Domain: jammed.com
Stories and comments across the archive that link to jammed.com.
Comments · 21
-
Re:google just does everything different
I swear, it seems Google bucks every bad trend in the software/IT industry.
Here's Bruce Schneier pointing out the problems with such strategies in 1998. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.
Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)
-
Re:google just does everything different
I swear, it seems Google bucks every bad trend in the software/IT industry.
Here's Bruce Schneier pointing out the problems with such strategies in 1998. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.
Good old Bruce was writing about cracking contests.
The way TFS is phrased, it doesn't sound like Google will at any point claim "we're secure, because we paid for security bugs."
It sounds more like "we'd like to be secure. Probably we messed up somewhere. We'll try to find it ourselves, but if you help us out, we'll say thanks and get you a beer."
Bruce's rant was against companies who'd say something like "Chromium is the most secure browser ever. We are so convinced, we will actually pay for security bugs found in our code." Google's statement sounded quite different to me.
-
Old news - real, but old
From time to time they have conducted mock attacks and it has been demonstrated more than once that an external agent could destroy various pieces of equipment by ordering them to perform out of spec. And there are other weak points as well - hack into the railroads and instruct the train to deliver the coal to the wrong place, for example. But here's a story from August 13 2001 in the LA Times
For two weeks last spring, hackers wormed their way inside a computer system that plays a key role in moving electrical power where it is needed around the state. The computers belong to the California Independent Service Operator, an agency that oversees much of the state's electricity transmission grid--including the massive complex of power plants and transmission lines. Cal-ISO patched the flaw that allowed hackers to roam through portions of its network before power supplies were affected. But the episode sent shock waves throughout the energy industry.
The crux of the issue is that the system is vulnerable - recall 2003 when a single tree branch killed power across several states for a week? That is not indicative of a healthy and robust grid system. And if the system is that vulnerable to an accident what would happen if somebody with malice aforethought (and a degree in EE) decided to spice things up a bit?
Unless the utility companies make explicit plans to correct things a macro-catastrophe is inevitable. Personally I think that a solar storm is more likely than a terrorist attack but it *WILL* happen and tens of millions of people will lose their grid indefinitely (probably several years to restore full access). (I further predict that the system will be rebuilt to the old specs because it will be cheaper and easier to do it that way, flushing an opportunity to build a hardened grid).
This is your transformer. (note that this company claims to be able to repair your transformer in less than 30 weeks - that means that)
This is your transformer after a solar storm. Yes, the sun did this.
This is the transformer with which most geeks are more familiar. -
Copyright today = tool to stay rich, full stop.
There's another wrinkle to this that occurred to me recently. Some time ago, I ran across this online essay about conservativism in the US. The piece comes at the question of "what is conservativism" from a different angle than others I've seen. Read it through; it's a very interesting bit of writing. I've often been very puzzled by why various members of my family espouse politics and policies that have been plainly ruinous to them. This essay finally sets forth a convincing and understandable argument for their behaviour.
The basic premise of the linked posting is that conservativism starts from the idea that aristocracy is a good thing -- not necessarily kings and queens and dukes and duchesses, but rather an upper class, the rich, those that have enough money and power to not have to work. People further down the social ladder that ascribe to this philosophy, despite possibly being actively harmed by it, do so in the hopes that they too might some day climb high enough to be able to sit back and rely on other people to do the work.
Copyright-forever comes out of this same thinking.
So yes, certainly, current copyright law is prima facie unconstitutional, and the SCOTUS's "justification" of it as still somehow "limited", despite being retroactively extended every single time something deemed important gets close to falling into the public domain ("Steamboat Willie", anyone?), is nothing more than a bald power grab by the upper classes, the moneyed elite who are very intent on remaining the moneyed elite.
I can already hear some folks claiming I'm some sort of Commie pinko. This couldn't be further from the truth. I'm very fond of freedom, of not being told what to do, and of many aspects of a freer market. As far as I'm concerned, part of the problem in the US right now is that the market is anything but free in the places where it matters -- we have far too many state-sanctioned monopolies and oligopolies, and far too much protection of the robber-barons at the top (financial bailout packages, anyone?). Let alone all the issues that come of a locked-down information market, preventing the healthy functioning of anything resembling a real democratic republic -- a mass media that is increasingly owned by a small group of ultra-rich, that is free in name only, beholden to the same moneyed interests that already run the show...
Meh. I grew up in DC -- I only pray my inside-the-Beltway cynicism be proven unjustified.
Cheers,
-
Re:Good or bad
Sometimes the 'user mindset' gets silly. I often find our users think they're so important to the company that they're justified in doing ANYTHING, including surfing for porn in open cubicles during business hours at world headquarters with tour groups walking past. Or, more frightening, to cover up their ignorance or to short-cut understanding... blah, blah, blah.
Sure, there are roadblock powertrippers out there in the IT security field, just as there are in pretty much any security field (CIA, cops, mall security, etc.) On the other hand, there are legitimate risks out there that do have real-world bottom-line consequences. No one thinks that viruses are a big deal until you've got an entire factory floor idled because the controller's infected. No one thinks that they'll be hacked and make the news for it, but they do (Caterpillar, TJX, even security company Guidance Software, to name a few).
What gets me down about my job (yes, I'm in IT security) is not the adversarial nature of it. What really gets me is that absolutely NO ONE really wants security implemented until AFTER the company makes the Wall Street Journal for being hacked. Who gets fired on that day? Often times, it's the security people, despite the fact that they'd been trying to implement countermeasures that would have at least reduced the damage from the attack. Until your company makes the WSJ, security is overhead, a liability, a roadblock. Afterwards, they're the ones who let the barbarians through the gates, regardless of how many times the board denied funding security projects.
I used to be jazzed about IT security, but 10+ years of being told that nothing overrides the business need, and that I'm nothing but a roadblock has ground me down to the point where I'm just punching the clock and trying to figure out what career path to do next.
And to all you whiny, lazy, good-for-nothing assholes who can't remember their precious password: Can you remember where your car keys are? Your Social Security Number? Your birthdate? Your wife's birthdate? The phone number to the restaurant that delivers your dinner? The name of the girl you had a crush on in 4th grade? People remember all sorts of things when they want to, and when it's important to them. Now, think about this... if your company makes the WSJ because you set your password to Ripken09, who are they going to fire? Yeah, you're right: they'll can the poor security schmuck that's dedicated his career to compensating for stupid pukes like you, but you'll probably keep your job since there really wasn't much that could be done about the hacker anyway.
I guess there's the problem in a nutshell. The only people who care enough about security to do something about it are those who stand a chance of losing something when security fails. The vast majority of the time, the only people at risk are the security guys.
Holy crap, I just re-read that. Never realized how bitter and vindictive I've become. I got to get me a new job!
-
Re:Uhh...
That is not it. The articles I read were specifically discussing a DES mode that, when used in 3-DES with different sub-keys, had a potential weakness that rendered the resulting ciphertext no more protected than simple DES.
What you're talking about is a deliberate drop to DES levels; this is a flaw in trying to do 3 passes with DES in a certain mode that renders the results no more secure than with a single 56-bit key.
Though most of the articles indicate the theoretical attack isn't very practical (large volume attacks with known plaintext to extract the key), the total actual time is on par with single DES. The fear is that this shows a fundamental weakness that could have a more practical exploit.
Try a Google on "3des weakness". Here's a snippet from one of the links.
"The time requirements for the attacks are not much more than for
breaking single DES, but the chosen ciphertext and chosen key
requirements are the show stoppers. To pull these off, you really must
have access to the encryption process, as it is unlikely your adversary
will be a willing accomplice. But if you can get that kind of access,
you can probably get plaintext and keys by much simpler methods. Folks
like Eric Thompson at AccessData Corp. do this all the time.
Cryptographers worry about these flaws, however, as they might be
signs of weaknesses that could be exploited by more practical
means. So codes are designed to withstand even theoretical attacks
like this. The version of Triple-DES that Biham and Knudsen attacked
had already undergone several rounds of revisions to patch up
other weaknesses. One has to wonder, however, whether the quest
for a method that withstands all theoretical attacks is worth the
effort or even has an end."
That's from: http://lists.jammed.com/IWAR/1998/03/0033.html
While I don't know how reliable/trustworthy/knowledgeable that source is, all the others I've seen say similar things. Of course it's possible I'm missing something here, not being a cryptographer, but it sure looks like 3DES has, at least theoretically, issues.
My real point though was that blindly chaining ciphers has potential pitfalls that may be non-obvious, as well as adding CPU-time-consuming complexity.
Mycroft -
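The point that chaining ciphers has non-obvious pitfalls is easiest to see in the simplest chain, double encryption under two independent keys. The block below is an added example, not code from the post or from the quoted list archive, and it does not reproduce the Biham-Knudsen attack the post refers to. It uses a constructed 4-round Feistel cipher with 16-bit keys as a stand-in for "any block cipher" and runs the classic meet-in-the-middle attack against it: with a handful of known plaintext/ciphertext pairs, both keys fall out after about 2 × 2^16 cipher operations and a 2^16-entry table, not the 2^32 trials a naive "32 bits of key" reading suggests. This is the same reason three-key 3DES is rated at about 2^112 work rather than 2^168.

```python
"""Meet-in-the-middle against double encryption with a toy block cipher.

Added example, not from the post. The cipher is a constructed 4-round Feistel
network on 32-bit blocks with 16-bit keys; it has no relation to DES beyond
the structure and exists only so the attack runs in seconds.
"""
KEY_BITS = 16
ROUNDS = 4


def _f(half: int, round_key: int) -> int:
    """Toy round function: add the round key, rotate, multiply by an odd constant."""
    x = (half + round_key) & 0xFFFF
    x ^= ((x << 3) | (x >> 13)) & 0xFFFF
    return (x * 0x9E37) & 0xFFFF


def _round_keys(key: int) -> list[int]:
    return [(key + i * 0x5BD1) & 0xFFFF for i in range(ROUNDS)]


def encrypt(block: int, key: int) -> int:
    l, r = block >> 16, block & 0xFFFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 16) | r


def decrypt(block: int, key: int) -> int:
    l, r = block >> 16, block & 0xFFFF
    for rk in reversed(_round_keys(key)):      # undo the rounds in reverse order
        l, r = r ^ _f(l, rk), l
    return (l << 16) | r


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """The 'chained' construction under attack: E_k2(E_k1(p))."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Cost is about 2 * 2**KEY_BITS cipher calls plus a 2**KEY_BITS-entry table,
    instead of the 2**(2*KEY_BITS) trials of brute-forcing both keys together.
    """
    (p0, c0), *rest = pairs
    # Forward half: every possible middle value E_k1(p0), keyed by that value.
    table: dict[int, list[int]] = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: D_k2(c0) must land on one of those middle values.
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            # One pair leaves ~2**(2*KEY_BITS-32) false candidates; the extra pairs weed them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                return k1, k2
    return None


# Constructed demo: keys the attacker does not know, and three known pairs.
SECRET_K1, SECRET_K2 = 0x1234, 0xBEEF
KNOWN_PLAINTEXTS = [0x00000000, 0xDEADBEEF, 0x0BADF00D]
KNOWN_PAIRS = [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in KNOWN_PLAINTEXTS]

if __name__ == "__main__":
    print(meet_in_the_middle(KNOWN_PAIRS))   # -> (4660, 48879), i.e. (0x1234, 0xBEEF)
```

The table is the whole trick: memory stands in for the second key's search, so chaining two n-bit-key ciphers buys roughly one extra bit of security, not n. Triple encryption moves the meeting point so that one side of the table has to cover two keys, which is why 3DES uses three passes rather than two.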
Doesn't ring right to me.
Honeypot Proxy
By August 5th the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server -- a host that would pass through Web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.
Something doesn't quite ring right about this, apart from the obvious entrapment of the proxy. If his penetration of the T-Mobile system was as comprehensive as suggested, then why would the cracker access the system via the public "My T-Mobile"? It simply doesn't make sense unless he's simply picked it up as a lone username/password, and been socially engineered into using it.
The 'Hacker' also made little or no serious attempt to cover his tracks; his IRC handle can be readily linked to his name, physical & email addresses and CV here, as disclosed by the article.
The Mutual Legal Assistance Treaty with the Russian Federation is apparently publicly available.
My guess is that Myth is really a handle for Peter Cavicchia, the ShadowCrew is and always has been a secret service entrapment operation for script kiddies and wannabes. -
Re:His Resume is posted online!
http://lists.jammed.com/securityjobs/2001/09/att-0059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt
Clicky... AC, so no karma whoring for me.
:-) -
Yup... more info here
I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.
Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".
http://www.webmasterworld.com/forum39/1435.htm
http://lists.jammed.com/incidents/2003/08/0369.html
http://www.derkeiler.com/Mailing-Lists/linuxsecurity/2003-08/0002.html
The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.
-
AppleCat
I remember reading something years ago about how you created the first modem device for the Apple ][. It featured not only Bell 103 communications, but also a whole slew of "phreak tools", including the ability to do just about every blue/black/red/etc box set of tones imaginable. I believe for some reason you weren't allowed to follow through with the production and sale of this device, because it was just too powerful in the hands of a phone phreak. Many of these capabilities, however, appeared later in the Novation AppleCat modem.
My question is, am I correct in that your device never made it out of the door? Additionally, did it become, or did you have any part in the legendary AppleCat modem? What was the full feature list of your device, and how did it compare to the later AppleCat modem?
For those who don't know what a Novation AppleCat modem is, you can check out this site for more information.
-
Reported on VULN-DEV 19 months ago
Justin Ellison posted a message on the VULN-DEV mailing list called How I turned my cable modem into a sniffer on May 1, 2001. The discussion was originally called "Hijack IP Address using cable modem", so all of this has been known for over 19 months.
DOCSIS cable modems have many functions accessible through SNMP. The built-in firewall could be interesting - you could send out a new firewall rule blocking access to a specific site or port (or all sites) to thousands of users, then firewall the SNMP port so the ISP can't easily fix it.
To find the IP of your modem, you can:
- see if it appears as the first hop in a traceroute (but usually it doesn't, the first hop is often the CMTS)
- watch ARP/DHCP broadcasts, looking for the MAC address of your modem (usually printed on the modem somewhere)
- ping -b 255.255.255.255, and see which computer replies (I couldn't figure out how to do this on Windows)
- see if your ISP has a domain for the modems - my ISP had hostnames like x1-AA-BB-CC-DD-EE-FF.modems.isp.net for each of the modems, where AA-...-FF was the MAC address (I found out about this domain by watching DHCP packets)
- social engineering (if you can find someone who even knows what an IP address is), or ask a friend who works for the ISP
Try "public" or "private" for the SNMP community strings. If that doesn't work, download the config file from your modem's TFTP server (you might need to spoof an IP in the 10.x.x.x range), and it should contain the correct strings. The address of the TFTP server is usually mentioned in DHCP replies to the modems.
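As an added example (not from the original post) of what the last step looks like once the config file is in hand: DOCSIS 1.x config files are a flat run of one-byte type, one-byte length TLVs, where type 11 carries a BER-encoded SNMP VarBind that the modem applies at boot, and the read/write communities normally land in docsDevNmAccessCommunity (OID 1.3.6.1.2.1.69.1.2.1.4.<row> from DOCS-CABLE-DEVICE-MIB). The parser below walks the TLVs, decodes each VarBind and pulls out those strings. The sample config bytes are constructed inline, and its zeroed MIC TLV is a placeholder, not a valid integrity value.

```python
"""Pull SNMP community strings out of a DOCSIS 1.x modem config file.

Added example, not from the original post. Assumes the layout from the DOCSIS
RFI spec: a flat run of type(1 byte)/length(1 byte)/value TLVs, where type 11
carries a BER-encoded SNMP VarBind and type 255 ends the file, and that the
communities are provisioned through docsDevNmAccessCommunity
(1.3.6.1.2.1.69.1.2.1.4.<row>) from DOCS-CABLE-DEVICE-MIB.
"""
from typing import Iterator

TLV_NET_ACCESS = 3
TLV_CM_MIC = 6
TLV_SNMP_MIB_OBJECT = 11
TLV_END = 255
COMMUNITY_OID_PREFIX = "1.3.6.1.2.1.69.1.2.1.4."   # docsDevNmAccessCommunity.<row>
BER_SEQUENCE, BER_OID, BER_OCTET_STRING, BER_INTEGER = 0x30, 0x06, 0x04, 0x02


def iter_tlvs(blob: bytes) -> Iterator[tuple[int, bytes]]:
    """Walk the top-level TLVs; stops at the end-of-data marker."""
    pos = 0
    while pos < len(blob):
        tlv_type = blob[pos]
        if tlv_type == TLV_END:
            return
        if tlv_type == 0:                      # pad byte, carries no length field
            pos += 1
            continue
        length = blob[pos + 1]
        yield tlv_type, blob[pos + 2:pos + 2 + length]
        pos += 2 + length


def _ber_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at pos (short or long form); returns (length, next pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]       # first byte packs the first two arcs
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_varbind(vb: bytes) -> tuple[str, int, bytes]:
    """SEQUENCE { OBJECT IDENTIFIER, value } -> (oid, value tag, value body)."""
    if vb[0] != BER_SEQUENCE:
        raise ValueError("not a VarBind SEQUENCE")
    _, pos = _ber_length(vb, 1)
    if vb[pos] != BER_OID:
        raise ValueError("VarBind does not start with an OID")
    oid_len, pos = _ber_length(vb, pos + 1)
    oid = decode_oid(vb[pos:pos + oid_len])
    pos += oid_len
    tag = vb[pos]
    val_len, pos = _ber_length(vb, pos + 1)
    return oid, tag, vb[pos:pos + val_len]


def find_communities(config: bytes) -> list[str]:
    """Return every docsDevNmAccessCommunity string set in the config, in file order."""
    found = []
    for tlv_type, value in iter_tlvs(config):
        if tlv_type != TLV_SNMP_MIB_OBJECT:
            continue
        oid, tag, body = decode_varbind(value)
        if tag == BER_OCTET_STRING and oid.startswith(COMMUNITY_OID_PREFIX):
            found.append(body.decode("ascii", "replace"))
    return found


# --- encoder side, used only to build the constructed sample below ----------

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base-128, high bit set on all but the last byte
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def ber(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form length only; enough for config-file values"
    return bytes([tag, len(body)]) + body


def snmp_tlv(oid: str, tag: int, body: bytes) -> bytes:
    varbind = ber(BER_SEQUENCE, ber(BER_OID, encode_oid(oid)) + ber(tag, body))
    return bytes([TLV_SNMP_MIB_OBJECT, len(varbind)]) + varbind


# Constructed sample of what a TFTP-fetched DOCSIS 1.0 config might contain.
# The MIC is zeroed here; a real file carries MD5-based integrity values.
SAMPLE_CONFIG = (
    bytes([TLV_NET_ACCESS, 1, 1])                                    # network access on
    + snmp_tlv(COMMUNITY_OID_PREFIX + "1", BER_OCTET_STRING, b"public")
    + snmp_tlv("1.3.6.1.2.1.69.1.2.1.5.1", BER_INTEGER, b"\x02")     # row 1 access: read
    + snmp_tlv(COMMUNITY_OID_PREFIX + "2", BER_OCTET_STRING, b"c0ax-rw-2003")
    + snmp_tlv("1.3.6.1.2.1.69.1.2.1.5.2", BER_INTEGER, b"\x03")     # row 2 access: readWrite
    + bytes([TLV_CM_MIC, 16]) + bytes(16)
    + bytes([TLV_END])
)

if __name__ == "__main__":
    print(find_communities(SAMPLE_CONFIG))   # ['public', 'c0ax-rw-2003']
```

Two caveats a practitioner would want: the config is served in the clear over TFTP precisely because DOCSIS 1.0 has no transport protection for it, which is the whole reason this works, and later DOCSIS revisions can provision SNMPv3 through other TLVs, in which case there is no community string to find in a type 11 object at all.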
-
Re:5 years? You are an optimist
I believed the junk fax analogy was an avenue of hope until about April this year, when a U.S. court ruled that the ban on junk faxes violated the First Amendment. See this Politech post. And fax.com is back in business; check their site.
-
Countersue!
This is a typical case of frivolous lawsuits. There are, unsurprisingly, rules against this. If anyone actually fights it out in court, I expect that the Court would in fact grant attorneys fees to Google or the other defendants/counter-plaintiffs, as they have done in other cases. There is precedent for this which is binding in California.
In fact, some courts would consider this a SLAPP case (Strategic Litigation Against Public Participation), trying to restrict the free speech rights of the critics of the web site. Anti-SLAPP suits are great because attorneys fees are automatically granted if you win.
The problem is the up-front cost of litigation. Unfortunately, there is nothing that can be done until at least one case goes through the courts. BUT, in the past, some people have been prevented by judgement from suing anyone else, because they were "court abusers." Hopefully this will happen to Mr. Novak.
Oh, and if Slashdot is sued, I'd be happy to help with the defense. I'm no litigator, but writing the reply brief to this would be entertainment, not work.
Thalia -
good points
I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of its title and because of who was giving it. I know most of the people involved in this.
As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.
Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.
This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.
The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".
There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, its profits which it expropriates from the surplus labor time of its workers, its frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from its software and hardware security, to its onstaff security, to the state security apparatus, that maintains and continues its existence. Most of the computer community is repulsive to look at, but at least there's some hope. -
Novation AppleCat ][ Link
-
Re:I miss my AppleCat.
I used to run a Cat-Fur BBS called the Psychodelic Cat-Fur (409). The Novation AppleCat ][ was an amazing modem for its day and had features you don't see on current modems. The thing was a phreaker's dream. It could produce any tone you wanted from a couple lines of AppleBasic. But my favorite feature was voice synthesis. I used to prank call with my Apple //e using that ability -- it had a handset so you could listen in. What would freak out a farmer more than a computer generated voice warning from the US Agriculture Department that a biblical swarm of locusts are descending upon Southeast Texas? 14 was so cool.
:P -
We need to define the crime a worm writer commits
First, the "WiReD" article confuses worm - a program or process that propagates itself to a different computer, usually via some networking protocol, and chainmail - an email message that requires human intervention to automatically send out more email messages, usually containing the same or slightly evolved chainmail. WiReD should straighten up its vocabulary on this issue, they do no service to anyone confusing the two.
Second, the techniques used by both chainmail and worms are all used by legitimate scripts, programs and emails. How does law enforcement propose to declare one email message a crime, and another legitimate? And I don't mean "Let's ask some expert like Graham Cluely."
Sure, an IIS worm like Code Red usually uses some initial exploit, like overflowing a buffer in an IIS module or service or plug-in or whatever the MSFT lingo is, but Nimda used a variety of techniques built in to IIS, "shares" and Outlook. The variety of Outlook worms (Anna Kournikova, Nude Housewife, etc etc) and even the CHRISTMA EXE chainmail of 1987 used entirely legitimate techniques built in to Outlook and other email viewers. The 1988 Internet Worm used both legitimate techniques (BSD "r" commands that didn't require a password) and exploits like "fingerd" buffer overflows. How do we define the crime - "I didn't authorize this use of Outlook" really doesn't amount to a way to decide whether or not a particular program committed a crime. Similarly, worms like x.c get telnet servers to crash in particular ways when they spread. Gee whiz, a network server process crashes! That's news, for sure. I guess that hasn't happened to me since yesterday. How do we make one instance of a crashed program a crime, and another instance into a bug report?
-
info: security distributions & resources
see the Linux Weekly News' Security page for information on Linux security projects which are already under way:
Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux
Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive
Distribution-specific links
Caldera Advisories
Debian Alerts
Red Hat Errata
SuSE Announcements
Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal