Slashdot Mirror

Evil Adrian writes "Space.com reports that the sun shot off three more solar flares on Monday. This is quite a historic period for solar activity." The article breaks down the recent flares, and what the effects have been. Update: 11/05 01:57 GMT by T : cyberMalex writes "Space.com is reporting the 10th in a string of major solar flares which have been errupting from the sun over the past two weeks. "This one saturated the X-ray detectors on the NOAA's GOES satellites that monitor the Sun. The jury is therefore out on the definitive classification of the flare." "Other scientists have indicated the flare may indeed be an X20 or stronger. Only one X20 event has been seen in recent years, and it was not Earth-directed and had little effect.""

MrNerdHair writes "The Librarian of Congress has posted a list of exemptions from the DMCA (also obtainable in PDF here.) Works falling in four 'classes' may be considered exempt from Section 1201 of the DMCA's prohibition against 'circumvention of a technological measure which effectively controls access to a work.' Among the list are blacklists of sites used in programs such as NetNanny and cracks to bypass dongles on abandonware. All in all, a very interesting read ..." Not just interesting: as Robin Gross writes, "Unfortunately, the ruling leaves the vast majority of consumers unable to access their own property, such as skipping commercials on DVDs, playing CDs in their PCs, and reading eBooks on PDA's without violating the DMCA." Update: 10/29 15:19 GMT by T : Take a look at Seth Finkelstein's site for an idea of how being pushy can sometimes be helpful; Finkelstein has loudly pushed for the importance of DMCA exemptions, including in Congressional testimony.

An anonymous reader writes "Electronic Frontiers Australia (www.efa.org.au) claims that the raids organized by the music industry on mp3s4free.net have come up with nothing. Only links to other sites and not copyrighted material have been found. The music industry is now saying that just linking is in itself illegal. This does not appear to be supported by Australian law." Update: 10/29 15:26 GMT by T : This story originally referred to "mp3s4free.com," while it should have said -- and has been corrected to read -- "mp3s4free.net."

Michael Yuan writes "Enterprise JavaBean (EJB) is one of the most widely used technologies in enterprise Java. It is designed to be a scalable and flexible distributed framework. In EJB, almost everything can be done in several different ways and it offers the developer the maximum flexibility to choose the right approach for the project in hand." Yuan provides a review, below, of Bitter EJB, to guide programmers interested in large-scale Java development. Update: 10/27 18:27 GMT by T : Peter Wayner provides a somewhat deeper look at the book as well, also below. Bitter EJB author Bruce Tate, Mike Clark, Bob Lee, Patrick Linskey pages 412 publisher Manning rating 9 reviewer Michael Yuan, Peter Wayner ISBN 1930110952 summary Anti-patterns in Enterprise JavaBean development

However, every coin has two sides: the other side of "freedom of choice" is "complexity". Although EJB is an incredibly powerful tool in the hands of experience architects, it is subject to a lot of misuse by novice developers who do not make sound choices. For example, some developers might use a BMP entity bean to map each database table in the system; or access entity beans directly from a distributed layer; or store large amount of data in session objects ... The list goes on. Although those approaches are technically possible, they are hardly the most efficient ways in most cases. Such problems have not only caused many projects to fail but also tarnished EJB's reputation. In fact, the complexity of EJB is often quoted as an argument for other enterprise platforms.

For EJB developers, it is crucial to learn from other people's experiences and follow proven best practices. That helps to reduce the complexity of the platform. Manning's "Bitter EJB" is a very timely book written by well-known experts in the EJB field: Bruce Tate, Mike Clark, Bob Lee and Patrick Linskey. Unlike other "architectural" books, Bitter EJB teaches best practices through common mistakes (anti-patterns). It focuses on "what not to do" but still encourages developers to come up with liberal (everything not forbidden is OK) and innovative solutions. After all, EJB is about flexibility and freedom of choices.

Part I of the book is an overview of anti-patterns in the EJB specification. The EJB specification itself has several major design problems when it first came out in March 1998. EJB v1.1 and v2.0 have gone great length to fix the anti-patterns in the specification. But early adopters may have already developed some anti-patterns in their applications. For new developers, the history also serves as a valuable lesson on what EJB is really for and how different components in the specification fall into their current places. In this part, the authors also provide an excellent recount on what went wrong in the high profile TSS Java PetStore benchmark.

Part II is about session and message-driven beans. Those beans are mainly used in the integration layers. Topics covered in this part include how to deal with large database results, whether to maintain session states, the limitations of XML and much more.

Part III covers EJB persistence. Entity EJBs are probably the most confusing types of components. Many experts have advocated to abolish entity EJBs altogether in favor of other simpler persistence frameworks such as the JDO or even simple JDBC facades. The authors discuss the pros and cons of entity EJBs and covers most leading alternatives. For those who must use entity EJBs, this book also offers useful advices on a range of topics including how to reduce round trips, shorten primary keys and handle expensive database joins etc.

Part IV covers broader topics including performance tuning, testing, building and packaging. One big problem that even EJB developer can recognize the complex deployment descriptors. One chapter of the book is dedicated to reduce code duplication, automate the deployment process and avoid the "integration hell". The last chapter of the book provides an overview of "what's next" in the EJB space.

Overall, it is an excellent book for all EJB developers and other enterprise developers who want to learn from the successes and failures of EJBs."

Peter Wayner's review:

Although there may be as many 36 plots in all of literature, the compartively new world of computer books has really had only one: this new technology is simple, very simple, and it will make your life better and your teeth whiter. Bruce Tate opened up a second plot in his book Bitter Java by exploring just how even the best programming ideas have dark sides. Now he's back with three other authors exploring the world of Bitter EJB.

This book is more fruit from the same tree. Or, to hack the Java MemeStream even more, more beans for the same mill. If you use Enterprise Java Beans (EJB), or think about using them, you should read this book to see what can go wrong. The title shows how naming schemes can be misleading because either the authors aren't really that bitter, or because they're focused entirely on EJBs. This book does not belong in the same camp with the Java==SUV crowd. These authors are really admirers who just want to warn people how to avoid problems with Java and EJB.

Tate and his new co-authors, Mike Clark, Bob Lee, and Patrick Linskey are all consultants who seem to use Java a lot, at least when they're not cheating death. One of the cuter grace notes in the book is a collection of war stories from extreme sports that are mixed in as an allegorical taste of what's to come. Before exploring the problems with a Java concept known as enterprise beans, they tell a kayaking story that ends with the sentence, "Then we hear a loud crunch and look up to see Eric's stern stationary at the top of the drop, revealing the sitaution that every kayaker dreads the most -- the vertical pin."

After stories like this, the book goes on to explore just how the very fancy enterprise beans toolkit can produce an application that moves slower than a stream filled with honey. Each chapter is filled with antipatterns, or lessons about the software learned the hard way. They're sort of like points on the map that say, "There be dragons here."

The book is divided into four parts. The first section, termed "The Basics," explores the simple ways that EJB technology goes bad. The toolkit was heavily hyped as the perfect solution for building business websites that interface seamlessly with large databases. As the business grew, new servers could be added without grief. Alas, as this section points out, there are many reasons why an elephant gun can be the wrong weapon for getting rid of mice in your house.

