Slashdot Mirror

A quick google will get you anything (heck, it could even get you a hooker's address).

You know, that's not entirely out of the question. This guy stole a hard drive with personal information on it for his "personal use at home". (The referenced article doesn't say that, but I remember reading the results of the investigation and court case in the paper at that time.) He didn't want the data on it at all, just the hardware.

Just jam GPS signals locally. Problem solved. Others created. :)

http://www.landfield.com/isn/mail-archive/2003/Jan /0093.html

If you know enough to make that work, you can identify several modifcations to make it much more effective.

Obviously, the legal implications of doing such are left as a exercise to the reader.

It was reported two years ago. We'll probably hear about it in 2006 too, unless someone takes advantage of it.

FBI reports have in the past tended to sometimes be ridiculously loaded with over-exaggerations for purposes of lobbying the US government to increase (a) their funding and (b) their powers. Recall, even some years before the US invaded Iraq, reports of the Iraqi government (and there were reports of the Cuban government too) having a vast network of computers and computer hackers dedicated to creating major hacking threats to the US's 'IT infrastructure'. Dubious links to "national security risks". E.g. see http://www.landfield.com/isn/mail-archive/2003/Jan /0094.html. More similar propaganda about China: http://www.mail-archive.com/marxism@lists.panix.co m/msg21238.html.

Although there is often some mild hacking activity from countries like this, the FBI sometimes WILDLY distorts the facts, and obviously it is in their interest to do so, since the result is the Senate assigning them ever greater funding and greater powers.

It really amazes me just how much longevity the CCC has displayed, despite having gotten mixed up in scrambles that would have totally taken apart anyone less hardy. From concerns that one of their members might have been bumped off, working for the KGB, breaking into NASA... and somehow still finding time to run the Blinkenlights and the congress every year.

I know I would have cashed my chips and left a group like that a long time ago. Hats off guys, how do you do it?

I think this Broadband Reports article also brings up a good point: among the groups attacking the Act, why do so few of them bring up Echelon? It already gives the government much of the surveillance ability they claim they're lacking, and without congressional oversight.

You really want mandatory locks, which not even root can break. you can set the behavior per-file, as well. It seems to work circa 2000 (Mandrake 7.2) as I just tried it on said box.
Any questions?

As far as "hobbyist" OSs go, you do realize Solaris has the same limitation (but doesn't have the mandatory lock extension). So Solaris is a hobbyist OS, right, cuntwhack?

Whish I had seen this thread earlier. Oh well if you make it to Boston be sure to check out the following:

MIT Computer Flea Market while you are there you will surely meet somone who will be willing you to help you explore the MIT Steam tunnels but before you go be sure to walk down the street to were Alexandar Graham Bell invented the telephone.

Then of course is the Boston Museum of Science.

- SR

And not just CALEA, either. There are other pieces of telecom software and equipment that have been hacked in the past. Some of this eavesdropping by foreign spooks acquired a lot of notoriety due to its interception of highly sensitive traffic.

But it's safe to assume that there was much more eavesdropping that wasn't reported or even discovered.

If this goes on, it will be faster to call the Mossad or the FSB to fix a phone problem in DC than to call the local phone company.

-- SysKoll

http://www.landfield.com/isn/mail-archive/2001/Jun /0099.html http://www.landfield.com/isn/mail-archive/2001/Jun /0099.html

There is more information here on the Czech "Tamara" anti-stealth radar, which apparently the Iraqis were set to buy in November 1997.

http://www.landfield.com/isn/mail-archive/2001/Jun /0099.html http://www.landfield.com/isn/mail-archive/2001/Jun /0099.html

There is more information here on the Czech "Tamara" anti-stealth radar, which apparently the Iraqis were set to buy in November 1997.

I haven't seen anyone (save a few Slashdot trolls) seriously argue that binary-only software is inherently more secure, either in theory or in practice.

Then you must not get out much.


Alexis de Tocqueville Institution published a white paper (funded by Microsoft) that argues this very point. Do you consider them "slashdot trolls"?

How about Steve Lipner, manager of Microsoft's security response center? Is he a troll too?

Hmm, ZDNet has another (unnamed this time) source from MS, who claims that too. You're saying that MS's spokespeople troll /.?

