Slashdot Mirror

Just a note; Google dictionary knows the spelling for misogyny but not misandry.

A very common issue.

omg, the world is complicated, the sky is falling and we're all going to diiieee!

It's called "diversity", not "mess", and one of those days you'll be fucking glad that we have it, because otherwise, as me and some other researchers have proven ten years ago, in a monoculture one zero-day in the wrong hands means game over, Internet in something like a few hours.

Be glad we have this "mess". It's going to save our collective asses one day.

The real problem is that representatives *have no fucking idea what they are talking about on most subjects*

Politicians are Amateurs

I happened to stumble upon this quote in the Sheepy's email by accident: "which thus enables users to illegally pirate copies of DVD videos."
Guess I'll just have to legally pirate content from now on.

I was John Doe #34.

I was quite worried when we received the email from Weil, Gotshal & Manges LLP but they had put all recipients in the CC field so someone quickly set up a mailing list.

I was in the UK and at that time, had never been to the US, so I figured the Californian court wouldn't have jurisdiction.

A single data point does not make a trend.

No, it doesn't make a trend. It does show it is possible though, and unless you are claiming that spammers would refuse to spam from anything but Windows, we must come to the conclusion that the spamming would continue on another system. The claim that spammers would refuse to work on other system that meet their needs is an extraordinary claim that would need extraordinary proof.

True, but we're talking volume here. Do you really think that 98% of e-mail would be spam if it weren't for the botnets?

There would continue to be compromised systems. People install botnet clients all the time. There is nothing in Linux or OSX that prevents users from installing software that sends email, so your making a false assumption that there wouldn't be botnets without Windows.

Botnets are automated Social Networks. Just like social networks, greater membership brings more members which increases membership. You want some research that supports my position? Here is a link for you to read http://web.lemuria.org/

If you will excuse the dead links, the papers that are posted there point out that there are far more vectors than just Windows, and that if all else fails, it is simple enough to just get users to install your botnet software. Go ahead. Read the articles. What is in them might seem familiar to you, even if they contradict what you are saying here on Slashdot.

I've shown you yours, so now come up with something that contradicts me or YOU shut up.

It also is a sign of things to come: more countries will sue citizens of other countries for what they did on the Internet.

Yeah, something like that could never happen in America...

The aggressive export of american culture, and weapons, and methods sometimes has the disadvantage that the dark age cavemen that get their hands on them actually use them, and not always against each other.

I did the same experiment with some Unity3D tools/scripts of my own, offering them at four different prices with a suggestion as to what I think they equate to, but a very obvious statement that no matter which price you pay, the download will be the same.

Interestingly, the distribution is 6-2-1-1 over the prices, showing that people do not always pick the lowest price, even if they can. Like the World of Goo makers, I consider the experiment a success and may use the model in the future.

It even checks out economically. I made ~180 US$ this way. If I had offered the scripts for $20 (2nd price), even assuming that half of the $10 buyers would have bought it at that higher price, I would've made only $140.

been there, done that and dumped the idea as incredibly stupid and pretty dangerous, together with everyone else who's been doing research in that area several years ago.

What's MS at? Reinventing old, bad ideas, again?

The fact is that computers are not biological organisms and "viruses" don't work the same way.

In certain areas, they do and the analogy is quite valid. For example, worm propagation on the Internet very closely resembles biological population growth models.

While computers and biological organisms are indeed very different critters, on the systems level (i.e including their environments) there are many similarities.

A relevant wikipedia article that doesn't go into enough detail.

Close. Anonymous posting revealed the source, then it was a matter of tracking down working cyphers. Others claim they had working algorithms before that time.

On the other hand, knowing what we know now about that algorithm, calling it "encryption" is a bit of a stretch. Keys can be brute forced in a matter of hours. A more competant algorithm would be a tougher nut to crack (see the Xbox).

Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations.

Nonsense. Size is a negliegable factor, unless you go into MB sizes. There's almost no difference between a 2k and a 10k worm. I already proved that more than two years ago (see my worm paper, this is on p. 15).

Your initial stage is also covered there.

The whole plugin stuff is something I've looked at after writing the paper, and talked about it in a speech called "The Future of Malware" at two conferences.
There's lots of stuff possible here, but the main point is: It ain't necessary. Why spend hours upon hours on a smart worm or virus, if you can hack up a passable one in 30 minutes and it's good enough?

Am I missing something? I've been watching DVDs on several Linux systems for years. In fact, Linux is the better DVD player, because it allows me to skip the "unskipable" ads and FBI warning nonsense. In fact, I quite value mplayer for its no-nonsense approach - DVD in, mplayer on, movie starts. I never understood why regular DVD players shove you to the menu when obviously watching the movie is what you want to do - the menu can always be available on a button press.