The next section on "Networks and Messages" describes how good ideas can turn into slow code when people misuse the fancy tools for scaling EJBs. In theory, the EJB toolkit will split up processes simply across multiple machines to handle more customers, but in practice all of the communication can slow things down considerably.
The section on "EJB Persistence" describes how the much-hyped system for seamlessly storing away enterprise beans in databases can weigh down a system. My only beef is that they left out much information on Prevayler, a much-maligned and misunderstood ultra-light toolkit that is like an anti-EJB persistence layer in every possible way. I'm enamored with it, if only because it's such a radical move away from the monolithic APIs like EJBs. While they liken using EJBs to snowboarding in fresh powder with a 100lb pack on your back, Prevayler is sort of like boots-only hiking.


The last section isn't about EJBs per se, but similar toolkits and projects that often get used with EJB. There are antipatterns to avoid with JUnitPref and Ant, too. Some of these suggestions, like some in the rest of the book, aren't terribly new or brillant, but it can't hurt to get another lecture on the importance of testing your code.

The book shines when it's exploring what goes on behind the slick facade of the API. Sure, the EJB toolkit will dutifully load up data from any object on any server in your farm, but you better be careful invoking some of these these methods because the network is slow. The book often points out how invoking that one simple method from the sales literature can start up dozens of sluggish threads. Peeling away the layers helps understand and explain why the system fails.

Many of these lessons aren't limited to Java or EJB. I wouldn't be surprised if the group of authors was busy rewriting the book with examples from .NET. Unfortunately, some programming problems are very hard, and building a toolkit with a simple API won't make them go away. In fact, the simple appearance can cause more trouble when the programmer can't understand what the secret mechanism inside is doing. Almost all of the problems in this book arise from programmers who believe the sales literature when it tells them not to pay attention to what that little bot behind the curtain is doing. If you're working in the world of EJB consulting on big iron, then you've got no choice but to start thinking about what's behind that curtain.

You can purchase the Bitter EJB from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. Peter Wayner is the author of 13 books including Java RAMBO Manifesto and Translucent Databases.

cpk0 writes "ABCNews is reporting on a small, New York based company that is now using and creating a technique of printing circuits directly onto paper with conductive inks. The uses up to this point are somewhat trivial, but the idea is undeniably exciting, and the article outlines some of the future ideas T-Ink Inc. has for this technology." Including electronic candy, oddly enough. Update: 10/27 17:24 GMT by T : Associated Press Technology Editor Frank Bajak points out that this story comes from The Associated Press, which deserves the credit.

TechGuy949 writes ".NET Remoting is a technology that is often overlooked due to Microsoft's intense focus on promoting XML Web Services technology. In actual fact, .NET remoting is often a more appropriate solution than Web Services, and it certainly performs better and scales better when used properly. Ingo Rammer has written a technically sound, very informative book on .NET remoting technology, which is a good thing, given that there are still far too few titles available on this important technology." Read on for the rest of TechGuy949's review of Advanced .NET Remoting. Update: 10/23 17:28 GMT by T : Please note: the reviewer writes for Apress (publisher of this book); book reviewers are encouraged to read the book review guidelines linked below, and to disclose any such relationship. I regret not knowing this before the review ran. Advanced .NET Remoting author Ingo Rammer pages 404 publisher APress rating 8 reviewer TechGuy949 ISBN 1590590252 summary A two-part overview of .NET Remoting, from intro to advanced material.

My Overview and Summary Advanced .NET Remoting breaks out into a two-part book. The first four chapters are at the introductory level, while later chapters are considerably more advanced. The book begins with an informative conceptual discussion on what .NET remoting technology is, but then quickly moves on to more specifics, entirely focused on generous code examples (which actually work, barring one or two stray lines here and there, which I found easy to correct).

I picked up this title needing to get a solid introduction to .NET remoting, and the first part of this book does not disappoint. If you stop reading after the first four chapters (after spending time working on each and every code example). you will feel like you have a solid grasp of the basics of .NET remoting. However, you need to delve into the second part of the book to realize that .NET remoting is a deep and complex topic that is going to require considerable effort on your part to understand.

The second part of the book is not for the faint-hearted. The complexity level ratchets up several notches, and holds nothing back. It delves into advanced topics such as .NET remoting internals, including message sinks, channel sinks, formatters, and transport protocols, and shows you how to customize each part. Ingo's goal is for you to really understand how the .NET Framework implements remoting. The discussion here often borders on the theoretical, but it always stays grounded in relevant code examples.

Intermediate to advanced developers will greatly appreciate this book if they are looking for an in-depth, no holds barred discussion of .NET remoting.

What's in the Book Chapters 1-4 are an introduction to .NET remoting and configuration. Ingo starts with a conceptual discussion to help you understand how .NET remoting fits into the larger picture. He then presents a remoting example that provides an excellent introduction to the core aspects of remoting, including different types of remoting objects; marshalling objects by reference; serializing objects; and using interfaces to share type information. Chapter 4, on configuration, shows you how to use configuration files to simplify your remoting code, and to make it easier to port across different deployment environments.

Chapter 5 is about securing .NET remoting. This chapter was disappointingly short and did not provide enough depth. Also, some security implementation features have changed in v1.1 of the framework, so this section is not the most relevant one in the book. To his credit, Ingo has published a 1.1 update on his website that specifically addresses relevant changes to security implementation in the .NET framework.

Chapter 6 is where things start to get advanced. This chapter discusses object lifetime issues, and shows you how to control the lifetime of remotable objects, through "leasing" and "sponsorship." It also shows you how to implement asynchronous remoting calls using delegates and events. Chapter 6 is a must-read.

Chapter 7-10 is where things get really advanced. These chapters shows you how the .NET framework implements remoting, and it studies the 5 elements of remoting in great depth (Proxies, Messages, Message Sinks, Formatters and Transport Channels). This chapter is packed, and is a must-read for understanding advanced .NET remoting issues, especially when you need to heavily customize the implementation. Intermediate developers will have a harder time with these chapters, and may not find all of the material relevant to a basic .NET remoting implementation.

Chapter 11 closes out the book with an interesting look at how to implement .NET remoting techniques in a client application in order to manage the objects more effectively. Again, intermediate developers will have difficulty with this chapter, which is the most theoretical in the book. Advanced developers will appreciate it however, especially with Ingo's lead-in warning that 100% of the material in the chapter is undocumented by Microsoft!

Table of Contents

1. Introduction to Remoting
2. .NET Remoting Basics
3. Remoting in Action
4. Configuration and Deployment
5. Securing .NET Remoting
6. In-Depth .NET Remoting
7. Inside the Framework
8. Creation of Sinks
9. Extending .NET Remoting
10. Developing a Transport Channel
11. Context Matters

You can purchase Advanced .Net Remoting from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

brentlaminack writes "Information Week and others are reporting on Transmeta's new Efficeon chip. 1.1 GHz, 7 Watts, 1MB cache, 130 nanometer technology. A marked improvement over their previous generation. Let's hope they can capitalize on this before Intel starts filling the same niche. Looks like a nice product, Linus and Co." Update: 10/15 00:22 GMT by T : woobieman29 writes "Looks like this is a good day for high-efficiency processors. Hot on the heels of Transmetas announcement of the Efficeon, VIA Technologies has announced the release of it's latest low-power processor, the NanoBGA EDEN-N. Capable of running at 533MHZ (4 watts), 800MHZ (6 watts), and 1GHZ (7 watts) this appears to be a very good fit for Thin Client and other embedded devices. One really interesting feature is the on-chip Padlock security suite incorporating AES encryption."

E1ven writes "First Microsoft detergent, now, UNIX Diapers, among other niceties. The author of this page has apparently worked to photograph and categorize the use of the term UNIX in other, non software products." (And don't forget Linux detergent.) Update: 10/12 21:23 GMT by T : Less garbled now ;)

yeremein writes "According to this vnunet.com article, SCO's code changes Update: 10/04 20:51 GMT by T : (This should read "SGI's" rather than "SCO's.") removing arguably System-V-related code from SGI's Linux submissions is 'not enough.' According to Blake Stowell of SCO, 'Making minor amendments to its XFS file system doesn't cure the breach. SGI must do more as outlined [in the August letter] to cure all of their breaches.' But later on in the article, we learn what was outlined in the August letter: 'We don't believe that SGI has taken all of the steps necessary to cure all of the breaches, and in fact in our letter to them, we state "SGI's breaches of these agreements cannot be cured."' So SCO essentially told SGI, 'You're in violation of our contract and unless you remedy the violations, we'll pull your UNIX license. Oh, BTW, you can't remedy the violations.' This looks to me like the clearest example yet of how SCO is acting in bad faith." Read on below for another snippet of SCO strangeness.

An anonymous reader writes "As many are aware, SCO has sought (and got) a 4 month extension to its IBM lawsuit. According to the Salt Lake Tribune: 'SCO spokesman Blake Stowell said Tuesday that he understood the extension is being sought "for the purpose of gaining documents from IBM related to the patents they claim. . . . Some of the patents aren't even filed with the U.S. Patent Office, as far as we can learn."' I thought this was worth looking at, and quickly found that the patents in question are 4,814,746, 4,821,211, 4,953,209, and 5,805,785 - which can be found by typing in their numbers in this USPTO form."

Tonight's Slashback brings updates and clarifications to several previous Slashdot stories, so read on below for information on the (over-stated) recall of Segway scooters, the fate of RAV AntiVirus's Linux development team, VeriSign's Site Finder, the (latest) Lindows v. Microsoft scuffle, and more.

Linux antivirus developers join Kaspersky Labs prostoalex writes "The Linux development team of Romania-based RAV AntiVirus, acquired this June by US-based Microsoft, joined Russia-based Kaspersky Labs. This transition took place after Microsoft confirmed there will be no Linux or Novell version of antivirus software. Kaspersky Labs now works on RAV Migration program for Unix/Linux users, since the company officials deem this market as one of the fastest-growing."

VeriSign must love attention. talon77 writes "Netsys is reporting that a class action lawsuit has been filed against Verisign due to their Sitefinder. It's about time."

And Anonymous Brave Guy writes "VeriSign are in legal trouble yet again, this time for handing over a domain name to a former employee of the former holder. Also some interesting tidbits in here about the impact of the sex.com case, the fact that since July domain names are regarded as property under U.S. law, and the idea that VeriSign might themselves be held accountable for punitive damages awarded against someone who takes over a domain name improperly."

Piling on, Anonymous submits: "Verisign seems to have issues with returning proper response packets for DNS queries on unused domains, so we thought we would give them a quick reminder in case they forgot what the right answer was. You can find pictures here. (This was on their building in Mountain View, and the signs said 'Verisign/Netsol, as if people didn't hate you enough already... How greedy/stupid are you? [Made with figlet/vim/a2ps/poster.c]')"

Update: 10/02 00:37 GMT by T : And (ooops!) this part got chopped off: "Note that the Verisign web search is powered by Inktomi for search and overture for ads, both of which are now owned by Yahoo. You can always vote with your dollars and your clicks."

Ohio uncappers peer at the ToS. Mike writes "Looks like Broadband Reports has posted a follow up to what happened to those Ohio Cable broadband users who had FBI agents confiscate their hardware for uncapping their modems (See original BBR story here, Slashdot story here). Looks like most of the offenders settled for fines and community service, but one took the case all the way, and eventually got it overturned because the cable company's AUP failed to clearly mention their legal stance on uncapping."

Thorn-in-side lessons, part IIXIIXV. jlechem writes "Lindows and Microsoft are at it again. Wired News is running a story about Lindows refusing to take down the settlement website reported on by Slashdot earlier. CEO Michael Robertsone stated 'Our plan is to continue to offer the MSfreePC service in spite of your threats. If required, we will be a voice in the courtroom defending a consumer's right to use technology and an online process to secure their settlement claims.'"

MPAA Scratches Oscar Screeners xstein writes "In a follow up to this story, the major studios have agreed to go along the MPAA's proposal to stop sending out screener tapes and DVDs to Academy members. The agreement would include MPAA's seven studio members, Disney, WB, Sony, Universal, 20th Century Fox, Paramount, and MGM, as well as their affiliates, which include New Line, Miramax, Focus Features and Sony Pictures Classics. Dreamworks, although not an MPAA member, also agreed to the ban. This move scratches a longstanding tradition, and is seen to hurt smaller, independent-minded movies distributed by MPAA members the most, though may allow truly independent studios such as Lions Gate to gain extra attention with their screener tapes. E! Online and Salon.com have the scoop."

Phantom Offices? Ray B writes "On September 18th, Slashdot posted about an article on the Phantom video game console. Of particular note in the primary article investigating the Phantom's founder(s), was that the company did not even have physical offices.

Just four days later, the Phantom email Newsletter #2 is issued, with the first bit of news being:

"Infinium Labs recently signed a five-year lease on 10,000 sq. ft. of prime office space to locate its corporate offices in the Centre Pointe Building in downtown Sarasota, Florida. The Centre Pointe offices are in close proximity to many of the company's early investors, its corporate legal counsel and the industrial design firm that is developing the Phantom Game System(TM) prototypes"

Coincidence or damage control?"

Well, start with the Python then and work your way up. Wolfbone writes "A recent edition of 'Global Business,' a BBC World Service programme available here in RealAudio form, contains an admission that the BBC cannot afford to put it's entire archive online, contradicting an earlier Slashdot story and the BBC's own report. Even though it only has 11.56 Petabytes of the stuff, some of it recorded on wax cylinders, it would be too expensive, apparently, to keep their earlier promise. The rest of the programme is about the more general problems of long term archiving of data and how some organizations still don't trust digital electronic formats and prefer to stick with paper and microfiche."

Segway recall: in and out in 10 minutes! ptorrone writes "I got my Segway HT updated today, the 'recall' is a simple software update, it took 10 minutes and that was about it. To clarify what the recall is ...the HTs are not being sent back, Segway has people in each state of the USA and they update them. So far all owners have been notified and thousands have updated. The update makes it harder for people to ride after numerous low battery alerts (3 people out of 6,000 thought something else). Here are my pictures from the update procedure."

