Slashdot Mirror

That's even funnier than it might appear to be at first glance, given that they already outsourced it to l0pht.

Every single one of those, requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Good point. I guess that this never happened because of the tight limits put on app capabilities.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Ah, the old "That vulnerability is completely theoretical" defense. It worked so well for Microsoft in 1992, and it's still working for Apple today.

I actuall googled for L0pht - seems they are still around!

http://www.l0pht.com/ This page last updated
on March 24th, 2011

Where else would we expect to find them? LOL

@stake used to be "l0pht heavy industries", a nifty little group of hackers toying around. (www.l0pht.com) Now they're all business. Lame. "What happened l0pht? You used to be cool."

Nope, no crack smokin' tonight. Their old site www.l0pht.com still forwards to @stake. But I'd say it's not just their company name that changed.

When the L0pht group (now working for @stake) claimed in a Government Affairs Committee in May 1998 that they could make the Internet "unusable" in 30 minutes, they were largely talking about exploiting BGP.

RFC 2385 was released three months later referring to the problem . . .

When I was sysadmin (for a Windows network), I would just run l0pht. If A) the dictionary could hack it, or B) if they didn't have a number or special character, then I forced them to change their password on the next round. (Here is a detailed explanation of the Microsoft vulnerability.)If they didn't change it to something better, I'd give them a quick phone call and politely explain the security policty I was implementing. (Most people are very cooperative if you tell them politely and don't shave your security policy down their throat.)

There are other free programs out there (I forget the names) that generate nice reports based on l0pht findings. You can, for example, say that 80% of the users have passwords the same as their user names, 50% have passwords with one special character in it, etc.

Perhaps CxOs should visit sites like Astalavista.com. They'd then see how easy it is for a cracker to compromise your network!

The Cult of the Dead Cow spun off L0pht Heavy Industries, a security consultancy, which then changed its name to @Stake. @Stake is well-respected, and produces good papers on the the theory and practice of security holes. But then, so did CdC.

l0pht Heavy Industries, now known as @stake, employ top-flight security experts whose reputation should be plain from the quality and depth of presentations made at conferences (such as Mudge of @stake and his detailed presentations at USENIX security conferences).

The still-excellent l0pht once informed the world that Microsoft had a serious security problem in a product.MS responded with the famous "That vulnerability is purely theoretical.". So, l0pht released a real exploit for the vulnerability.

Apologies, it's hard to find the original links since l0pht got up in the morning, put on a suit, and became @stake

Hello. Wake up. Theoretical vulnerabilites become real, nasty, exploited vulnerabilites very fast. I assume you read comp.risks?

Looks like it isn't very likely to succeed

LOOKS LIKE? It's a done deal. Somebody has exploited a widely-distribited scripting engine. The people who did it as a "proof-of-concept" have proven that the interpreter for this language is wide-open and gagging for a jolly good rogering. I wonder how many unchecked buffers there are in that code. I wonder how it handles multi-byte characters. I desperately hope it wasn't written in C.

I sit here as a smug old Unix hacker, secure in the knowledge that lisp and Smalltalk programs are unlikely to be attacked in the same way that C programs are.

I'm also sure I'm wrong.

It is quite sad to see that the former l0pht (hopefully you remember them), who went corporate and melted into @stake, have joined the "coalition against full disclosure of computer vulnerability information". I'm amazed that Mudge and Weld Pond would turn full circle and endorse this sort of thing. The l0pht were the sort of people who stood for full disclosure. Too bad they have made this decision. I have lost my respect for them.

At least eEye are keeping their heads about them.

Hey,

Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin

Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to thier site in the place of good, solid descriptions?

My, how times change.

-M

Bob Patterson is dying

Yet another crippling bombshell hit the beleaguered Bob Patterson community when last month IDC confirmed that Bob Patterson accounts for less than a fraction of 1 percent of ABC Ratings. Coming on the heels of the latest Netcraft survey which plainly states that Bob Patterson has lost more market share, this news serves to reinforce what we've known all along. Bob Patterson is collapsing in complete disarray, as further exemplified by failing dead last in the recent Nielson's Ratings Survey.

You don't need to be a Kreskin to predict Bob Patterson's future. The handwriting is on the wall: Bob Patterson faces a bleak future. In fact there won't be any future at all for Bob Patterson because Bob Patterson is dying. Things are looking very bad for Bob Patterson. As many of us are already aware, Bob Patterson continues to lose market share. Viewership flows like a river of blood. The Network Test Card is the most endangered of them all.

Let's keep to the facts and look at the numbers.

Ratings leader Theo states that there are 7000 viewers of PAX. How many viewers of the WB are there? Let's see. The number of PAX versus WB posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 WB viewers. Bob Paterson posts on Usenet are about half of the volume of WB posts. Therefore there are about 700 viewers of Bob Paterson. A recent article put Network Test Cards at about 80 percent of the Bob Patterson market. Therefore there are (7000+1400+700)*4 = 36400 Network Test Card viewers. This is consistent with the number of The Network Test Card Usenet posts.

Due to the troubles of abysmal ratings and so on, Bob Paterson was moved so it was no longer against Frasier. Now in its new timeslot, its ratings continue to slide. Soon, its corpse turned over to another timeslot.

All major surveys show that Bob Patterson has steadily declined in market share. Bob Patterson is very sick and its long term survival prospects are very dim. If Bob Patterson is to survive at all it will be cult television followers. Bob Patterson continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Bob Patterson is dead.

Bob Patterson is dying

Wanna see if its codered, just run the win32 netcat ( nc -l -v -p 80 -o hex.dmp ), dont forget to tell zonealarm to let them in though, there is little that is more save than a netcat honeypot ;-)

Wanna have your own complete copy?

nc -v -L -p 80 -o hex.dump > text.dump

Works with the unix and win32 version of netcat, I have had a window open watching trafic coming in on port 80 for a couple of days now, its really weird to know port 80 and 111 are aparantly that interesting on a normal dailup providers ip range.

Having said that, let me remind you that Microsoft says (and trust us on this, really!) Linux is not for you. It will HURT your (read: Microsoft's) business and decrease Linux based (read: Microsoft's) stock in the next few years. And the recent security problems with Linux(read: Windows 2000/NT call into question whether or not it should be used at all.

Hey! What are you laughing at?! It's bad I tell you! Really, really bad! TRUST ME!

Listen, I am both Microsoft (MCSE) and Sun (SSA) certified. I have worked with Solaris, Linux and Windows for years. How can windows users that have little if any Unix knowledge, make any comment on what Taco has to say? I'm sure some of the posts were written by people with experiance on both platforms.. but.. Of the people that LOOVVEE M$ many know little or no Unix .. Most M$ users only know M$. Most Unix users know BOTH Unix and M$. Taco is entitled to his opinion (which it just so happens is accurate this time..you overly defensive Microsoft Borgs!) As far as microsoft.com being usefull, I guess that value is in the browser of the beholder. I don't personally have much use for Microsofts web site except when I need to patch my servers. Unfortunately, Microsoft often releases patches long LONG after a problem has been made known (see L0pht.com for a quote from the Microsoft folks). I admin both Unix and Windows machines, If I need a good technical reference I go to O'Reilly and buy a book on the subject.. not microsoft. Or I go to Docs.Sun.Com , Cisco or Linux.org but I don't go to Microsoft.com which is apparently a good thing because they have had DNS problems most of the day! -Celtic

I know about computers.

What would I want a lady for??

And while I'm on the subject, security is *both* product *and* process. Sure, I'd be stupid not to have the latest patches and train my users. But I'd also be better off not allowing them to use MS Outlook, and IE (remember the scripting bug that allowed one to catch a virus from simply browsing the web?)
---------------------------

A full description of the statement can be found here.
A full description of @Stake's response can be found here.
A full description of Microsoft's response can be found here.

Well, be have been declared the enemy since 1933, when Franklin Delano Roosevelt declared a number of national emergencies (banking, agriculture, etc) as part of his New Deal program and obtained sweeping, dictato ria l powers under Title 50, also known as the War Powers Act of 1917. Section 5b provides for expanded presidential powers. This act has been amended several times. We're still in that state of emergency, officially; in fact, Clinton extended it. FDR didn't assign the new powers to existing agencies, but created new "temporary" agencies, many of which still exist today. No president has been willing to end it, because they give up their special powers when that happens.

It's the national emergency that lets the President legislate via executive order. The power of legislation is supposed to rest in congress, not the President. Since 1933, the President has been able to legislate on his own without oversight from any part of the government. We have been living in a nation of Public Policy, not Common Law, since then.

Ask your favorite candidate if they plan to end all national emergencies, including the big, old one.

(previous post due to slipup with "submit" vs "preview")

________________________________________

Well, be have been declared the enemy since ,a href="http://www.unitedstates-on-line.com/FDR32.ht ml">1933, when Franklin Delano Roosevelt declared a number of national emergencies (banking, agriculture, etc) as part of his New Deal program and obtained sweeping, dictatorial powers under the Title 50, also known as the War Powers Act of 1917. Section 5b provides for expanded presidential powers. This act has been amended several times. We're still in that state of emergency, officially. FDR didn't assign the new powers to existing agencies, but created new "temporary" agencies, many of which still exist today. No president has been willing to end it, because they give up their special powers when that happens.


________________________________________

A black-hat being investigated by the FBI could possibly turn their tool against them, using *nivore for counter-intelligence. At least the FBI has to pretend to obey the law and respect some limits -- a black-had has no such restrictions.

I wonder if there is enough information in what has been released to be able to identify a carnivore box remotely. Does it use promiscuous mode packet sniffing? Could you detect one with a variant of l0pht's antisniff? Does it exhibit any tcp/ip eccentricities that could be detected with nmap or SATAN?

Irrelevant. If they found it offensive, they would have said it by now - black people didn't used to be offended by being called "niggers", but they are now, and it's being changed. How many people were protesting when it was first introduced is irrelevant.

Exactly my point. Thank you for agreeing. The definition was changed.

Don't get so ahead of yourself.. it says "depreciated" not changed. From the dictionary...

depreciate (d-prsh-t)
v. depreciated, depreciating, depreciates. v. tr.
To lessen the price or value of. To think or speak of as being of little worth; belittle. See Synonyms at deprecate.
v. intr. To diminish in price or value.

Nothing here says anything about "changing" the definition, only a note saying that this is an uncommon definition of hack and is (or should be!) little used.

I know a teenager or early twentysomething like yourself might find this hard to believe, but 1996 is quite recent. 1990 is also quite recent.

First, age is irrelevant and you are being discriminatory and elitist by saying that my age somehow has a relationship to my ability to argue. But if you must argue the point about age, I'd like to point out that, almost exclusively, the progress in the computer technology sector has been coming from the people you just belittled. Anecdotal evidence - companies are discriminating against old people severely because of the widespread perception (fact?) that they are not as productive as their younger counterparts. [Source: FACEI] Second, wake up. This is the internet - 3 months of "internet history" is about 5 years of "real world" history right now. We're operating under a constant acceleration caused by technology advancement. If you think 5 years ago is "recent", remember that 5 years ago, e-commerce didn't exist, Linux had only been around for a few months in a usable form, and the "web" was still a morass of pasty grey webpages and broken HTML. Slashdot got maybe 10 hits a day, and IPO was just another word.

The "old" definition backs up the media.

I beg to differ, according to my research, hacker originally meant "someone who makes furniture with an axe". That's the "old" definition. As early as the 1960's, the term "hacker" was rechristianed to the definition in the Jargon File. Had you done some preliminary research, you would have discovered that this is where the derivatives "sports hacker" and whatnot came from - it was first used by the computer industry and then started spreading into normal use. That is, until the media misinterpreted it by equating computer enthusiast with computer criminal.

The media will generally call you what you call yourself.

There's about 20,000 people on BugTraq who would like to talk to you about that, as well as a few "hacker" organizations like these guys.

I'm going to stop replying now, as you seem to be intent on chasing your tail and offering little or nothing in the way of new insight on the matter. There's nothing new to discuss here.

--

The guys over at L0pht (which I didn't see at the MIT Flea yesterday...) were working on such a system. I wonder if it's mothballed due to their newfound partnership with @Stake. Hm.

My .02
Quux26

there is a MUCH better explaination (and tutorial on this) by mudge of l0pht.com. One niffty trick i remember from the tutorial was a program that skipped over a line of it's own code. the program had two printf()'s, one of them never got executed because the IP was captured and increamented, therefore skipping a line of execution.

One of the major problem with a buffer over flow attack is that it's very depenedant on the flavor of OS and application you are overflowing. even if you have an exploit for a buffer overflow in say wuftp, is won't work on anything but the exact build, and OS setup it was designed for. because the offset for the IP will be different.

or something like that :)

-Jon

Reminds me of Network Flight Recorder which used to be open source minus the signature files contributed by l0pht which were under copyright. I believe NetworkComputing magazine did a test on IDS systems a while back and found that many were not mature enough to depend on for security. Though allowing people to help with the project will go a long way in keeping it up to date.

Another thing that interests me is the fact that intent is considered, quite explicitly, by Patel. I didn?t realize that the intent of the creators of a device could have such a large part to play in the legal fate of that device. If Napster had been created in all innocence of infringement issues, would it have a stronger defense?

Gosh, that seems pretty reasonable to me... The issue that we're debating is not the legality etc..., but the state of the injunction. Since their primary intent and raison'd'etre is music piracy, should the site be shut down while we consider the legality of this? Yes. If their primary intent and business was the sharing of (non-copyrighted) cookie recipes, can you justify the shutting down of the entire site?? They are not being blamed for an unexpected side effect, or unintentional use, but for designing and promoting a tool to be used for theft. From your comment it would seem you are not a total stranger to law, isn't this considered "malice and forethought"??

At this point I would like to point out that I refer to it as theft because that is what it is under modern law.

Judges are taught to observe the "Letter of Law" as well as the "Spirit of Law", IMHO, Napster has definitely violated the letter of the law, [All rights reserved. Unauthorized duplication, hiring, lending public performance, and broadcasting is a violation of applicable laws.] and is treading a fine line with the spirit of the law. By conservative we mean to say she more closely observes the letter of the law, as opposed to the spirit of the law. Napster is trying to turn this in to a debate of copyright laws, but in reality they are simply trying to profit from an illegal trade. (Isn't that the CIA's job??)

The point is that they tread shaky legal ground in this arena and they have the audacity to tease the lions. If you reverse engineer a program to figure out why it crashes your system is that different than doing it to sell a "pirated" version?? I do believe so. What happened with Napster was not an unexpected consequence, but the design and purpose of the system.

Why do we love the laws against spam and rail against the laws against theft? I guess that we're just not the victims.....

Perhaps we should just phrase it "All technology is good except that which can be used to spy on or annoy me. If the technology harms a large enough corporation it's even better."

~Jason

"I'm not biased, just consistent in my position."

It's already been done and it's called (strangely enough) SLINT. Unfortunately, it's not available to the public. Perhaps some polite inquiries could persuade them to release it? Or maybe not. Anyway, it's there.

Sometimes I feel that certain people in security view the products and the admins using those products as the enemy, and not the crackers at all!

Who was cracking Novell's LANManager password scheme - included in Win9x - before l0phtcrack was released? How many DDoS attacks had you heard of before the release of trinoo, etc? What about fragmented IP packets before teardrop?

The real problem with full disclosure is not that holes aren't patched - publicly announced bugs usually do get fixed sooner rather than later. The problem is that users don't always deploy the patches. In the meanwhile, well-meaning (or otherwise) "grey hats" who have coded exploits to holes they discovered - usually in order to enhance their media shebang and sell more of their own security "solutions" - have handed a tool to skript kidz who simply hunt the net until they find a box whose harassed admin hasn't installed the latest patch. Alone, many of these "crackers" couldn't crack a paper bag. With the utilities in their arsenal, it's trivial.

