Domain: insecure.org
Stories and comments across the archive that link to insecure.org.
Comments · 492
-
Re:Microsoft actually made some efforts in SP2
TCP data cannot be sent over raw sockets.
Which is lovely so long as you aren't using tools like nmap, in which case you're screwed.
But hey, SP2 was always going to break some apps - MS couldn't please everyone, and if tcp sends over raw sockets was being abused by lots of malware and a handful of useful tools, well...
-
Re:Two things
I'm sorry, but you are starting to get on my nerves.
If you wish further discussion with me, please keep in mind the old debate maxim, "soft to the man, hard to the matter".
Also, you would do well to investigate the "decoy scanning" options, -D, before starting a tirade like that.
-D: Causes a decoy scan to be performed which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
[...]
Also note that some "port scan detectors" will firewall/deny routing to hosts that attempt port scans. The problem is that many scan types can be forged (as this option demonstrates). So attackers can cause such a machine to sever connectivity with important hosts such as its internet gateway, DNS TLD servers, sites like Windows Update, etc. Most such software offers whitelist capabilities, but you are unlikely to enumerate all of the critical machines. For this reason we never recommend taking action against port scans that can be forged, including SYN scans, UDP scans, etc. The machine you block could just be a decoy.
Since the entire argument is right there in the nmap documentation, if you do not take my word for it, take Fyodor's. I assume he is "network savvy" enough for you?
I don't mind being corrected, but beware that arrogance and ignorance make a poor match.
-
Here is a workaround
I hope to have a patch restoring functionality within a couple days, but a workaround is available now. Try adding the --win_norawsock option to your Nmap command-line. That tells Nmap to avoid raw sockets and use the workaround that Nmap uses for systems like Win98 that never supported raw sockets in the first place. Several people have confirmed that Nmap works again for them now, as long as they use that option.
While I commend Microsoft for some of the real security improvements in SP2, limiting raw sockets like this is misguided and harmful. As this workaround shows, there are still plenty of loopholes for sending packets. If that continues, worms and virii will simply use the same techniques. Alternatively, if MS continues to cripple Windows until security scanners can't function, Windows users lose as well. While they won't be able to scan their own systems and networks for vulnerabilities, attackers on superior systems will suffer from no such limitations.
MS should focus on securing the system against compromise in the first place (through more timely patching, limiting services available by default, code auditing, privilege separation, etc.) rather than crippling the system for legitimate users. Linux and *BSD offer full raw sockets, and yet they haven't become the haven for viruses and worm propagation that Windows has.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
-
Re:Port knocking and some added ingredients
The problem I see with OS fingerprinting is the assumption that certain OSes are running certain (vulnerable/potentially trojaned) applications. I don't think you can safely make those assumptions.
While the method you mention is one way of fingerprinting, most modern tools use a more sophisticated approach. Here is a fairly simple explanation of some of those methods if you're interested.
-
Re:Better but not foolproof
As long as I don't run things as root (which I never do), the most that will ever happen is that one user will be trashed and everything else will be fine.
Maybe in a perfect world. But in reality there have been plenty, and will always be more, exploits that allow a normal user to gain root access. Or in this case, that will allow a virus running with normal user rights to run with root's rights.
-
Must Be Nice...
Wow, that's a whole lot of money those guys are making. I guess it really does pay to sue everyone, and buy off lawmakers to pass a whole bunch of insane laws, and basically be a dick.
Meanwhile, I'm a small independent movie producer, I don't back the MPAA, region encoding, or CSS. I am even a big supporter of fair use... and I can't even get a booth at a hacker convention. But don't worry, the guys who advocate downloading my film over buying a copy got a space...
Don't get me wrong, on my website we pretty much encourage people to download our film, because the way things are going, we don't have any other means of distributing it. But I love how everything is about the P2P networks versus the Hollywood Big Boys. You know, there are still independent movie producers out there... we just don't get any attention from anyone. I guess the only way you get noticed anymore is if you make a big scandal about how Disney won't distribute your flick...
I think I'll go see if the MPAA is hiring...
-
Re:Looks very useful at first glance
You might also be interested in "netstat -an" and nmap
-
Re:An important difference
compilers! you can't program sh*t on a windows install without buying separate software.
You're a bit out of date. You can download Microsoft's C++ compiler, as well as the "Express" versions of popular Visual Studio projects, V++/VB.net/C#. And of course you can get copies of all the OSS compilers for Windows.
games, not just freecell and solitaire
There are far more freeware and shareware games for Windows than Linux. DXball and Tetrinet come to mind. Of course, these days you have to look out for spyware in anything executable.
real networking tools, such as nmap, a variety of firewalls, heck the list is too long to begin here
nmap? Windows has a variety of firewalls as well.
a powerful command prompt for expert users
Cygwin.
You said "if you ignore windows ports of GNU applications", but if you ignore GNU applications on both OSs, Windows is clearly superior. "If you ignore a certain class of applications on X, Y is better" isn't much of an argument.
-
Re:How to spot what is happening
Another good rootkit checker, which seems to have a more active development cycle, is Rootkit Hunter. Here's a Newsforge article on it, with a few more details.
A few other comments:
Virus scanners won't help one jot against a custom hack (as Valve found out, for instance). They can be helpful, but don't put full reliance on them.
Running an Intrusion Detection/Prevention System such as Snort, Samhain, Prelude, etc. will help you manage the monitoring side of things; more than a few machines becomes a pain without additional help. Also take a look at centralising all your logs on a syslog-ng server or something similar, if you don't already (note that there are various solutions out there to get Windows boxes to log to a syslog server).
A honeypot may distract the hacker from your production servers for long enough for you to identify that there's a problem.
Also take a look at "HoneyTokens": specifically created database records that trigger alarms if they're accessed - usually high profile fictitious targets that would make excellent trophy hacks - there's more info on this over at SecurityFocus.
If you suspect that a machine has been compromised, as others have said, the ONLY WAY TO BE SURE is to rebuild the box from scratch. While this may be a real pain, hopefully it'll help you get the procedures in place to make this as painless as possible, so it's not all bad.
Perform security audits/pentests every now and again. Tools like Nessus help: here's a good series on using Nessus (part 2, part 3).
Get familiar with security tools such as the top 75 recommendations at Insecure.org (home of Nmap).
Remember that security is a PROCESS, so be thorough; get an entire plan together and cover all the bases that you can, taking special care to identify and cover the weak points. Your company's security is only as good as its weakest link; for instance, privilege escalation of weak user account passwords is a good one.
Read SecurityFocus, PacketStorm, CERT and the like, and try to get involved in their communities; they can be invaluable! They've also got a lot of good tutorials, such as how to lock down Apache, IIS; securing PHP, ASP; etc.
-
Nmap Link, and a vote for Mutt
Don't forget a link to the Nmap Security Scanner.
Back on topic, my favorite console app is the Mutt E-Mail Client. Who can argue with the powerful searching and flagging, lightning-quick interface, integration with dozens of UNIX editors, encryption tools, and the like, as well as the security and accessibility benefits of a text-based UNIX mailer?
-
Console is ruled by OS, editors, and code
A quick check through my history, and a look at open terminal windows, tells me that most of what I do with the command line is directly related to what I would consider the Operating System. I see a ton of ls, cd, more, dig, tar, gzip, etc. I also see myself using ssh to do OS-type things on other *nix machines. The second place for frequency, though probably first for amount of time using, goes to all of those vim sessions. Lastly, I see a lot of Perl and gcc.
Essentially, I don't use a lot of newly developed tools - or even, for that matter, tools that are still being heavily developed. I don't use the command line to browse, and I don't use it to check mail (though there are a few pines in there). The core of my user experience still feels like it's commands, but in fact, the mindless things that take most of my time are done in a graphical environment (like typing this post). The only tools I see myself using that aren't older than me are tools used for security work (a wonderful list of which you may find here), and the occasional bout of StreamRipper.
Somehow, after this post, I feel less like a console jockey than I thought I was. A better question might be: what do console users need?
-
The Case For Eliminating VoIP
VoIP has had a short and patchy history. In fact, it has been argued by some of the Internet's most respected architects that we may be better off without it altogether!
Remember,
- VoIP requires H323 and other setuid scripts, potentially opening your network to crackers.