An anonymous reader writes "A version of Linux has been created that radically speeds up system boot time -- to less than 200 milliseconds (ms) from power-up to application code startup. The techniques, created by Real-time Linux vendor FSMLabs, are processor independent, and boot times of under 100 mS are expected in the future." Update: 09/30 01:04 GMT by T : Yep -- both headline and post should have read "ms" (milliseconds) rather than "mS" (milli Siemens); thanks to all the alert readers.

Cildar writes "In the 'oops' category, the RIAA was forced to withdraw its suit against a 66 year old computer neophyte (read Apple User for god's sake) when they discovered she thought 'Kazaa' was a magician playing at local kids' birthday parties. The story is as reported in the Boston Globe." Update: 09/24 15:19 GMT by T : Note, the magician crack is a joke ;)

AnteTempore writes "The voting has just ended. Few good and several bad amendments were accepted. The directive proposal was accepted: 361 for, 135 against, 28 abstentions. The precise numbers and results for each amendment will be available on europarl.eu.int tomorrow." Reader swentel submits this report on the vote (French) with slightly different numbers (364 voting yes, 153 No, 33 abstaining) but just as bad. Watch this story for updates. Update: 09/24 15:44 GMT by T : Dr.Seltsam writes to say that the early reports are "not quite correct. The German publisher Heise states in this article, that the vote concerned strong changes on the directive." In particular, "pure software patents will not be allowed." Google's translation engine does a decent job with the German.

Mr. Slurpee writes "Virginia Tech's 1100-node dual 2 GHz Apple G5 Terascale Cluster is getting racked up and ready to roar. If you're a penniless geek like me, at least there's some tech pr0n for us to drool over. There's 1100 of them ... think they could part with one?" Update: 09/22 02:55 GMT by T : Matt submits a link to this full mirror of the photos, writing "The page owner's comment on the original mirror being taken down due to bandwidth? 'Bring it on!'"

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

KingDaveRa writes "The Register is reporting that motor giant Ford is switching to Linux for its sales systems, human resources, customer relations and infrastructure, referencing a report in yesterday's Scotland on Sunday. According to The Register, the biggest battle was over which Linux vendor to use - RedHat or SuSE." Update: 09/16 01:51 GMT by T : An anonymous reader points to this NewsForge report, according to which Ford is not moving to Linux.

Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available. Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S. Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."

daanger0us writes "RAM based MP3 players are still pretty popular. As hard drive based MP3 players get larger storage capacity, the RAM based MP3 players have to add new features to keep themselves compelling to customers. The Samsung Yepp YP-55V is one of the RAM based MP3 players that's added some pretty cool features at a reasonable price. 256MB of RAM, FM Tuner, ability to record from a line-in, from the FM Tuner and voice recording, USB Drive capabilities, upgradeable firmware, weighing in at 2.2 ounces all for around $160. Designtechnica has a full review. How many people still consider a RAM based audio player when shopping?" Update: 09/03 22:11 GMT by T : That should be "MB," not "MG" as it originally read.

bogomip_bandit writes "The divx codec is no longer free, no strings attached. Until recently, when downloading the codec from divx.com, one could select Dr Divx for a price, Divx Pro for a price, the divx codec for free, or the divx codec with bundled adware to help support divx development etc. Recently the site has changed. Now when one visits the download page, the only free codec you can download is adware supported. This means even to just watch divx movies and not do any actual enncoding, one has to install adware on their machine. I for one will be finding a different video codec." Sounds like a good reason (if you needed one) to look curiously at Ogg Theora. Update: 08/20 20:04 GMT by T : Correction: As several readers have pointed out, the bare codec is still available, it's just listed below the payware / adware versions.

Bootsy Collins writes "In a brief article, Computer Business Review Online quotes Darl McBride as saying that SCO has been busily identifying Linux end users and is preparing to launch lawsuits against them in order to encourage more such end users to buy licenses from SCO. SCO indicates that they'll start with a company that uses AIX, Dynix and Linux, so as to 'settle several legal arguments in one go.'" Not everyone is going to take the SCO approach sitting down; read on for a story on how (among others) Weta Digital and Australia's Massey University aren't jumping to say Uncle to SCO. Update: 08/20 13:11 GMT by T : Oops! Massey University is in New Zealand, not Australia.

Chris Brewer writes "Massey University's Helix supercomputer would incur a licensing charge of nearly US$100,000 for it's 132 CPU Beowulf cluster, and Weta Digital's render farm could cost somewhere between US$1.15 and US$1.5 million dollars at SCO's 'introductory' pricing, according to this Computerworld article. Massey's parallel computing director says it's unlikely that they'll buy a licence, instead, waiting for what the U.S. Courts decide. Weta's CTO Scott Houston says that they're also not going to buy a licence, but are focusing on making movies in the meantime."

mr.crutch writes "Few details are available, but CNet is reporting that IBM has filed counterclaims against SCO. CNet also has an interview with Red Hat CEO Matthew Szulik..." Jizzbug writes "Thanks to the folks of K5, we can all obtain our rights to use the Linux kernel from SCO, and without paying up to SCO's extortion. If kernel.org kernels aren't safe, sco.com kernels certainly ought to be." LWN has a copy of SCO's Linux License for your perusal. Bruce Perens is speaking of the dangers of patent portfolios to open source software, notable because IBM's counterclaims include patent infringement. And finally, a company is selling SCO Check, a tool to de-SCOify your Linux system, if SCO ever presents any evidence whatsoever of infringing code in Linux. Update: 08/08 00:16 GMT by T : SCO's public response to IBM's counterclaim is short and to the point. Among other things, it says "If IBM were serious about addressing the real problems with Linux, it would offer full customer indemnification and move away from the GPL license." Given the other links in this story, perhaps SCO should go first on that count.

PoisonousPhat writes "STMicroelectronics, Texas Instruments, Nokia and ARM have formed the Mobile Industry Processor Interface Alliance (MIPI), who seek to define open standards for cell phone components. Forget that expensive camera phone, just plug in a third-party device." Update: 07/30 18:13 GMT by T : Thanks to Alain Mellan for the link to STMicroelectronics.

Jeff Carroll writes "Developers building Java applications for wireless handheld devices have been looking forward for some time now to the release of devices supporting version 2.0 of the Connected Limited Device Configuration (CLDC), and version 1.1 of the Mobile Information Device Profile (MIDP). These new releases contain support for features demanded by developers that didn't make the original releases. In support of CLDC 2.0 and MIDP 1.1, Roger Riggs and his team of authors from Sun, Nokia, and Motorola have released Programming Wireless Devices with the Java 2 Platform, Micro Edition, Second Edition (since I don't have a copy of the first edition, I can only evaluate the new edition on its own merits)." (Read on for his review.) Update: 07/23 16:31 GMT by T : Whoops -- that's CLDC 1.1 and MIDP 2.0, not the other way around. Programming Wireless Devices with the Java 2 Platform, Micro Edition, 2ed. author Roger Riggs, Antero Taivalsaari, Jim Van Peursem, Jyri Huopaniemi, Mark Patel, Aleksi Uotila pages 464 publisher Addison-Wesley Professional rating 7 reviewer Jeff Carroll ISBN 0321197984 summary In-depth introduction to and reference on CLDC 2.0 and MIDP 1.1.