So, the RIAA... eh, wait. That's the recording industry ass. - sure the author didn't mean the MPAA? They're the 2nd row bad guys here, the DVDCCA is the licensing org and the one that's been suing Linux people around the globe.

So with those bugs fixed, there's still the problem that it's friggin 2005 and we already won this battle almost 2 years ago when the DVDCCA lawsuit was dropped. I should know I was there. Except that I never got my "I was sued by the DVDCCA and I all got was this T-Shirt". :)

So to make a long rant short: What the fuck is "stuff that matters" about this article? It might've been news 3 years ago.

I don't have too much experience as a network administrator, but I find it strange to use the number of vendor-released patches as a metric to reliability. Yes, in a perfect world this would be normal, but I think it's obvious that Microsoft doesn't release patches immediately the after the problem is reported but, in the best case, a few weeks later. Also, AFAIK there are still unpatched vulnerabilities in Windows that have been waiting for an awful amount of time. And consider badly written patches that don't fix the root of the problem. Technical support? Consider that old story of a Microsoft employee that encountered crashes after installing a hotfix. (I can't find the address anymore). He reported on his blog how he barely managed to explain the one at the end of the line that he'd encountered "a STOP error" and that he couldn't see his mouse.

When coming to security, this interval (weeks or months) is huge. Think of Tom Vogt's study about worm propagation. [http://web.lemuria.org/security/WormPropagation.p df]. Three weeks ain't enough. Even three days could be too much.

About "implementing the business requirements".. I admit I only skimmed through the report, but I didn't see any direct referenced to the technology used for that.

And when it comes to problems after upgrading.. RPM is not the only package management system. I don't want to start a RPM vs. Portage vs. APT flame. I only want to show that Linux is not RPM (no pun intended). And the same for distributions. I don't have anything personally with SUSE. Again, Linux does not mean SUSE.

Disclaimer:
Yes, I do use Windows on my desktop system. Yes, I use Linux too, but Windows is my primary OS. No, I am not "pro-Microsoft". I only want to see better software. And I hope I'm not the only one who thinks like that.

You are wrong and I have the research to prove it. I've done some work on optimizing worm propagation and I was asked about IPv6 a few times.

Yes, random scanning will die. It will be replaced faster by more intelligent and more efficient means than you can say "windos update". I'm not sure if we really want to force these worm authors to improve their methods...

"is better to work on creating something done right, or to object to it on moral grounds?"

Open-source developer support or not, I don't think it matters.

Nya nya...

http://www.lemuria.org/security/WormPropagation.pd f

You fucked up, Tom. You must have copied a path to the file from your home directory or something.

That said, article looks interesting. Am giving it a read.

At least they called him by his name, not just "The iTunes back door guy."

I'm pretty sure his nickname is "dvd jon".
Remember that whole DeCSS thing?
--
Fairfax Underground: Where Fairfax County comes out to play

The only "legitimate" software that allowed that was shut down by the DVD consortium

What software is that? Surely you don't mean DeCSS, they dropped that battle. And there's absolutely nothing stopping you from ripping a DVD to your hard drive now, and burning it to DVD-R with the CSS encryption intact.

There have been lawsuits. Google search for decss or 'DVD Jon'. Maybe check out DeCSS Central

One problem with these trade treaties is that they excite absolutely no excitement from the public. Developing countries have other problems to worry about. The content industry lobby gets its own way, no matter what a mess it leaves the law.

Another problem is that most of the world is forced to make all of the same mistakes. It will take another treaty to undo the mistake even if governments recognise it as such and by then the vested interests will be stronger. They will threaten lawsuits demanding compensation for "confiscation" of the rights they should never have been given. That is why copyright term is always rounded up.

Sure, because we all know that private keys are never divulged.

No wonder I couldn't find a link to Frank Stevenson's CSS cryptoanalysis -- I spelled his name wrong. A copy of his his paper is hosted at DeCSS Central.

No wonder I couldn't find a link to Frank Stevenson's CSS cryptoanalysis -- I spelled his name wrong. A copy of his his paper is hosted at DeCSS Central.

Cool link you have here, Tom.

I know it's a stupid thing to /. yourself, but here we go:

My paper on worm propagation from last year (just updated with some more data) shows very clearly what a monoculture does.

I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.

We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.

Looks like they found the problem:

crash image

Lookie here, if you can't figure it out from the malformed URL: http://web.lemuria.org/security/WormPropagation.pd f

It is a nice attempt at active worm defense.

Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone elses - manual defense methods.