- The internet was simply never designed for realtime interaction, and post-hoc hacks won't make it realtime: instead the system would probably have to be redesigned from the ground up using realtime-XML.
- VoIP completely bypasses the government's anti-terrorist infrastructure, which depends on intercepting phone calls arbitrarily: it is estimated that each percentage point of calls which are transferred to VoIP will result in 600-800 American deaths per annum through terrorism
-
Re:OS X Server part of FreeBSD count?
Nope, OS X can be distinguished by its TCP/IP fingerprint from FreeBSD.
Most of the time even minor version can be determined using this technique.
Use NMAP to discover ...
-
Re:I don't understand
You will have to rely on the programmers of your O/S - they take care of it. This is a fix for a specific kind of buffer overflow, and something that has been present on some non-x86 architectures (Sparc, Alpha) for some time.
This is primarily used to stop 'stack smashing' buffer overflows where the initial code that is executed is part of the overflowed buffer on the stack. Read this and imagine that you can't execute the shellcode that you have placed onto stack memory via the overflow.
-
Re:Smoothwall
obscure ports like 39492 (not the one I actually use, wouldn't want to give away my top secret network secrets!),
Using obscure ports doesn't really matter anymore... All I need is a recent version of nmap, and I can find out what services you're running and what ports they are on :)
-
Re:heap overflows -- how does this work?
It's not really at some "unpredictable" place.
l0pht article
-
More
This is a great idea, but there's not a great deal on there. I've been making up CDs full of free and open source Windows software for a couple of years now, which (along with Knoppix and Toms) prove to be extremely useful. Here's just some of what's on there (note that some of the links don't actually point to the Windows version of that software; you might need to dig around a bit):
- Abiword - Word processor, supports .doc, .rtf, GPL.
- Open Office - Whole Office suite, including a database frontend and BASIC macro language.
- Perl - Scripting language
- Python - Scripting language
- Cygwin - UNIX emulator. Can create Windows programs, reliant on a cygwin1.dll.
- MinGW - Port of some of the UNIX utilities (BASH, gcc, vi...) to Windows.
- djgpp - UNIX emulator for DOS.
- Mozilla, Firefox, Thunderbird - Web browser, e-mail client, IRC client, lots more.
- Filezilla - FTP client.
- xchat - IRC client.
- putty, pscp, psftp and others - Telnet/SSH clients.
- Gaim - Client for IRC/Yahoo/MSN/ICQ/AIM and more.
- gzip - Compression (usually better than .zip).
- tar - Extracts/Makes tar archives.
- bzip2 - Totally ace compression (usually better than gzip).
- Info-ZIP - Support for .zip. Good free substitute for Winzip.
- 7-zip - Support for multiple compression formats.
- frhed - Hex editor
- Ext2fs - Several programs for doing Ext2 under Windows.
- Antiword - Converts documents out of the proprietary .doc format.
- MySQL - RDBMS.
- Apache - Web/Proxy server
- sendmail - Mail server
- squid - Proxy server
- freeamp - Audio player
- winlame - MP3 encoder
- cd-ex - MP3/OGG encoder?
- gimp - Very detailed graphics program.
- imagemagick - Graphic manipulation. Provides the 'convert' utility under UNIX.
- freeciv - Civilisation clone.
- gnuplot - Plotting package.
- TightVNC - A fork of VNC, with enhancements.
- RealVNC - The original VNC.
- rdesktop - Access Windows Terminal Services and Remote Desktops.
- Nmap - Well known port scanner.
- John the Ripper - Password cracker. Does NT and MD5.
-
John the Ripper
Last July I installed John the Ripper on my home firewall. John is a password cracker, something like crack and l0phtcrack. I wanted to see how vulnerable my own passwords were.
From what I can tell, John runs a dictionary-based attack against your master.passwd file, then runs the dictionary with various shifts in capitalization, then runs the dictionary again with an assortment of numeric digits inserted into its guesses.
Finally John just runs a brute-force attack, generating passwords with successively longer and longer lengths until it lucks out.
In my case John finally did luck out, finding one of my passwords after 18 days of crunching numbers. This particular account had a relatively weak password -- though no dictionary attack would have found it, it was still only five bytes long. That's a wakeup call for me. I've been using shorter passwords for years, thinking that by avoiding common words I was safe. But I can see that they're breakable now.
It's one thing for someone to preach that you should really have longer passwords; it's quite another to see it for yourself. If your passwords are easy to guess, or are variants of dictionary words, or can be generated easily by brute force -- there are widely available tools that can give the keys to the city to any lowlife that wants into your machine.
Run one of the password crackers on your own system today, and become enlightened! And don't be comforted by the 18 days it took to crack my easy five-character password on a 300MHz Celeron notebook: there's also a distributed version of John the Ripper that divides up the work of cracking your password file among many computers.
The more I learn about security, and the tighter I make my systems, the more afraid I am. If you aren't afraid, you are either very very good at what you do -- and I humbly bow before you -- or you haven't much of a clue.
-
Re:foof? - They probably are talking about this...
This is probably what they are talking about:
Intel "f00f" Pentium bug
Never tried it out.
Don't know if it still works with the Pentium 2, 3, or 4.
Is anybody willing to verify that this 'bug' still works for the Pentium 2, 3, and 4s?
-
Re:My First 10...
I agree about 7-Zip, except that it doesn't do multivolume archives - it'll extract RAR multivolume, but cannot create them.
As long as I'm posting, here goes my top 10
Windows (after all the patches, of course)
- Firefox (or whatever its name is during the week of the install) (also MyIE is sort of neat)
- Latest version of Outlook (usually as part of Office - gotta have email, but GOTTA take the plunge and transition to a better email client...)
- Putty
- WinAmp
- PowerDVD
- Yahoo Messenger (it's sad, but I still like it better than GAIM et al...)
- WinSCP
- Windows Privacy Tools
- Adobe Acrobat Reader
- BNR2
- EverQuest!
Linux
Nothing! RedHat (Fedora) comes with all I need. Though the programs I update right away (and use most often) are:
Ok, so TinyProxy isn't part of the base install. Whatever.
That's about it. I don't really use Linux as a primary machine, and I rarely use the graphical interface on it. On the Windows box I will also usually install a better editor, though it changes about every install. WinVIM is my current choice. And of course, the latest codecs for QuickTime Alternative and XViD.
-
First 10 on a unix box (Solaris/Linux mainly)
Here are my first ten on my unix workstation:
- OpenSSL - support program
- OpenSSH - connections in and out
- Mutt - email
- nmap - scanning tool
- libpcap - support library
- Ethereal - network sniffer
- mtr (Matt's TraceRoute) - trace problems
- whois (ARIN compatible) - find where the problems are
- tf (tinyfugue) - BBS client
- mangband - multiplayer ascii game
-
Linux essentials
I always install Fprot antivirus, ethereal, nmap, and gftp. Installation of linux isn't complete without these tools. I use Nmap to test the firewalls on my network, Ethereal to look for unwanted traffic or communication problems behind my router, and gFTP is a nice GUI FTP client that never seems to come with default installs. Although Linux isn't as susceptible to virus and trojan issues, it's nice to at least have a scanner available.
-
Re:Wait, do we respect Gibson now?
Wouldn't say this was a troll at all, just a fair comment about a man with a massively over-inflated opinion of his capabilities:
Remember the time he 'invented' TCP SYNcookies six years after they were actually created? To be fair to him, his SYNcookies proposal wasn't the same as what had already been suggested - his had some pretty major omissions that made it unworkable.
Or the time he predicted the end of the Internet with the introduction of raw sockets into Windows XP, or earlier because of Code Red?
If one is supposed to be doing a firewall test then a *proper* port scanning utility such as the excellent nmap should be used, rather than a tool on the website of a known netkook.
-
Ethereal, nmap, nessus
It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
- nmap for basic port sniffing.
- nessus for more extensive security sweeping.
- ethereal for packet capture & analysis.
- snort for intrusion detection.
- magnum marine for spammer management (I feel a mod-down comin on!)
I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).
-
Re:Knock Knock?
Hhmmmm... I wonder when something like nmap will start attempting to do port-knocking to scan for open ports?