As is characteristic of the titles I've seen from Sun's Java series, this book goes into great detail about architectural decisions, standards process, and philosophy underlying the new release. The first six chapters are given over to this discussion. This material is mostly great for experienced developers seeking a deeper understanding, occasionally so abstract as to be silly (as in the case of the Java washing machine and its downloadable stain-removing code), but likely to be of only secondary interest to new J2ME developers focused on coming up to speed.

What this book does best is comprehensive exposition of the J2ME APIs. There are chapters dedicated to the APIs for forms, graphics, games, sound, persistence, and networking, with code samples offered in most cases, and a Java Almanac-style reference to all J2ME-specific classes and interfaces is provided as an appendix. Features that are new to the J2ME second edition are clearly identified.

The remainder of the book constitutes a detailed discussion of the new technologies for event-driven launch, application security, and over-the-air deployment, perhaps the most potentially confusing of which is event-driven application launch. While the book explains the new technology well, it doesn't address how it will be introduced by network operators, or how it might interact with or replace similar existing proprietary technologies such as Sprint's MUGlets.

Another subject that is not dealt with here that will soon be relevant to developers for any particular J2ME-supporting network is that of optional packages (OPs) - features to be supported at the option of particular device vendors and/or network service providers. It is fairly clear that, going forward, the wireless network infrastructure and its supported features will be an integral part of the J2ME platform that will have to be taken into account by developers, and books which fail to discuss popular and commonly adopted OPs will be of limited usefulness (you'd think that Sun would know that after all that rhetoric about the network being the computer). In general, a book of this sort would benefit from the participation of network operators, as it does from that of device manufacturers Nokia and Motorola.

All the code samples and background on architecture notwithstanding, this book is clearly targeted at experienced Java programmers, not handheld device programmers working in other technologies. If you don't already know Java, this book will not teach you. There is also nothing said here about selection, configuration, or use of development tools; readers who are not already adept at the use of J2ME development tools, including the Wireless Tool Kit (WTK), should not expect to acquire that knowledge from this book. (People who need help in this area may want to consider Jonathan Knudsen's Wireless Java or Kim Topley's J2ME in a Nutshell.)

Keeping the aforementioned caveats in mind, this is an excellent introduction to and reference on the new release of J2ME.

You can purchase Programming Wireless Devices with the Java 2 Platform, Micro Edition, 2ed. from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

gemal writes "We're very pleased to announce the creation of the Mozilla Foundation, a non-profit organization that will serve as the new home for mozilla.org. The Mozilla Foundation will continue mozilla.org's work of coordinating the development of the Mozilla codebase. With an independent non-profit as the legal home for Mozilla, we will also promote the distribution and adoption of Mozilla applications and technologies. In addition, we will raise funds to ensure Mozilla's long-term survival." Update: 07/15 21:47 GMT by T : Yablo writes "MozillaZine is running a blurb about how since earlier today, when the Mozilla Foundation was created, AOL has laid off all the Gecko developers. Ex-mozilla.org has a list of the casualties."

ptorrone writes "It was just a matter of time until the Segway technology would be used as a robotics platform. University of Southern California Robotics Lab's Segway RMP (Robotic Mobility Platform) has a lot of great information if you're looking to convert a Segway to a robot. On the site there are videos as well as instruction on how to build your own." Update: 07/13 21:30 GMT by T : Dr. Andrew Howard writes with an important clarification about the project: "This is *not* a standard Segway HT that we have converted to robotics applications. Rather, this is a customized, limited production unit that has been specially modified by the manufacturer. The web-site does *not* show how to convert an existing Segway HT into a robotic platform."

An anonymous reader writes "So you spent all that time researching, compiling and formatting your dissertation ... now what if it became classified information? That's exactly what may end up happening to Sean Gorman's dissertation. He's compiled a detailed map of American companies and the networks that bind it all together, right down to the very last fibre connection. The government wants it classified in the interest of national security. Large financial institutions want it classified/destroyed in the interest of economic security. But terrorists would love for this to be published ... it would make their job so much easier." If Gorman can map the fiber network though, doesn't that mean someone else could do the same? Update: 07/09 13:06 GMT by T : Sorry, I blinked past the story as posted yesterday.

Michael McCracken writes "Finally, a new OS X programming book that isn't just another introduction to Cocoa. This book adds a lot to the available references by covering the system as a flavor of Unix, presenting information on important topics like sockets, multithreading and pipes, which other OS X books leave out. It also includes coverage and sample code for some of the unfamiliar new technologies that have been introduced recently, such as the Keychain, Rendezvous (aka Zeroconf), and using the Security framework to authorize users." Read on for the rest of his review. Core Mac OS X and Unix Programming author Mark Dalrymple and Aaron Hillegass pages 541 publisher Big Nerd Ranch rating 9 reviewer Michael McCracken ISBN 0974078506 summary A developer's guide to the Unix foundations of Mac OS X, including coverage of recently added technologies. Includes complete source code and online companion material.

If you've been learning Mac OS X Cocoa programming, you might already know Aaron Hillegass through his excellent book Cocoa Programming for Mac OS X, which was one of the first good introductory books on the topic, and is still one of the best available. Information about this earlier book can be found at bignerdranch.com/Book/. Both Aaron and Mark are instructors at the Big Nerd Ranch, which offers courses in Mac OS X programming. More information about them and the courses can be found at http://www.bignerdranch.com/Company/Who.html. This book is based on the course with the same name at the Big Nerd Ranch. The book's website and a link to order it online can be found at borkware.com/corebook/ . Discussion and further information for both books can be found at cocoadev.com/index.pl?CocoaBooks.

Audience and Writing Style This book is not an introduction to programming on OS X. It doesn't explicitly cover how to use Apple's Project Builder or Interface Builder, or much of the Cocoa or Carbon APIs, except during discussion of code examples. So if you're entirely new to programming or to using Mac OS X, start with a different book such as Hillegass' earlier Cocoa Programming for Mac OS X to get up to speed with using the development environment. This book will leave you behind at times if you are unfamiliar with using the command line, however, the examples are complete enough to follow along by just typing in what's in the book.

Core Mac OS X and Unix Programming does have some very basic material in its first few chapters. They focus on the details of C programming, using the compiler, memory management, and debugging. These chapters will be mostly review for anyone who's developed in C on Unix before, but will be invaluable for programmers who learned to program using Java, for instance. They should also be required reading for programmers who started programming with Objective-C and Cocoa and are still unsure about using "plain" C. If you've ever complained about having to use a C API from CoreFoundation in your nice pure Cocoa application, don't avoid this book -- you need to read it even more.

The book is clearly written and easily understood. The writing is occasionally conversational, in keeping with its history as a course textbook. In the grand history of well-written technical books, it is also occasionally funny. The authors don't try to sell the technologies they discuss, instead giving practical advice that's useful to a programmer who is trying to actually build something. For example, the authors discuss bugs and inconsistencies in the system, clumsy API design and other problems that aren't great ad copy but you will need to know to develop robust applications.