See this related article written by the l0pht:
http://www.l0pht.com/~oblivion/so apbox/index.html

I'm all for disclosure of security holes - it keeps vendors honest, and it allows for creative security community solutions. It may not be in the best interests of the world (and info security does have a global impact these days) to code actual *demos* in order to pressure vendors into implementing fixes. Just explain the hole, explain the danger, heck even explain a step-by-step exploit. Just dont code the bitch. Your neighborhood harassed admin will thank you.

-konstant
Yes! We are all individuals! I'm not!

I've spent way too much on a Palm Pilot IIIe and there ultra-awesome 1980s 14.4 modem -- only to find out that the palm pilot can not possible handle keyboard input while using the modem.

Welcome to the world of HP Jornada already with color screens, and as bad as *Wince* is, it atleast handles some type of crapass multitasking. I can't do anything when I'm surfing the web or wardialing on my pilot but sit there and wait to get to a pc to do something interesting with the horrible data I've gathered.

I missed out hardcore.

There should be programs for that.
try:
hackers.com
L0pht.com
hackers.com has a large archive of programs.
-----
If my facts are wrong then tell me. I don't mind.

"Microsoft in itself does not pose a security risk [but] rather the [risk comes from] dumb 'paper MCSEs'."

How do you explain L0PHTCRACK: Inside a high-technology company, " L0phtCrack 2.5 cracked 90% of the passwords in under 48 hours on a Pentium II/300."

I doubt the most experienced MCSE could reverse engineer MS's source code and remove that tiny glaring security flaw (you know, access by any SKR1PT K1DDIE to your machine). Not after the DMCA anyways.

Or the problems with buffer overflows, the Netbios port (hey if you're an mcse, may as well just shut down everything microsoft has implemented, I mean - its your fault its there).

File & Print sharing, non-encrypted network protocols.

You can't blame MCSEs for Microsofts mistakes - after all, they were trained by MS.

Try securing your systems BEFORE they get cracked. A good few places to start:

Insecure.org, especially this top 50 security tools page.
SecurityFocus the disseminators of the BUGTRAQ list among others.
Attrition.org, especially their security page.
And of course 2600, the l0pht, and Phrack for the latest tasty street info....

#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak

L0pht Heavy Industries has been working on a 10Mogobip wireless network for two years now, they've gotten nodes in Boston, Derry New Hampshire, Cambridge Massachusetts, and Somerville Massachusetts.

Apparently, they have gone beyond simply using microwave, they are also using radio (which is a staple to the guerrilla.net system)...and the security breach he was worried about has been solved...by (1) an NSA approved encryption system, and (2) (which hasn't been implemented) another encryption system "to keep the spooks out".

Ugh...this looks bad, pardon my poor grammar, as I've not completely woken up. For more information, please click the link above.

L0pht's already working on it. guerrilla.net

-Spazimodo

Fsck the millennium, we want it now.

they've got a heap of info up at L0pht's site here

Does Vice President Al Gore have an unfair advantage in the online campaign of the presidency since he invented the Internet? Will the FEC step in to level the playing field for G.W. Bush so he can compete online against Al Gore?

Absolutely. Since Gore wrote the specs on TCP/IP and was the main instigator of all the RFC's in existance he has a major advantage. Bush is probably going out and secretly hiring all the "SkR1p7 K1DDi3z" once he has them on their side he will have a more level playing field.

Bush probably wants the L0pht on his side as well being as they are top notch, and of course they wrote the one book that prevents the one father of the internet from sleeping at night.

;)

Already some organizations are pursuing private or public networks, and one in particular I can think of is infact a totally new paradigm, as Dilbert would say.

It's called radionet, and the L0pht is working on developing a radio-based network, as far as I can gather. If you are interested check out L0pht's site , and follow links to find info.

But the point is really that global networking can go in many directions. THis radionet is one, but others, like gibson's view, or my favorite, Rudy Rucker's thyberthpace in the Hacker and the Ants. Any is possible. Face it, we cant know the future.

Sam

im just generally awesome

POP3 over SSH with port forwarding has some timing problems - you must to wait until the SSH connection is up before running fetchmail. Consider this alternative:

Create the script sshtunnel:

#!/bin/sh
ssh $1 "nc 127.0.0.1 $2"

And in your .fetchmailrc use this script with the plugin option:

poll host plugin sshtunnel user name password pass

Instead of opening a TCP connection fetchmail will run the script passing it the hostname and port number as arguments and use its standard input and output to talk to the POP server. No timing issues - fetchmail will wait patiently while you type your password or passphrase to ssh.

It requires netcat to be installed on the target machine.

Why encrypt only incoming mail? My outgoing mail is also delivered over ssh (courtesy of PostFix)

----

I wish that people would stop making comments like "that's so stupid" or "this is so dumb" I mean, really, leaving the little guy on your desktop is no dumber than using vi or emacs or AmiPro or AbiWord or KWord or anything else. It's just a personal preference, right?

Maybe you should try the OUA Vulnerability Proof of Concept web page. You'll see quite quickly how simplying having that damn paperclip (not even running) is one of the worse security holes to come along... not anything like leaving a dozen x-terms open, all running vi or emacs.

Don't forget to set your macro virus protection back after you do the demo... not like it would be of any help against a worm/virus using this exploit.

And to state the obvious, this is some seriously cool reverse engineering on the part of @state and l0pht. I looked at his script code ... lots of hex numbers in the calls, must have been a lot of effort to do this job. If anyone needs any examples to show why reverse engineering needs to remain legal, this is a great one.

>Users have to run the attachment manually!

Unless its in a preview window or is a special type that windows knows about. See l0pht about an example.

There are still many unexpolored ares in the windows virus arena. I suspect the next ones to bite will make use of ms-tnef or the auto-icon buffer overflows.

All ILOVEYOU did was rasie the bar a bit.

http://www3.l0pht.com/~dildog/webserver.doc

Note that you can upload files, download them, execute programs, and change file attributes by clicking on them in the directory list. The webserver shuts down when they close the document though, since I didn't bother to try to make the tool any more insidious than it was already.

Have fun.

Damn, that even beats out CAMNEERG, the web serving mac plus! (At least camneerg has the added "feature" of displaying everything backwards, thus the name).

No offense, but, you're obviously not familiar with radio.

Usually, with ham radio at least, you'd use a TNC to convert from serial data to RF for a radio to transmit. The faster the data rate, the higher the bandwidth. Why do you think they call cable "High Bandwidth"? 'Cause you can't do 6 megabits over 560kHz (AM Broadcast), you need Higher Bandwidth.

Ask youreself: What kind of line quality do you need for voice? To answer this, think in terms of an MP3. A radio recording of a talk show only needs Mono/22kHz/8bit/96bps. That is fine for radio, but for data (especially for full-duplex) you're gonna need some serious improvement. You may be asking "But doesn't the audio get digitized first?" Yes (probably) but it still only requires a 14.4-class data rate to transfer.

References...
TAPR: These guys are the IETF of packet radio.
Guerilla.net: An underground alternative to the wired Internet.

P.S. TNC is a "Terminal Node Controller". Could be described as a radio-modem.

Get your "illegal" software here!
I love it when articles have links....

1 2 3 4 5 6 7

There's a few to start you off.

The pieces are all coming together to establish an anarchic wireless internet-alike.

i)Get yourself and all your friends these cards.

ii)Fit a higher-powered directional antenna as described in other posts on this thread, so
that you can make at least a surburb-wide network. Hopefully, with time, this 'burb sized networks will grow together.

iii)Set up an encrypted (IPSec) IPv6 network running over this framework (IPv6 so we have enough numbers to go round without crazy masquerading setups)

iv) Help develop+ install the freenet server/client on all machines, as well as standard DNS stuff. (Think of freenet as a sortof fully decentralised napster, but even cooler)

v) laugh at the censors.

I believe l0pht have been working on such a scheme for some time, but only now are the pieces really coming together.

L0pht (@stake)'s wireless network.

Midcoast Wireless
-russ

(Seriously, though: I use ssh for work, TinyFugue for play and netcat for scripts. =)

Also, isn't a one-time pad a very different thing from a one-time password?