I've also seen company websites (SoftArc comes immediatly to mind) that stated (in effect) "we don't release source code because it's more secure that way" - sorry, no link for this one, as they've changed their site... but there is a chice quote on their security page, where they explain that their products are more secure because "connections employ entirely proprietary protocols"

The thing is that this FUD is spewed about by people who don't know what they're talking about, and believed by others who haven't thought about it too much. "Security through obscurity" makes an inutitive kind of common sense, unless you think about it for awhile, or are exposed to the flaws (which aren't as intuitive.) It's the same kind of sense that got the DMCA passed.

Mr. Diffie isn't writing for the security community, but for the people outside the security community, who might be led to believe that obscurity does provide security.

Oh. Wait, as often as not these countries think of things *first* and America has to play catch-up.


Sometimes they just catch-up in "other ways", using you to beat you at it.

Have a look at was the US did to Enercon.
This is one of the few english language
articles I found:

I understand your point. A good one, but also a very naïve one...
You must recall that governments usually are closely tied to it's land's industry and in my mind, this has become the true purpose of Echelon in the post-cold war aera: Industrial Espionage.
May I quote: "France, deeply suspicious of Britain's uniquely close intelligence links with the US, seized on reports that Echelon cost Airbus Industrie an 8bn contract with Saudi Arabia in 1994, after the US intercepted communications between Riyadh and the Toulouse headquarters of Airbus"

Some more links:
http://www.geocities.com/Area51/Shuttle/5604/data. html
http://www.aclu.org/echelonwatch/highlights.html
http://www.wired.com/news/politics/0,1283,34932,00 . tml

And, yes, don't believe in a conspiracy unless it has been denied... ;-)

You'll find for instance:
http://www.landfield.com/isn/mail-archi ve/1998/Nov / 040.html

Try here

I was forced to work for this pervert for a few months . Everyone knew he was bad news, even before he entered a guilty plea for possession of child pornography including photos of infants.

Why are we letting pedophiles write software to catch criminals?

This guy is NO GENIUS! After all, he thought there really were young girls in an IRC chat room called "Dads & Daughters Sex" and he got caught!

Patrick was supposed to be an Internet Expert, yet he didn't even PGP his kiddie porn!

The Walt Disney Company lost $1Billion dollars investing in Patrick Naughton's company (his college roommate and best friend still works for Disney!). Now the FBI lost hard-earned evidence investing in Naughton's technology.

-Disney paid the price for Naughton's stupidity.

The FBI paid the price for Naughton's stupidity.

And THE AMERICAN PUBLIC did, too! By standing still while "pretty boy" Patrick was able to plea bargain by writing crappy software for the FBI, he got out of jail sooner and he's free to endanger more young girls, maybe even your son or daughter!

You could try forging a bounce message from: Mailer-Daemon@yourdomain.

You can usually just change your email address in your mail client though there are a few ISP's don't allow outgoing email with a from line that isn't the users assigned mailbox.

Alternativly just deliver it straight to port 25, as per example;

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

username@mydomain.com
SMTP error from remote mailer after RCPT TO::
host mydomain [192.100.1.81]: 550 Unknown local user 'username'
.

note the empty line to seperate the subject from the body.

Guess who uses IIS? eBay, Dell, Gateway, Intel, Nasdaq, Compaq, most of the UK Government sites... etc.

Most of the UK government sites I know about run apache. The cabinet office did switch to IIS and then got hacked...

I would recommend you to read the book Security Engineering by Ross Anderson.
It gives you a perspective of security from a lot of different fields.
If you must secure stuff you have to think like an alien.
If people who were supposed to control the Defense satellites
in Britain had thought like an alien, none of their satellites
would have been hijacked,
but that story seems to be untrue :).
Anyway, secure your babies.

Here.

item: the version of wu-ftpd that rh released was a pre-release from cvs. they changed the version number. this bug was fixed in cvs months ago.

item: the securityfocus vuln-help people are supposed to help coordinate vendors & the software maintainers. they sent notification of the bug to the wrong address, so the wu-ftpd developers weren't even aware that there was a bug present until the day the rh advisory went out.

item: there was supposed to be a coordinated advisory put out on dec. 3rd. rh preempted that, causing this nasty confusion.

greg lundberg posted a big explanation of what went on to several mailing lists... it should be on the wuftpd-questions archive, but i don't see it there yet.

also, see the news item at securityfocus about this.

In the UK, the governement here _still_ have the ability to imprision without trial indefinitely on the statute books, when it was brought in a "temporary" measure from 1971-1975. Operation Internment had a terrible backlash which, instead of reducing the problem, gained tremendous support for those imprisoned. The UK act ("prevention of terrorism act") still has to be renewed annually, but it always is - who would vote against it with a name like that? So, the whole idea made things worse, and even the clause of an annual review wasn't a sufficent counterbalance to remove it from the laws.