I found this aspect of the book one of the most appealing, that it felt as though I was actually getting down to business. Gems of practical advice that can cut short frustrating problems appear throughout the book, so be sure to read carefully, don't just skim.

Hits Here I'll discuss a few examples of where I think this book really shines. First, the level of detail of the standard Unix APIs and the development tools is excellent -- I learned many immediately useful things in the first 13 chapters. For example, chapter 8, "Debugging With GDB," was not simply a repeat of the online help, but also contained useful tips about how to use GDB more effectively, from using Objective-C specific features to tracking subtle memory errors. Programmers who had only used Project Builder's interface to GDB will benefit greatly from this chapter.

Next, there is pervasive sample code. Each chapter had a complete sample program demonstrating the topic at hand. Much of this code is also available online: see "Online Supplements" below.

Finally, as I mentioned before, the text contains tips and reminders throughout about potential mistakes, tricky problems, and differences between Mac OS X, OS 9, and other Unix flavors. A particularly useful example of this is in chapter 24, "CVS." There is a small but important paragraph that discusses using CVS 1.11 (as used in Sourceforge) with Interface Builder .nib files that can really save some grief. In other chapters, they even include workarounds for system bugs in some of the sample code. This pragmatic approach is really appealing.

Misses In this section I'll mention a couple potential disappointments. You will have to be willing to learn by just reading code at times. Most of the code examples are not explained line-by-line as is the custom in tutorial books. Comments explain tricky code, and the text covers the areas most relevant to the chapter topic, but for other sections, understanding is up to you. I mentioned this because although I feel the code is clear and a fair trade-off was made to fit in a lot of information, the amount of explanation you like is a matter of personal preference, and so you should know what to expect.

Pointers to further reading is another problem. Aside from referring to man pages, there is little attempt to point to good external documentation on any of the more complicated topics. One chapter is not enough to completely cover BSD Sockets, for example, and so a reference to a Unix network programming book would be useful. In fact, every chapter could be improved by a references section, even if it only collected links to Apple online documentation or Unix community websites. With all the practical knowledge in this book, the lack of clues on where to look to answer your own questions was disappointing.

Finally, the cost of the book, at $97.95, is higher than you might expect. I admit that as a student, I would have to think twice about paying this price, although I am sure it would be easily justifiable for professional programmers. I believe that it is worth the price, however, because you would have to buy several other books to cover the same range of topics, and you still wouldn't get the Mac OS X specific information.

Online Supplements

The authors have set up a promising resource for the book at http://borkware.com/corebook/ . The site includes the sample code, errata, reader comments indexed by the chapter and topic they refer to, and a general discussion board. There are already some errors listed, and a few pointers to useful documentation and interesting external discussions on mailing lists. The sample code is not complete at the time of this review, but more is being added. This site looks like it will be a useful addition to the book, especially if many good chapter-indexed comments are added. The site could be kept open as a reading companion while going over a chapter in the book. This site's organization is, in my opinion, much more useful and usable than other books' companion websites, including the site for "Cocoa Progamming," which hid its information from you unless you knew which page number was relevant to your topic.

Conclusion Core Mac OS X and Unix Programming is a very useful book, and even if you've been developing on Unix systems for years, you can probably learn a few immediately useful things by reading it. I recommend it for any serious Mac OS X programmer who wants to know what to read next after all the tutorials that have come out in the last year or so. I suspect it'll become a canonical reference, and may even be in need of a clever nickname. Congratulations to Mark and Aaron on a job well done.

Michael McCracken is a grad student and Mac OS X developer; he says "I have not attended any Big Nerd Ranch courses, nor have I met either author, although I did see Aaron Hillegass in a crowd once." Update: 07/02 17:36 GMT by T : According to publisher AtlasBooks, bn.com won't actually be carrying this book, but you can get it right now from Atlas. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

volsung writes "It's finally here! Xiph.org has made a beta release of firmware with Ogg Vorbis support for the Neuros portable music player. You can grab the firmware from the Neurosetta site. Note that this beta release only plays Vorbis files, and may skip on very high quality files, like average bitrates above 200 kbps. Also, you'll need to head over to the positron website for instructions on how to upload Vorbis files. Big thanks go out to Monty all of his hard work, and Digital Innovations for supporting the project. (See the DI press release here.)" Update: 07/01 15:26 GMT by T : Stan Seibert writes with an update: if you'd like to get one of these players, visit open.neurosaudio.com to find them on sale.

Thanks to Frictionless Insight for putting up a review of Jessica Mulligan and Bridgette Patrovsky's new book, Developing Online Games, a New Riders-published title written by two veteran MMO creators. The review mentions, in particular, that "..the central theme, the nail-it-to-your-face, tattoo-it-on-your-forearm message of Developing Online Games is that persistent world (PW) games, like EverQuest, aren't a product, they're a service. It is a failure to understand this unassuming statement that has caused such trouble for the PW genre." There's also an excerpt from the book available on the FI site. Update: 06/26 15:29 GMT by T : Here's Peter Wayner's review of this book from April.

dmurawsky writes "According to an article at Forbes, Nextel announced that it had been awarded a primary trademark for the term 'PTT' and a Secondary trademark for 'Push To Talk.' Now maybe it's just me, but this term has been used in the radio world for around 60 years. I would have thought it was in the public domain by now. I wonder how Motorola or other radio manufacturers are going to take this. Here's a discussion of the topic at QRZ, an amateur radio forum." Update: 06/24 01:03 GMT by T : Thanks to reader Dan Horn for pointing out the flubbed original headline: Yes, this is about trademarks, rather than patents.

worldwideweber writes "With the announcement of the release of the 2.5.72 version of the Linux kernel came the news that Linus Torvalds will be leaving Transmeta for OSDL to work on the linux kernel full-time. The email calls this a leave of absence for about one year." Update: 06/17 17:19 GMT by T : As many readers have pointed out, the length of Linus' leave is not actually specified in this email.

Dan writes "Niels Provos says this is a heads up for the upcoming integration of libevent into the NetBSD source tree. Libevent provides a simple API to abstract event notification and handling. Applications are notified via callbacks on IO events, timers and signals. Libevent is meant to replace the event loop found in event driven software."

Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.)

rkohutek writes "This whitepaper came out of my employer's desire to deploy high speed wireless internet to an underserved, mostly rural area. Although very easy to do on the ground level, I found it to not be a cake walk when it came to actually making it a viable network case -- in a "normally" deployed wireless network it is very easy to spoof an IP or MAC address and hop on the network and get free bandwidth. This is not acceptable and the acronym WARTA, Wireless Authentication, Routing, Traffic control, Accounting was thought up to cover the things that we needed to do. Read on for how we managed to make it work using Free Software: HTML or PDF." Update: 06/07 20:42 GMT by T : He sends along word of this mirror as well.

real gumby writes "Shades of E.E. "Doc" Smith! Thomas Gee has made an 802.11 antenna from an old floppy disk and a paper clip. He credits this site for the inspiration (featuring an antenna from an old ice cream spoon). As MacPlus comments: "It's stylish, effective, and doesn't detract from that `everything computing' ambience in your home."" Warning: French. Update: 06/07 18:27 GMT by T : (Not Fremch ;))

You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.

