Slashdot Mirror

I keep a bunch of "classic" bookmarks around. Some are undisputed gems, others are, well, to my taste. Bytes being cheap here's a batch.

• Ars Technica: The PC enthusiast's resource
• AmbySoft Inc. White Papers: Scott Ambler's Online Writings
• windows.oreilly.com -- Deep Inside C#: An Interview with Microsoft Chief Architect Anders Hejlsberg
• TQ
• The Rise of ``Worse is Better''
  
• A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux
  
• Theist Hall of Shame
• Internetworking Technology Overview
  
• Software Technology Review
  Eric Weisstein's World of Mathematics
• P.S.: More Than Just Words
• Welcome to the On-Line Encyclopedia of Integer Sequences
• John McCarthy
  
• Slashdot | Net Translations of Dead-Tree IT Classics
  
• advICE
  
• 0xdeadbeef archives
  

What difference does it make what platform it runs on? Just compile it for whatever you have on hand.

ISS offers the source code for "altivore" a "feature complete version of Carnivore". It gives you a pretty good idea of how it works.

http://www.networkice.com/press/altivore.html

If you are going to use Windows software from untrusted (i.e. most everyone, especially M$) sources you must take steps to protect yourself. First, trust your gut. Does the developer "smell funny"? Is the software from a startup company with no visible means of revenue? I tend to trust programs created by individuals or small teams that demonstrate some passion for what they do (EAC, or LAME for example)

Then, get Technological on their ass. Start with a personal firewall that monitors all outgoing traffic. Zone Alarm is the one I trust - gut feelings, and I've read some negative things about Black ICE. Amaze and astound your friends as you block requests from RealPlayer, Windows Update, and other "legitimate" programs that like to access the net without asking permission.

Then get Ad Aware and get that sinking feeling as you see the total number of unauthorized programs, components, and services on your system.

Finally, install Proxomitron to make make your browser behave a bit more politely by re-writing the html it sees before it sees it (and find yet another reason to love Shonen Knife. They're way kawaii!)

Forewarned and fore-armed (hairy ones, even), you stand a much better chance of maintaining control of your system.

I am afraid if you do you are in for a RUDE awakening. The fact of the matter is that these $20,000 solutions cost that much for a reason, and the reason is they've spent years optimizing them for high speed links. This is something the hobbiest programmers who work on Snort cannot compete with. For instance, what open source coder has a SMARTBITS on their desk? Something like that is essential to test these things, but they cost upwards of $10,000.

So I would say yes, if all you want to do is monitor a T1 or two, and you're willing to tinker alot, something like Snort would work. But if you have a SERIOUS network with lots of bandwidth, you're gonna have to pony up the dough.

Disclosure: I helped build one of the systems that Snort supposedly beat, and I analyzed the source code for another one that was bought by that company. Snort CANNOT beat either one in a high bandwidth situation. I've seen the code, I've run the tests, trust me.

I no longer work for that company so have little to gain by saying this.

check out Altivore.

I wonder how many tech-saavy parents would use it to monitor their kid's activities.

See here.

Unless you consider US$39.95 free...

Don't know about ZoneAlarm, but BlackIce isn't free. It costs $40.

Network Ice, makers of the BlackICE firewall, has a great site that contains all sorts of free information on typical exploits, ports attacked, etc.

http://advice.networkice.com/Advice/default.htm

ht tp: //advice.networkice.com/advice/Intrusions/2002901/ ?magic_cookie=2f312e31

Is it abuse-windows-users day today?

Secondly, consider a desktop firewall. Consider a CEO that is on an Ethernet switch along with other employees on the same switched backbone. There is probably zero chance that remote exploits against the desktop will ever be monitored. Many companies put armor around servers but leave such desktops wide-open. An amazing number of corporate desktops have File and Print Sharing enabled or can easily be compromised by a Trojan.

Finally, I also "honeypot" my system. This is a little esoteric, but I've configured Outlook to check a number of e-mail accounts. One of those accounts I've saved the password in the registry and it goes of to check a POP account on a special system. That system is triggered to notify me when anybody but me logs in to read mail. (The password is saved in exactly a location that many Trojans will look for). This is a little esoteric for most people, though.

(Disclaimer: the company I work for makes a popular remotely-managed desktop firewall/IDS combo).

We are a small ISP with Network ICE Sentry monitoring one of our backbones. We see regular events from people infected by the Sub7 trojan. you can change your IP address, but you can't hide. (I hear you can get a desktop version of this IDS as well with a personal firewall).

If (and this is a big ?If?) Network Ice can demonstrate that MAPS could be inaccurately labelling some sites as spam sites, specifically Network Ice, then MAPS could have problems.

Network Ice are not the company in this suit, Black Ice are.

Here are some samples of them spamming (found in nanae):

http://www.deja.com/getdoc.xp?AN=557977300&fmt=tex t

http://www.deja.com/getdoc.xp?AN=558186941&fmt=tex t

http://www.deja.com/getdoc.xp?AN=600168362&fmt=tex t

http://www.deja.com/getdoc.xp?AN=626576761&fmt=tex t

Moderators, please moderate this up. I've seen a couple of posts that have confused this issue. I think it is important to know the difference.

Robert Graham
CTO/Network ICE

PS: It appears that Black Ice Software isn't using our BlackICE product, which of course would warn them that their e-mail servers are forwarding spam :-)

Packet reassembly and state-based protocol analysis are critical to the minimization function. My believe is that Carnivore is essentially stateless, just like my own Altivore. I can create real-world scenarios where Altivore fails the minimization test. Sure, they occur less than 1% of the time; I don't know how that fits within the law. However, software can be written to meet minimization requirements 100% of the time (e.g. BlackICE does this for detecting cr/hacking).

My question is: will a sniffing expert be analyzing the packet reassembly and protocol analysis part of the source code in order to validate that Carnivore captures all the data authorized by the court order, but no additional data? Moreover, is there really somebody on your team that understands even what I'm talking about?

Will you be able to justify the time and expense of a) reviewing Carnivore, and b) deploying Carnivore, when Network ICE has created Altivore, an open source program which claims to do everything for which the DOJ says that they need to use Carnivore?

Will you be able to justify the time and expense of a) reviewing Carnivore, and b) deploying Carnivore, when Network ICE has created Altivore, an open source program which claims to do everything for which the DOJ says that they need to use Carnivore?

Is it that difficult for the Justice department to diffuse this controversy by dropping Carnivore and just use Altivore?

Curious that no one has listed the links for the Page, Company, or Source Code. Let alone the Forum or associated presentation. Maybe this will help: http://www.networkice.com/altivore/

Curious that no one has listed the links for the Page, Company, or Source Code. Let alone the Forum or associated presentation. Maybe this will help: http://www.networkice.com/altivore/

Curious that no one has listed the links for the Page, Company, or Source Code. Let alone the Forum or associated presentation. Maybe this will help: http://www.networkice.com/altivore/

Curious that no one has listed the links for the Page, Company, or Source Code. Let alone the Forum or associated presentation. Maybe this will help: http://www.networkice.com/altivore/

I read the story (they say that this software was released and is available) and then I went to NetworkICE's web site. There is no mention of Altivore there (even in the press releases section)and it's not available for download yet.

I read the story (they say that this software was released and is available) and then I went to NetworkICE's web site. There is no mention of Altivore there (even in the press releases section)and it's not available for download yet.

As usuall, the mainstream press like CNN wouldn't think of linking directly to the source code. The source is at http://www.networkice.com/altivore/al tivore.c . Discussion of this is at http://www.networkice.com/altivore.

As usuall, the mainstream press like CNN wouldn't think of linking directly to the source code. The source is at http://www.networkice.com/altivore/al tivore.c . Discussion of this is at http://www.networkice.com/altivore.

Network ICE Releases Open-source Carnivore

They are saying this gives ISPs the ability to do what Carnivore is supposed to do on their own, and thus eliminate any need to allow Carnivore to be installed to comply with an intercept order.

The Altivore Page

Newsalert coverage.