Giving up freedoms to defend freedoms, is like comiting suicide in self defence.

An army - no. A big issue is education - it requires a basic level of education to become a hacker, and much of the African population falls below that level. But there are African hackers, I know a couple. South Africa has produced quite a few, since it has a somewhat first-world education system, at least for its wealthier citizens (used to be whites only, but that's changed a bit now).

The digitial certificate company Thawte is South African, for example (see this article. Of course, Thawte has since been acquired by the U.S. certificate monopoly, Verisign - can't have any foreign competition, wouldn't be good for business.

For your amusement, here are a few links (found on Google):

• Zambian hacker replaces president's picture on web site
• South African hacker 0wnz government telecomm network
• Hacking in South Africa

But some of the best African hackers leave for other countries, where they can earn more money and leave the various problems of Africa behind.

The founder of X.com, Elon Musk, is a South African. X.com now owns Paypal. Musk founded X.com with the $305 million in cash he made from selling the Internet directory company he founded, Zip2.

You may argue whether some of the above are truly hackers, but the point is, the skills are there, just not in the numbers that you get in countries with better-educated populations.

Yeah but noone wants to go after Procom for their violations.

...I can only go by what Cafeglobe's translation says, but here's the summary:

It looks like they have a system with a 5 metre (16 ft) range. You mount a "base" unit on the ceiling, and then attach little satellite units to your computers. Communication is line of sight, and utilizes LEDs. The system can apparently find new or relocated nodes in an average of 5 seconds.

Am I the only one who sees no freaking point? Here's a comparison between this and 802.11b (aka AirPort):

Range
802.11b: 45 metres (150 ft)
Optical: 5 metres (16 ft)
Winner: 802.11b by a mile (at least, if you get a crazy antenna).

Reliability
802.11b: Bandwidth drops slightly when somebody uses the office microwave
Optical: You're booted from your Quake game every time that tall guy with big hair walks by your desk
Winner: 802.11b, by two frags

Cost
802.11b: Base station - $299. Satellite - $99.
Optical: Base station - $1190. Satellite - $400.
Winner: 802.11b, by about the cost of a new PC (and some long EtherNet cables).

Mobility
802.11b: Still works even if you run with your laptop.
Optical: Drops the connection every time your annoying office-mate bumps the cubicle wall.
Winner: 802.11b can handle any move you make.

Security
802.11b: Shitty, unless you live in a Faraday Cage.
Optical: Shitty, unless you live in a windowless hole.
Winner: Tie. Use IPSec and/or SSH, and it won't matter if you're using RFC 1149 or any other wireless network.

Bandwidth
802.11b: 11Mbps
Optical: 100 Mbps
Winner: Optical, until somebody stands in your line-of-sight.

Overall Score
802.11b, 4. Optical, 1.

In short, forget about optical unless you need 100 Mbps, can't string EtherNet cable, and don't mind if it goes down every time somebody walks by your desk. I'd say it would be good for LAN parties, except it's too expensive. I'd say it's good for trade shows and other temporary large gatherings of computers, except you just know the Microsoft guys would be throwing paper airplanes at the RedHat booth optical transmitter. I have no clue who would actually want this, other than a rich gadget freak.

If I were going to design my own optical networking gadget, it would be peer-to-peer, with each peer having multiple line-of-sight connections to neighbours. That way, if one is interrupted, packets are instantly rerouted through the other links. Unless a crowd of people is standing around your desk, you're fine. It would probably cost way too much, though. Until that gets cheaper, 100BaseT cables duct-taped to the floor, ceiling, and walls are the way to go for quick, cheap connectivity.

We have an older story about building-to-building optical networks, but I think this is first inter-office optical LAN I've seen.

First of all, I think you mean intra-office optical LAN. Second, sometimes, when you get an idea, and nobody else has done it, it means you're a genius. Sometimes, it means you're a moron.

In order, from the FAQ:

1. What is lzip?
Lzip is the most advanced file compression utility ever conceived. It is literally years ahead of gzip (though admittedly gzip was around first), and makes use of mathematical transforms the bzip developers have never even heard of.

So the lzip people know, exactly, the contents of the bzip developers heads? They'll be telepaths then.

2. What makes lzip different from gzip/bzip2?
The second is that the performance is vastly improved.

Tell me it takes longer to MP3 encode than it does to gzip or bzip2. (MP3 being the most used lossy codec, to slashdotters).