-
Here is the URL
You must mean the Nmap Security Scanner.
-
I have used LAS...
... and I liked it. So did a coworker, who then stole it. There's irony in there somewhere...
Some other good Security LiveCD distros are Knoppix STD and P.H.L.A.K. But I mainly use Knoppix (which also has kismet and nmap), and when I want speed, SLAX is very good.
-
Other Useful Utilities
-
Re:Ethereal
I'm honestly a little surprised that a network admin (as the author claims to be) would post this question.
Sure, he may be aware of ethereal/tcpdump, but why should he assume these tools suit his particular situation better than others (that he may be unaware of)? I, for one, read this thread to find out about new or obscure tools. I remember being surprised by a few entries in this list a year ago, and I am sure an updated copy would have a few more entries that I haven't heard about yet.
-
Insecure.org Tool List
A comprehensive listing that has been some years in the making can be found at Insecure.org.
I found this page, created by the famous and brilliant Fyodor (of nmap fame), to be a truly indispensable resource when I first began to be interested in computer security.
Hope this helps!
-pararox-
-
SCO support
SCO OpenServer support updates. X11R6.7 now works on Release 5.0.7...
Wouldn't it be possible that X.Org follow nmap's stance on licensing their software?
That would force them (SCO) to use the regular/former version of XFree86 instead of one that might bring more promises and contributions. That would also be an interesting trend to follow.
-
Re:Sure...
Even includes nmap training, where by 'training' I mean 'obviously reading a script off an iBook and then masturbating for no reason'.
Try not to kill Fyodor's server.
-
Re:Here's basically what has happened
Here's a kicker: when a security audit was planned for one of the machines, DOI pulled the plug when they knew it would be getting scanned!
Without knowing the rules of engagement, I'd say this sounds totally justified, based on the apparent equation of "security audit" with "scan". A lot of the bozo "security auditors" who rely on scanning (because it's cheap) instead of actual auditing don't bother to secure the traffic between their company's network and the target of the scan. Meanwhile, they may require you to poke a big hole in your perimeter just to let their scan in. Consequently, any vulnerabilities in the target system get exposed to any observer on the network path. In these cases, it's better to pull while the idiots scan, report the idiot to your local inspector general, and then do the audit yourself with the scant funds left over after the idiots (still) get paid.
Furthermore, pulling the system in advance of the scan may have been the prescribed response to detecting the scan's imminence based on IDS logs or other activity. Again, we need to know the actual rules of engagement to know whether the admins were avoiding their duties or fulfilling them.
Auditing security is a lot more complex than running nmap or Retina. Doing it properly is expensive and time-consuming, and involves understanding the system and network architecture, mapping out trust relationships, logging into systems and auditing their patch levels and network and process profiles, groveling through code, possibly lots of it, possibly incoherent and uncommented, etc. Too many vendors want to come in with scanners and charge a queen's ransom for a couple of hours of real work, without providing any real security.
-
Re:not just a Linux user
if so, we know that he wasn't using Nmap 3.50
-
In unrelated news....
HOLY CRAP! From the SCO Website!
Feb 27, 2004
For immediate release:
SCO Group of Linden, Utah announced the first end-user lawsuit designed to further their SCOSource program to get people to properly license SCO IP currently being distributed in Linux. SCO has filed suit against the owners of insecure.org who, according to Netcraft, are running Apache/Linux.
Asked for comment, SCO Group CEO Darl McBride responded: "It is a terrible day when IP owners have to resort to a lawsuit to protect their valuable IP interests. insecure.org had months to do the right thing and respect SCO IP by signing up for our SCOSource program, but they blatantly ignored our generous offer. It appears that the only option left open to us is to take our case to the courts where we will ultimately prevail. So, it is with great sadness and regret that the SCO Group announces this lawsuit, because we don't do business this way. It just goes to show you how far these IP terrorists will go to destroy the valuable creations of hard-working Americans. Nobody likes a lawsuit, but we have a right and a duty to protect ourselves and the Constitution of the United States from the evil axis of IP destruction that is the Open Source community."
-
Dorky GPL question:
When I checked out the NMAP link, I eventually clicky-clicky-clicky'ed over to the insecure.org homepage and saw (about halfway down) that part of the source for NMAP was featured in the movie Battle Royale.