In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

Sorry.

Hm. I don't quite know what point I'm trying to make here, but here goes anyway.

I think we're only going to see more of this as games become more and more realistic and involve online communities rather than single-player games or shoot-em-ups. The latter is specifically made so that if a person loses one fight, he isn't set back much. It wouldn't be fun otherwise.

I play an online turn-based strategy/rp game called BattleMaster, where you have quite a bit of freedom to behave however you like, within the RP restrictions of your realm and class. You can be a jerk, you can be noble, you can be snooty. I'm amazed at the people who are able to pick a path for their characters, and stick with it - "this character will always be true to his country, even at the expense of other players", or "this character will do whatever it takes to get the highest fame and fortune", etc. I, on the other hand, keep coming up against the fact that there are real people on the other side of the computer screen, and they've invested months playing these characters up to this point. We're all here to have fun, and it simply isn't fun to lose all that effort.

As a ruler, I had thirty characters under my command and I controlled not only the future of both my realm as a whole, but through that, each of these characters as well. I ended up failing both miserably, thanks to bad timing and alliances that fell through, and I will probably never try being a ruler again. I have the political skills, but the stress of so much fate resting in my hands was too much of a burden.

Another character of mine once defected from one nation to another. I've seen other players do it all the time. My stomach was queasy and my hands were literally shaking, though, while I wrote my manifesto to my ex-comrades and clicked the button to become a traitor. It took me some time to realize exactly what I was scared of, sitting safely in a cozy computer chair in my living room... I was scared about what everyone else would think of me - that in their eyes, I was a rebel and traitor, not a man of honor.

I have a hard time keeping my real self out of my virtual characters. I set myself a high standard to live up to, and that rolls over into my online lives as well. Likewise, when someone thinks I've done something dishonorable online, it hits me about as hard as someone telling me to my face.

In the end, though, the advantage of the game world is the ability to turn it off, which I will be doing for this game next month. With a couple clicks, I won't ever again hear from any of the people I've endured harassment from or any of the people who I feel I've failed as their leader, yet I can still draw from the experiences as though they were my own - because they were.

-jupo

the incident had nothing to do with rot13

wrong. The vulnerability in the cert advisory had nothing to do with rot13, but Dmitry and friends pointed out several problems at their talk in las vegas. One was that the "unbreakable" digital format that Adobe was selling to book publishers was nothing more than doing a rot13 on the file and then gzipping it.

Dmitry wrote a program that decrypted the things. The DMCA declares such programs to be a "circumvention device", and make writing them, owning them, or describing them illegal. He wrote the program in Russia, but he flew to the USA and described it at his talk, thus violating the DMCA.

FWIW, that's the entire point of the DeCSS Art Contest; DeCSS has been declared a circumvention device, which makes it illegal. People are trying to skirt the law by incorporating it into artwork and claiming that forcing them to alter the art would violate their freedom of speech.

- Local and remote denial of service.
- Distributed denial of service (flooding remote computers with data packets to freeze it).
- Bounce attacks with spoofed UDP packets

This bit sounds an awful lot like the GameSpy reflection attack: you send them a forged UDP packet asking for some resource, they send out 400 times as much data to the poor bloke whose IP you put on it. Rinse, lather, repeat and you have yourself a pretty big DRDOS (not the guys MS killed, rather a Distributed Reflection Denial Of Service).

It's a web-based game, which is why it's OS-neutral.

It's called BattleMaster.

Everquest is a game centered on rewarding you for how much time you put into it.

Then play something else. I'm running a (free as in beer) online game called BattleMaster that is explicitly built to allow you the full game even if you can only log on twice a day for 5-10 min each.

Independents (no matter whether it's music, films or games) are those who aren't afraid of risk. Therefore, lots of innovation will happen there.

As I see it (disclaimer: I am the project leader of an indy game), the games industry may well be where the music industry is already: Small unknowns creating new ideas that the big publishers than dumb down for the mainstream and rehash for a couple of years until they've found the next trend.

So? You can find DeCSS over all sorts of servers in europe, even a Google Search will create some interesting results. Infact the first few links, are a collection of links to where you can download DeCSS: First Link, Second Link and Third Link. I just hate it when people make a big deal out of something so pointless.

almost everything said here about price fixing, market delays and other reasons for region coding has already been said last year. I've collected most of it on my DeCSS page.

> Of course you'd never get goodies like this from the big boys
> (aka Sony, Toshiba, Panasonic).

what a surprise, given that the big players were part of the cartel that developed the whole CSS bullshit.

As part of my DeCSS page, I once took a small sample of DVD prices. Check it out here and look for the "Price Fixing" chapter (about one page down).