1) Interesting stories involving nmap?
by Neologic

Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?

Fyodor

The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.

Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.

Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

2) Recent increases in anal-retentiveness...?
by Zeriel

There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?

Fyodor

That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps your just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?

The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.

You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

1. Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
2. Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
3. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.

I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like: nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16 nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24 Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.

3) OS fingerprinting
by neoThoth

What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?

Fyodor

There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].

While adding new fingerprinting techniques is fun and exciting, improving the signature database often ads more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.

Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.

4) Stepping into a network security career
by Anonymous Coward

I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?

Fyodor

Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.

Here are my suggestions for anyone starting out in network security, whether for fun or profit:

Step 1: Learn everything you can

1. You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
2. Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
3. Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
4. Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.

   There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.

   Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.

   I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.

5. Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.

Step 2: Now apply your newfound knowledge

Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:

Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!

When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.

Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.

Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.

Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.

I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).

5) Have you ever been tempted to use your gifts...
by Tim_F

...in a negative manner?

Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

And if you haven't, why is that the case?

Fyodor

I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.

Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.

Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:

1. You don't go to jail (If you've worded your contract carefully.)
2. Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
3. They actually pay you for this! And you are helping to protect them and the privacy of their customers.

Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.

6) You'll have seen a lot of breakins.
by Hulver

During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.

Fyodor

On the humorous front, one attacker was was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.

In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-sytem-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.

7) What makes a honey net enticing?
by cornice

It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?

Fyodor

Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.

I do believe baiting the "smart fish" might be possible, but I have never done this. Is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.

8) IPv6
by caluml

Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?

Fyodor

Finding a machine by by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.

9) standalones and small home nets
by zogger

it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.

Fyodor

I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:

Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:

nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]

The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.

Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.

Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.

Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.

Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If your are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.

Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.

Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.

What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.

What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version.

10) What is your favourite tool?
by Noryungi

I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.

One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

Fyodor

I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:

One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.

Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.

While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!

I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).

Cheers,
Fyodor

You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.

1) Interesting stories involving nmap?
by Neologic

Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?

Fyodor

The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.

Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.

Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

2) Recent increases in anal-retentiveness...?
by Zeriel

There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?

Fyodor

That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps your just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?

The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.

You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

1. Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
2. Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
3. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.

I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like: nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16 nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24 Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.

3) OS fingerprinting
by neoThoth

What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?

Fyodor

There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].

While adding new fingerprinting techniques is fun and exciting, improving the signature database often ads more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.

Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.

4) Stepping into a network security career
by Anonymous Coward

I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?

Fyodor

Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.

Here are my suggestions for anyone starting out in network security, whether for fun or profit:

Step 1: Learn everything you can

1. You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
2. Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
3. Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
4. Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.

   There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.

   Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.

   I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.

5. Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.

Step 2: Now apply your newfound knowledge

Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:

Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!

When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.

Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.

Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.

Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.

I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).

5) Have you ever been tempted to use your gifts...
by Tim_F

...in a negative manner?

Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

And if you haven't, why is that the case?

Fyodor

I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.

Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.

Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:

1. You don't go to jail (If you've worded your contract carefully.)
2. Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
3. They actually pay you for this! And you are helping to protect them and the privacy of their customers.

Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.

6) You'll have seen a lot of breakins.
by Hulver

During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.

Fyodor

On the humorous front, one attacker was was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.

In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-sytem-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.

7) What makes a honey net enticing?
by cornice

It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?

Fyodor

Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.

I do believe baiting the "smart fish" might be possible, but I have never done this. Is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.

8) IPv6
by caluml

Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?

Fyodor

Finding a machine by by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.

9) standalones and small home nets
by zogger

it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.

Fyodor

I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:

Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:

nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]

The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.

Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.

Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.

Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.

Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If your are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.

Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.

Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.

What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.

What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version.

10) What is your favourite tool?
by Noryungi

I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.

One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

Fyodor

I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:

One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.

Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.

While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!

I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).

Cheers,
Fyodor

You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.

1) Interesting stories involving nmap?
by Neologic

Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?

Fyodor

The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.

Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.

Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

2) Recent increases in anal-retentiveness...?
by Zeriel

There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?

Fyodor

That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps your just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?

The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.

You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

1. Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
2. Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
3. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.

I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like: nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16 nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24 Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.

3) OS fingerprinting
by neoThoth

What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?

Fyodor

There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].

While adding new fingerprinting techniques is fun and exciting, improving the signature database often ads more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.

Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.

4) Stepping into a network security career
by Anonymous Coward

I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?

Fyodor

Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.

Here are my suggestions for anyone starting out in network security, whether for fun or profit:

Step 1: Learn everything you can

1. You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
2. Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
3. Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
4. Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.

   There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.

   Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.

   I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.

5. Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.

Step 2: Now apply your newfound knowledge

Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:

Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!

When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.

Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.

Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.

Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.

I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).

5) Have you ever been tempted to use your gifts...
by Tim_F

...in a negative manner?

Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

And if you haven't, why is that the case?

Fyodor

I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.

Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.

Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:

1. You don't go to jail (If you've worded your contract carefully.)
2. Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
3. They actually pay you for this! And you are helping to protect them and the privacy of their customers.

Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.

6) You'll have seen a lot of breakins.
by Hulver

During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.

Fyodor

On the humorous front, one attacker was was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.

In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-sytem-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.

7) What makes a honey net enticing?
by cornice

It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?

Fyodor

Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.

I do believe baiting the "smart fish" might be possible, but I have never done this. Is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.

8) IPv6
by caluml

Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?

Fyodor

Finding a machine by by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.

9) standalones and small home nets
by zogger

it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.

Fyodor

I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:

Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:

nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]

The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.

Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.

Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.

Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.

Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If your are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.

Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.

Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.

What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.

What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version.

10) What is your favourite tool?
by Noryungi

I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.

One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

Fyodor

I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:

One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.

Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.

While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!

I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).

Cheers,
Fyodor

RoLi writes "Heise has a story (The babelfish translation sounds like a speech from Yoda, but the important facts are translated correctly.) about LinuxTag taking legal action against SCO. SCO will either have to retract their claims, disclose their "proof" (if it exists) or be fined. That's certainly good news." Update: 05/26 17:25 GMT by T : Reader Fizz points to the more understandable LinuxTag press release (in English and German), and adds: "The notice, dated Friday, May 23, maintains that SCO Group is sowing uncertainty among the community of GNU/Linux users, developers and suppliers."

Arathorn writes "TheOneRing.net has a Quicktime movie up of just over a minute's worth of live footage from Return of The King , as shown at E3. The quality's pretty abysmal, but it gives a much-needed taster of what RoTK's going to look like. The soundtrack (such as it is) is from the final act of The Two Towers." Update: 05/21 18:47 GMT by T : Reader Adam Roben has set up a BitTorrent session as well.

Dixie_Flatline writes "Macbidouille.com is reporting that they have preliminary benchmarks involving PPC970 hardware. The results are seriously impressive. We're looking at a single processor PPC 970 1.4GHz machine quite strikingly outperforming a dual G4 1.42GHz machine. Don't worry, there's an English translation embedded in the page so you don't have to try to muddle through the French." Update: 05/05 19:58 GMT by T : Thanks to Eric from macbidouille.com, above link updated to a static page; hopefully you'll get better response this way.