According to this Linux Today story/press release, "Network ICE is disclosing the source code to a new e-mail sniffing program called 'Altivore.' This software provides a potential alternative to ISPs who do not want to install the FBI's secretive black-box known as 'Carnivore.'" The press release is at NewsAlert, and the source is here.

Can't stop snickering... :-)

A friend of mine uses the Windows programs Blackice and ZoneAlarm but I'm curious as what (preferably free) programs one can use to detect port scans and intruders under Linux and BSD?

I have heard of Tripwire. Does any one have any experience running that one?

Isn't that called OS fingerprinting? You send out a packet and see how the computer in question responds.

I know for a fact that Black Ice (firewall software by Network Ice, link to more info here) catches these and returns nothing. 'Course, the computing and communications group here at the U of W has also banned port scanning, but that hasn't stopped anyone. . .

The beta of the next version of BlackICE Sentry (from Network ICE) has Carnivore features built in. Administrators can configure "from" or "to" patterns to capture e-mails to the disk in mbox format. It can keep up with full-duplex 100-mbps connections, so you can tap into links between switches. This version runs on Linux, Solaris, or WinNT. It costs $5000, though.

(Moral of the story: decompile you product and remove any strings that a paranoid might interpret incorrectly).

The confusion stems from ESR's guide. He insists that the proper word for cybercriminal is "cracker", not "hacker". This is true in the geek community, but it is not true in either the general community or the security community. In the security community, the word "crack" has specific connontations about breaking passwords and/or copyright restrictions.

Journalists who use the word "hacker" to refer to the recent DDoS attacks gets flames from nerds insisting that they use "cracker". When they use "cracker", they get flames from security people who tell them what an idiot they are for using the wrong word since no passwords were cracked in these attacks. Most journalists I know try "cracker" a few times before they get sick of the complaints from the security other side. They also realize that their audience (the general population) just doesn't understand the word cracker as well as hacker.

I only post this because I'm tired of religious wars on the "meaning" of words. Words don't have any particular meaning; there is only what people understand when they hear a word. By creating a dictionary that defines a word contrary to how most people use it, ESR is perpetuating a religious war.

One might want to consider this alternate definition of "hacker".

As it stands right now, the average Solaris box can easily be exploited by buffer overflow scripts against Sun RPC services (cmsd, tooltalk, amd, etc). However, the same percentage of Windows boxes can be exploited via .htr buffer overflow or the RDO exploit.

BTW, if you've been running a firewall or intrusion detection system for the last several months, you probably have evidence of the perps. You may also want to check out this list of intrusions that hackers can run against systems, which are really evenly distributed among UNIX and Winsoze systems.

As it stands right now, the average Solaris box can easily be exploited by buffer overflow scripts against Sun RPC services (cmsd, tooltalk, amd, etc). However, the same percentage of Windows boxes can be exploited via .htr buffer overflow or the RDO exploit.

BTW, if you've been running a firewall or intrusion detection system for the last several months, you probably have evidence of the perps. You may also want to check out this list of intrusions that hackers can run against systems, which are really evenly distributed among UNIX and Winsoze systems.

• Easy to understand help on all the intrusions it detects. example1 example2
• Extremely high performance. The test here compares the "Sentry" version against other network-based IDSs. The "Defender" version is higher performance than other personal firewalls, but it does both IDS and firewalling.
• You can buy/download online and install it immediately without even having to reboot your machine.
• It does some simple scans against the intruders (DNS, NetBIOS) and sometimes finds out who they are.

• Easy to understand help on all the intrusions it detects. example1 example2
• Extremely high performance. The test here compares the "Sentry" version against other network-based IDSs. The "Defender" version is higher performance than other personal firewalls, but it does both IDS and firewalling.
• You can buy/download online and install it immediately without even having to reboot your machine.
• It does some simple scans against the intruders (DNS, NetBIOS) and sometimes finds out who they are.

• Easy to understand help on all the intrusions it detects. example1 example2
• Extremely high performance. The test here compares the "Sentry" version against other network-based IDSs. The "Defender" version is higher performance than other personal firewalls, but it does both IDS and firewalling.
• You can buy/download online and install it immediately without even having to reboot your machine.
• It does some simple scans against the intruders (DNS, NetBIOS) and sometimes finds out who they are.