Well, CSS is patented

What documentation can you find for that? When I searched for css patent, Google only gave me information on Microsoft's patent on cascading stylesheets. Searching for css scrambling patent, on the other hand, revealed mostly pages about Digimarc's patents on watermarks along with a few pages denying existence of any patent on the Content Scrambling System here. However, this page lists a couple patents; which one are you talking about?

I know about the obscurity myth, but when it comes to encryption where the end user owns the means of decryption (whether that be the software or hardware) then eventually the secret will be out. Even with decryption built into the speakers, someone will do a MoRE on it.

. .

Hey, flame / mod me away here - I deserve it because I've been looking for a thread in which to post this rejected story sub from a week ago . . But what the heck here it is anyway :

( I was originally going to say this post is well OT because of the distance limitations of the below, but what about using this transmission in a PA system at a stadium, or a train station, where volumes and hence transmission possibilities are greater / farther? And just how much is over the air networking really explored by companies? This story is already dang good and right where it hurts for community and campus networks, but if I were building this kit for business I'd be thinking that planning permission would be the area I'd be researching most. In other words, do the "amateurs" have a real chance at a lead in this technology, especially price / performance wise? After all, you and I personally *don't* have to make budgets for contingent liability just in case the town planning dept. gets difficult. I'm all for guerilla networks - take a look at the below . . )

Aerial Acoustic Communications

Network with just a pair of pc speakers and a $5 mic! This recent paper explains the theory and writes up the experiment.

This may not be the answer to all your needs - 1000bps was one of the best results - but the authors talk about short distance communications for PDAs, or a television using sound for remote control. The environmental noise against which the authors deployed Spread Spectrum techniques, and a reference to audio steganography make for interesting reading, and radio hams may appreciate the use of FSK. Is this the future, or just a hint that playing albums backwards wasn't really the way to get the message?

There's also a lecture video here which was held at PARC on 11/8/01. You can grab the stream as a file using ASF Recorder or you can read up on some applications musings here. Happy Listening . .

No.

I'm so happy about this ruling. if yahoo in the US is not bound by french law, then surely /me in Germany is not bound by silly US laws like the DMCA, right?

uh, right?

why is it that I have this feeling that this knife doesn't cut both ways? or will I be receiving a court document soon (to add to the other 1000 or so pages) that'll tell me I'm dismissed from the California DeCSS suit?

not holding my breath. the ruling is, of course, obvious. at least until the hague convention gets passed, which will invalidate it and make all those silly foreign lawsuits enforceable locally. that will be a day! finally you can sue everyone, everywhere for pretty much every imaginable reason.

To anyone who's been trying to get 'em to disk (esp. thoes of us on dial-up connections who want to watch these in a real framerate): Head over here and grab the ASFRecorder.

Now, go here. Left click the Windows Media Player link for the video you want.

As the video window loads up, center click and hold, then right click while still center clicking, and view source on the doc (you have to do this to get around the "no right click" script).

Extract the path to the ASX file from the HTML.

Drop that into ASFRecorder, and download the damn things :).

For those of ya that want to be able to watch this (or any other streaming ASF or WMV) skip-free there's a great FREE (no license, just plain old free) program called ASFRecorder that does exactly that, and can be compiled on just about any platform (but GUI is windows only) called ASFRecorder (what an original name =P). You can get it from http://www.lemuria.org/mirrors/asfrecorder/ (or just search google...original site died cuz author was hired up by some company). Just downloaded an watched the 143MB movie skip free, and damn is it cool =)

"Bunner does not dispute that the DVD CCA is mad."

and neither does this other defendant in the case. I'd even phrase it differently, maybe "insane".

also take note of the organizational structure of DVD CCA. we haven't seen the last of Mr. Hoy yet. I'm fairly certain he'll be spending more time in court as his other systems get broken.

This might make things difficult for hosts in the USA, but what can they realistically do about servers in, say, Europe? Or a "Sealand"-ish offshore host? (Although the DeCSS issue does come to mind...)

Ultimately the RIAA would seem to be aiming at an ever-moving target here anyway--have all the recent attacks on "software piracy" by MS and others been a deterrent to the warez d00dz? I still see just as much free (as in beer!) stuff available now as there has ever been...

The Napster argument gets old here on /. 'cause the rebuttal is always "yeah but you're STEALING!!! It's WRONG!" Nevertheless, people are now accustomed to getting free music and WILL NOT GO BACK. Even the clueless will get clued in quickly when Napster (1)shuts down (2)begins charging $, and millions will migrate to whatever alternative is available. Stealing or not, that's just how people ARE.