So, this got me thinking: Since NMAP source is GPL, does its inclusion in Battle Royale make the movie a derivative work and therefore also subject to the GPL?
Just thought I'd ask, because I don't think that - other than the DeCSS case - anyone's ever mentioned this possibility.
-
Background Info and History of Fyodor
Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.
The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.
*Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.
Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that he was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.
Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.
This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.
First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.
Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.
Fyodor proceeded to take hours' worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.
Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.
After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.
So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of questions given to Fyodor in the interview don't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have -
Background Info and History of Fyodor
Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.
The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.
*Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.
Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that we was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.
Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.
This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.
First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.
Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.
Fyodor proceeded to take hours worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.
Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.
After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.
So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of questions given to Fyodor in the interview don't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have -
Background Info and History of Fyodor
Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.
The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.
*Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.
Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that he was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.
Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.
This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.
First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.
Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.
Fyodor proceeded to take hours' worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.
Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.
After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.
So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of the questions given to Fyodor in the interview doesn't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have -
Microsoft has some information about this.
The best link you could possibly find:
- Simon's Win32 Cheat-Sheet - Written by a Unix fan who moved to Windows when he started working for Microsoft.
- PuTTY - Probably the best Windows telnet / SSH terminal.
- Nmap - yes, there's a Windows version of this port scanning / network security tool
- Windows XP Powertoys - the TweakUI control panel toy is probably the most valuable - it lets you set up X-Window-like focus that follows the mouse
-
This is fascinating. Plz post more
-
Re:The Complete Solution:
-
Re:Nessus
yah! we are all a happy family again.
Kids, use many tools. Here's a good list to start with. -
Re:I dunno
you bring up an SSH prompt and then start banging away at keys and the password is always something like 'password', 'opensesame'
Naw dude, you set the password to "Z1ON0101".
-
Ping of death
It's heartwarming to see that the ping of death lives on.
-
Re:wasting your time? be professional!
Well, if they did want to, there are a number of ways for them to try to figure out what OS you are running. If you search google, you can find a number of articles discussing techniques for doing this. For example, a very quick search yielded this info at insecure.org.
I am not sure how they could tie dynamic IP addresses that may be running Linux to the actual user (name, address, etc.), but I am sure if we looked, we could find a way. I would think static IPs would not be much of a challenge, especially if they were tied to a domain name (it would then be a 'no brainer').
But perhaps there is not enough money in the small fry to warrant SCO doing this. And if they try an 'RIAA', maybe if the various defence funds set up by IBM, Redhat, etc. were opened up to help the little guys, then I would think the return on investment (cost of lawyers versus the money they could get from a home user) would be so low as to not be worthwhile.
Mind you, given that IBM and Redhat, etc. are not likely to expand their net to back home users of Linux, and also given SCO's history, this could happen. Given SCO's history, unless there is something we are not seeing, they are already going after something with a negative return on their investment: suing IBM without seemingly a leg to stand on.
-
Re:It depends on who you ask...
A quick nmap of the default BitTorrent port (6881) on the class D I'm on (80.177.207.*) reveals twenty-five ports in state: filtered. According to iana this port has no formal assignment, so it is fairly safe to assume that these 25 out of an address space of 255 are running BitTorrent. On top of this, my own IP shows this port as closed (I'm behind a router), so there may be even more. Now, all credit to Bram Cohen for devising the best way to shift Linux .iso's around, but how many people actually use it for that? -
May be but ...
There is still no substitute for good (that is, with security in mind) programming practices. And of course readily available information about vulnerabilities.
I think it matters not that much if you have 90% of boxes on the net running Windows (God forbid, really!) and 10% "others". Or it breaks down a different way. Nmap does a very good job identifying the remote operating system nowadays. So for a persistent and dedicated cracker it should not matter that much if you have a "monoculture" or a big variety of OSes. The only difference, I think, would be that in a "monoculture" environment script kiddies would be more successful.
-
Re:Well...
Yes, at least early 2.0 kernels were vulnerable to the (in)famous Ping of Death
-
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high-risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS's actively exploited holes vs another OS's potential vulnerabilities. In the time it took to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house.