We're talking about a constant-time algorithm that can reduce a file down to 0% of its original size. What's not to like?

Contsant time - not linear. In otherwords, give it a large enough file, and it can compress it before it reads it all off the disk.

Compress down to 0% - I reffer the reader to the comp.compression FAQ, point 73. It's impossible.

3. What do you mean I can't restore my files?
On the reassuring side, it is important to note that the compression algorithm used by lzip only discards the unimportant data.

An algotithm that works on generic files, but can identify the important data in them. Guess all the compression research just got made useles then - identfying what parts of the data is important is impossible, only a human can do that [0].

8. What is the Lessiss-Moore algorithm?
It utilizes a two-pass bit-sieve to first remove all unimportant data from the data set. Lzip implements this quiet effectively by eliminating all of the 0's.

Uh-hu. Removes all the 0's. Do I really need to elaborate on that one.

Oh, and thier liscence is the FOOL liscence. Go figure.

[0] In MP3, a human came up with the psychoacoutstic model. The codec just applies that model.
--

md5 digests are 128 bits.

Err, last I checked, that pretty much made it a virus. Check out the alt.comp.virus FAQ, specifically question 3. This code hits all of the criteria. It's worth pointing out that merely infecting applications on the same machine is how a lot of older viruses (before the Windows-based email worms became popular) spread themselves. This is, more or less, one of the "classic" virus types.

Furthermore, while I don't disagree that the built-in security of Unix greatly restricts the flow of viruses, a cross-platform virus could wreak some serious havoc. A quick "find ~ -name \*.exe -print | wc -l" indicates that I've got 42 DOS executables sitting in my home directory. Some of these are for DOSemu, some are old files that'll never get run again (leftover CGIs from when work's website was NT-based), and a few sets of drivers that I downloaded for machines I was fiddling with. While I probably don't have anything to worry about in this case, it's not that hard to abstract it out to a case where it would spread.

Finally, even if the virus completely failed to spread on any and every Linux platform (which, IMO, is overly optimistic), its behavior on Windows would still classify it as a virus.

"Whatever happened to the right of the people to be secure in their ... papers..., against unreasonable searches and seizures?"

IP messages are not transmitted on paper unless you use RFC1149.

Znork wrote:

Just check the comp.sys.shells faq :). Which shell has the most features? Not that you'd ever use them all...

Perhaps you meant the comp.unix.shell FAQ? Good pointer. The one with the feature list you are referring to is right here:

UNIX shell differences and how to change your shell

Definitely worth a read. And a specific FAQ on ZSH:

Z-shell (zsh) Frequently-Asked Questions

Of course, I have a vested interested in seeing people switch to zsh. It is my primary shell, and the more people use it, the more boxes will come standard with zsh, and the less frequently I'll have to revert to bash.

Znork wrote:

Just check the comp.sys.shells faq :). Which shell has the most features? Not that you'd ever use them all...

Perhaps you meant the comp.unix.shell FAQ? Good pointer. The one with the feature list you are referring to is right here:

UNIX shell differences and how to change your shell

Definitely worth a read. And a specific FAQ on ZSH:

Z-shell (zsh) Frequently-Asked Questions

Of course, I have a vested interested in seeing people switch to zsh. It is my primary shell, and the more people use it, the more boxes will come standard with zsh, and the less frequently I'll have to revert to bash.

Here is a like to a collection of X related faqs from comp.windows.x

X FAQ

Originally they were released for free on the net. There is still some site that has the first four books available online.

During a Denial of Service attack, certain peers can be overwhelmed, while others are passing little or no traffic. This tool will let you bounce tranceroutes off of other starting points so that you can correctly verify your transit and peering operation. There is a lot of value in this tool. I can see larger ISPs paying a subscription to gain access to this type of service to help them develop their own Quality of Service with peering providers.

Hopefully they add support for IPv6 and the 6bone, as for now we're restricted to using web pages with traceroute CGI's. For more information on BGP routing, take a look at http://www.landfield.com/rfcs/rfc1771.html. Have a nice day!

-Pat

Although it is still relatively early in this slugfest, I hereby invoke Godwin's Law. Although frob2600 makes some good points, he was sloppy.

For those of you who don't know what it is:
"As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches one."
A excerpt of the explanation from the Jargon File:
"There is a tradition in many groups that, once this occurs, that thread is over, and whoever mentioned the Nazis has automatically lost whatever argument was in progress."

You may read up on Godwin's Law from the FAQ.