Duke submits a link to this New York Times story, according to which "it seems that Monster.com has taken the U.S. government's policy of sanctions against certain countries and run with it where no man has gone before. Monster 'has deleted resumes that list current addresses in those countries.' and more fun stuff. If you haven't had the opportunity for a really self-rightous post in a while, Monster.com has made it simple for you." Update: 04/28 01:34 GMT by T : Note that the New York Times ran the story, but like many other newspaper stories, the real credit goes to the Associated Press.

theodp writes "Eleven groups, including the Electronic Privacy Information Center and Junkbusters, filed a complaint with the FTC, asking that it investigate Amazon for violations of the Children's Online Privacy Protection Act. An Amazon spokesman called the complaint groundless because "Amazon.com is not a site directed at children." So what was the deal with those Amazon Press Releases for the Harry Potter Magical Candy Contest For Children Ages 6 to 13, Toy Quest Toy Design Contest For Kids 12 And Under, and the Be a Poet Contest For All Kids 12 and Under?" Update: 04/23 23:54 GMT by T :theodp writes with an update from Ad Age which says that Amazon has "announced it has removed children's identifying information from its Web sites."

jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (ie HTML encoding vs plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read."

cyb97 writes "As I write this the worlds largest computerparty is going on in Hamar, Norway. The Gathering 2003 is in action with over 5.000 participants! Webcams and participants are live on the internet through a 1 gigabit line, so you better lock down your servers tonight!" Some of the webcam images are just surreal. Update: 04/17 01:00 GMT by T : Speaking of images, reader vvizard (currently Gathered) directs you to this directory of high-resolution images.

Slashback tonight brings updates and clarifications on the odds of Apple Computer buying Universal Music, the Evil Bit RFC, and more, including Niels Provos' reasons for moving his cryptographic research tools off-shore.

The more numerous the laws ... friscolr writes "The Register has an article about security researcher Niels Provos's (creator/collaborator for systrace, honeyd, openssh, various steg tools, and more) struggle to continue his Ph.D. studies amidst an increasingly restrictive set of U.S. and Michigan laws. This isn't the first time a prominent security researcher in Michigan has voiced serious concerns over new laws."

You may remember several earlier stories mentioning Provos' research, such as this article on his honeynet creation tool honeyd.

Apple Records has a certain ring, though, doesn't it? egoff writes "The Apple/Universal Music deal is unlikely, according to the New York Times (reg req), nor would it be a sure hit with investors. However, if the deal did go through, it would be because of Steve Job's vision for the future of digital music. Said one former Apple exec: 'Apple always needs to pull a rabbit out of its hat. Universal is a pretty big rabbit.'"

Swearing in another language doesn't count. Chilliwilli writes with an update to the recent Anger As a Software Design Philosophy: "Anyone that took a look at the foul language feckfeck might be amazed to see that somebody has actually risen to one of the three challenges and written a quine in this more irritating of languages. Congratulations go to 'hoser'."

Upping their meds. Elyjah writes "Steve Bellovin has compiled a short list of emails he got regarding his most recent RFC (3514) which appeared this last April 1st. (I believe you may have seen something on Slashdot about it.) Some people just...don't...get it."

If you go beyond the Enterprise, doesn't that invalidate their theme song? Built enough floppy-disk Enterprises? GaryK writes "With Dell getting rid of 3.5" disk drives, I'm quite sure we'll have to come up with creative uses for the hundreds and hundreds of floppies we have around our offices. This guy should serve as an inspiration to us all.

An anonymous reader writes "It looks like pSyCo from XEmulation.com Has found a way to boot Xbox Linux Live on an unmodified Xbox with nothing but an Xbox and Linux PC (no memory card of any kind, etc). Also a guide to using this method to flash your Xbox's onboard TSOP with the bios of choice, making the Xbox modded without an actual mod-chip. $5 to rent 007 to mod my xbox sounds nice =) Check it out at: XEmulation.net Forum or XboxHacker.net BBS. *Wonder what the DMCA would think about this...*" This builds on the "007"-based method discussed earlier. Update: 04/15 01:11 GMT by T : XEmulation.com, not .net. Sorry.

Catskul writes "Along with the news that the polished and (more nearly) complete human genome being published Monday, comes a surprising observation about the genome: We have substantially fewer genes than expected; between 27,000 and 40,000 as compared to an original estimate of 140,000." Update: 04/14 01:22 GMT by T : For everyone who can't look at a Z, headline updated with an S in "surprise."

Kavau writes "The lower house of the German parliament just passed an amendment to the copyright law (sorry, article in German only). The highly controversial law will severely limit consumers' rights to make private copies of copyrighted media, and imposes special taxes on virtually any device that can potentially be used for copyright circumvention (among these devices are printers, CD burners, scanners and cell phones). Also, circumvention of copyright protection mechanisms will become illegal, as it already is in the United States." There's a short blurb (in English) at the Register Update: 04/13 19:20 GMT by T : [Sorry, actually it's The Inquirer]; note that this has passed the lower house of the German parliament, but has not yet been voted on by the upper.

Kavau continues: "The law does not directly prohibit the fabrication of private copies, but it offers the copyright holder the right to do just that. And we probably can expect the majority of copyright holders to make use of this right. The law simply takes away what US citizens would call the consumer's right to fair use. An exception is made for schools and research institutes, which may provide excerpts of copyrighted media to a group students or researchers.

One of the most important maxims of European law is "in dubio pro reo" (if in doubt, rule in favor of the defendant). While this principle applies to the judicature, and we are talking about the legislature here, the new law nevertheless seems to have perverted this principle: it treats every computer owner as a potential copyright pirate. Thank you, government, for the trust you are showing in your citizens! What's next? Special taxes on pen and paper? Note also that we are likely going to see similar laws in other European countries soon. The law follows guidelines imposed by the European Union in 2001."

Reivec writes "I was having a discussion with Keith Packard on IRC about the current developments in the XFree86 Saga and politics already discussed here earlier, and I learned many interesting things. The project has a new website, xwin, and things are getting underway. 'We're in the process of building community, from that we can construct a government. It's a hard process to construct a representative system from what we have now, so it will take a bit of time. Weeks, not months. --Keith'" Read on for some more details. Update: 04/13 03:30 GMT by T : Reader Khalid points to this informative interview with Packard at Linux Weekly News, too. " The site is has only been up a day or so and there isn't a lot on it right now, but he would like to see a lot of community involvement on the site and many user submitted stories to get conversation rolling. A french site has already taken notice and posted some information on xwin as well. Since such a fork could make a large impact on many *NIX users, I felt the need to ask, 'assuming you had an active fork under development, how interchangable would you expect it to be with Xfree (assuming release builds). Do you think distros would be quick to change if it offered improvements? Or could they provide both and have the user choose upon installation?' Keith replied, 'Given that distros will have input into how it gets built, I expect they'd be interested in a version closer to what they need. And, given that RH and Debian maintainers are both actively encouraging changes, it's hard to see how they wouldn't want to follow. (or lead).' So if you have had any interest at all in the XFree86 development, this is definitely a community site you should take advantage of."