time frame of the log files published starts after the publication of the German report, and no address is from heise. A polite request to correct the published statements received no reaction. -
Re:RSA SecurID
If you don't think a window of opportunity of several minutes is preferable to a nearly unlimited window of opportunity, you've either got a severe ideological bias towards the nonexistent utopian solution, or you're a broken robot incapable of tears.
What I really think is that the length of this window of opportunity does not matter at all. There are reports that universal phishing kits exist already, making it really simple for anyone not only to create a phishing site but also to mount a man-in-the-middle attack. This makes coordinating with your money laundering agent the most difficult and time-consuming part of the entire attack.
Furthermore I think that those solutions are superior that give the user better control over transactions carried out on his or her behalf. SecurID fails to achieve that. It just makes authentication slightly stronger where identity never was the primary issue.
-
Offline Updater
Heise Security released a script called Offline Updater.
This script will allow you to create all-inclusive, fully-automated update CDs for the English and German versions of Windows 2000, Windows XP, and Windows 2003. The script will create a CD .iso for each OS and/or it can also create an all-inclusive DVD .iso for all of the above versions. You then burn the .isos you created and the installation is entirely automated (some reboots required but it automatically continues with the install).
Here is a short and sweet write-up on this - http://www.heise-security.co.uk/articles/80682/3
Here is where you download the file (.zip) - http://www.heise.de/ct/ftp/projekte/offlineupdate/ctupdate302.zip
Here is Heise Security's Forum on the script - http://www.heise-security.co.uk/forums/go.shtml?list=1&forum_id=108277 -
Re:Accept the realities
There was a recent story here on Slashdot about how to collect and install Windows updates for a "not on the Internet situation."
Check out info from http://www.heise-security.co.uk/articles/80682 for how to go about it. Haven't tried it myself yet but looks to be useful. -
Two different approaches
Win2k - Offline Updates: http://www.heise-security.co.uk/articles/80682 . From a post here on Slashdot a while ago, it's a pretty slick tool. Just keep running it until they stop making updates for Win2k, then burn it to multiple high-quality archival CDs for safety :D A firewall (or even consumer router) never hurts, unless it's the Norton firewall.
Win98 - I'll agree with another poster, virtualize it. VMWare Player is your friend. (and why is Win98 your friend too? I suppose it's not WinME ;D ) -
Re:YAY
This exact story shows why disclosure continues to be necessary. Esser failed especially at getting PHP programmers to make PHP more secure. They summarily resisted any of his efforts and suggestions, and in the end he felt isolated and antagonized. "the moment you criticize the security of PHP itself you become persona non grata" he wrote in his blog.
The sorry fact is that those assholes *have* to be forced. You *have* to beat sense into them, since apparently they are not accessible to reason.
So full disclosure continues to be the way to go.
Heise has more details on the issue. -
Re:4 bytes IS ENOUGH
As an Introduction to exploiting heap overflow, I'd recommend the following papers:
An article from heise security and a tutorial by w00w00. -
Re:Firefox
Excuse, but where did you read that FF has that exact same vulnerability?
Also, even though FF does have issues, I believe you'll be hard pressed to find a vulnerability in FF that has been known for years and still gone unfixed. (According to heise on http://www.heise-security.co.uk/news/79745 this is actually an old bug that also affects IE 6)
-
It is a joke
Security Focus is quoting Mozilla developer blogs to claim that the demo was a hoax. Don't know if the demo is a hoax or this report is a hoax. Another UK site too is claiming that it is a joke. But on the other hand thousands of newspapers and websites and blogs are claiming that Firefox is so broken it is unfixable.
-
Could this have something to do with...
...the unofficial patch that was released by independent security specialists? A bit of a black eye for MS, no?
-
Well
I had submitted the same news on the 6th but it was rejected by the editor.
http://www.heise-security.co.uk/news/77800 -
Re:This is NOT a big deal
Ehm, this text was written for the predating 2^63 way of finding collisions and should be considered rather out of date, even though the current attack is only for 64 rounds of SHA-1. Oh, and supplying the reference would also be a good idea. Kudos for reading the document and following the link though.
http://www.heise-security.co.uk/articles/75686 -
Know-How Article
For all those failing "to see a problem" or guessing about the implications: this actually is quite severe, and it doesn't just concern "broken" applications.
Heise has some fine background in their Know-How article about cracked hashes.