Strictly speaking, frob2600 did not directly mention the political regime of the third Reich, but I believe that his post fulfills the spirit of the Law's requirement. Namely, in his zealous pursuit of proving his point he feels it necessary to unnecessarily compare the opposing view to one of the world's most hated political groups.

----

A few weeks back we had a discussion here about a new email client for Linux that was 'compatible' with LookOut, including support for HTML email. I posted a small rant on why that's not a feature, but a bug, and a few called me a ludite.

I agree with you this is a bug not a feature, however, if you were not prepared to offer a non-buggy way to make the users who expect this happy, that might legitimately have earned you such an epithet.

Face it, the typical e-mail user these days does expect some formatting capabilities. There is a way to do this without diving into html-hell. See this. The Text/Enriched MIME format was designed to provide formatting capabilities that many users desire without the never-ending problems entailed by using HTML out of place. The makers of Pegasus Mail have taken a very usable approach to satisfy users desires with the minimal messiness on the other end - HTML messages incoming can be parsed internally with a minimal module that only understand the most commonly used and innocous tags, handed off to an external browser for parsing, or simply stripped to text. Formatted messages are normally sent using Text/Enriched, RTF is also available as an option (very useful if you know the recipient to be on a windows box.) So the pmail users can receive these annoying things and read them fine, but when they forward/reply they don't perpetuate the madness.

The few features of HTML which are actually useful in email are properly used by selecting the Text/Enriched MIME format, see RFC1896.

Some mail gateways discard HTML before forwarding messages - more of them should.

Yeah, this thread's s'posed to be about shell wars, not OS wars :-)

C shell considered harmful!

(Actually, in all seriousness - I really like that "Csh considered harmful" - and the Korn shell rocks. I grew up on SunOS 4.x and csh/tcsh (with Bourne shell for scripting) and was led to ksh by a clued manager in my first job after graduation who said "Hey, check this out, they even say Sun might make this the standard shell someday instead of that C shell".

Been addicted to it ever since. First thing I do is make /bin/ksh my default shell. If it ain't there, I put it there.

--

Here is a link to the International Fedration of Library Associations and Institutions with a huge bibliography of resources, not a summary but a great source of links to a large number of documents on current IP laws and regulations and some of the problems with the system.

One interesting link is about common myths of copyright.

And here is the copyright FAQ (a bit hard to find since the orignial link from the IFLAI is dead.

OSPF is explained in RFC1131, later replaced by OSPF V2 in RFC1247.

Explaining the internals of OSPF is beyond the scope of this forum.

You can, however, RTFM RFC1131 and RFC1247. These are in Postscript.

BGP is described in RFC1771

Now, listen up, go get a life!

OSPF is explained in RFC1131, later replaced by OSPF V2 in RFC1247.

Explaining the internals of OSPF is beyond the scope of this forum.

You can, however, RTFM RFC1131 and RFC1247. These are in Postscript.

BGP is described in RFC1771

Now, listen up, go get a life!

OSPF is explained in RFC1131, later replaced by OSPF V2 in RFC1247.

Explaining the internals of OSPF is beyond the scope of this forum.

You can, however, RTFM RFC1131 and RFC1247. These are in Postscript.

BGP is described in RFC1771

Now, listen up, go get a life!

The Post Office has an official policy that there is no such thing as junk mail - that all advertising mail is valued by both parties. Check here, and search for "junk".

All these tactics sound cool, but are ineffective. If you want the mail to stop, get off their lists. Junkbusters is a good place to start, and a quick Google search will find others. A truly noble thing would be to lobby your congress person for European-style laws that allow opting out on a national level.

This is probably the best choice for unwanted junk mail. All that mail is an environmental nightmare, killing trees, poisong rivers through the paper-making process, and filling landfills with 70 billion pieces of junk a year. Let 'em know what you want (I still get ThinkGeek mailings), and let 'em know what you can do without.

Unfortunately, Tripod allows users to pick names which contain underscores, and then uses them as labels within the DNS; this is in contravention of RFC 1034 sec 3.5, which states:

The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. (my emphasis)

This doesn't often cause much of a problem for most people, since most systems are properly "liberal in what they accept, and conservative in what they send" ; however, in my experience, some systems have problems with the broken names, notably some firewall software.

I suppose somebody should point this out to Tripod, really.

M

Jacco
---
# cd /var/log

Don't forget that in the US your vote is counted. Get involved, make sure there is no election fraud in your distrcit (even if it is to your favor!). Alone we lose freedom, togather we stand up for everyone in a force that the corruption in DC cannot hope to match.