• Easy to understand help on all the intrusions it detects. example1 example2
• Extremely high performance. The test here compares the "Sentry" version against other network-based IDSs. The "Defender" version is higher performance than other personal firewalls, but it does both IDS and firewalling.
• You can buy/download online and install it immediately without even having to reboot your machine.
• It does some simple scans against the intruders (DNS, NetBIOS) and sometimes finds out who they are.

The cool thing is that the only product that could do both (BlackICE Sentry) is also available as a $40 personal version (BlackICE Defender) that you can install on your own (Windoze) machine. It includes a personal firewall to boot and is really easy to use. It also has extensive anti-evasion technique to solve problem number 3 that you mention. Go to networkice.com and download a copy of it if you don't believe me.

A local hack would imply that the police enter your premise and sit down at your computer. A remote hack implies that the police connect to your computer while you're surfing on the Internet.

I can see this rankling a lot of Slashdotters who fear Big Brother, but remote access is really not different than what anybody anywhere on the world can do. I mean, you system is either vulnerable or hardened against intrusion. On Linux, if you simply remove all unnecessary network services in inetd.conf and install simple packet filters like ipchains, then there isn't much the police are going to be able to do. Similarly, on Windows you can install Network ICE which will not only block them, but also alert you to exactly what they are trying to do.

I mean, anybody who runs such countermeasures regularly sees attempts against their machines. Why get into a tizzy over the government doing what Russian hackers/crackers are doing to you anyway? Indeed, the Russian hackers are likely to be much more intelligent than government drones.

In any event, I've got countermeasures on my system. This means that the most likey outcome is that bungling investigators would tip me off to the investigation, not compromise my machine.

(I guess my reaction is atypical: my geek distaste for l-users who can't configure their system outweighs my geek distrust of authority :-)

A local hack would imply that the police enter your premise and sit down at your computer. A remote hack implies that the police connect to your computer while you're surfing on the Internet.

I can see this rankling a lot of Slashdotters who fear Big Brother, but remote access is really not different than what anybody anywhere on the world can do. I mean, you system is either vulnerable or hardened against intrusion. On Linux, if you simply remove all unnecessary network services in inetd.conf and install simple packet filters like ipchains, then there isn't much the police are going to be able to do. Similarly, on Windows you can install Network ICE which will not only block them, but also alert you to exactly what they are trying to do.

I mean, anybody who runs such countermeasures regularly sees attempts against their machines. Why get into a tizzy over the government doing what Russian hackers/crackers are doing to you anyway? Indeed, the Russian hackers are likely to be much more intelligent than government drones.

In any event, I've got countermeasures on my system. This means that the most likey outcome is that bungling investigators would tip me off to the investigation, not compromise my machine.

(I guess my reaction is atypical: my geek distaste for l-users who can't configure their system outweighs my geek distrust of authority :-)

The funny thing is, even though its only for windows, it detections a lot of intrusions for Linux, like the infamous rpc.mountd or numerous POP and IMAP exploits that only Linux is susceptible too (of course, it's really meant for the TONS of windows exploits).

Imagine having to have an intrusion detection system to thwart:

• "sink overflow" when the hacker turns the faucet on and leaves the plug in
• "toaster denial-of-service" when the hacker makes the default time 1-hour for toast, which not only denies you a nice pop tart in the morning, but also triggers the fire alarm.
• "fridge spoofing attack" which attempts to redirect the auto-grocery system (which detects when you are out of something and orders more) so that the hacker can send free coke and pizza to himself

Says HERE
BlackICE was designed for multiple platforms, but currently does not run on Linux. However, it detects many attacks directed against Linux machines, such as the rpc.mountd overflow.
DETAILS We plan to support UNIX platforms, especially Linux, in the future. This page will be updated in the future as we get more information.

I installed it on a Windoze and found it useful. I watched it detect a NetBus probe-- the icon flashes and you are given the date, time, info, and IP address. When you select the attack for more info it brings up a web page telling you what the attack is, how common it is, not to panic, what you can do about it, including a submit-the-IP address option that tells you to what ISP the attacker's IP (theoretically) belongs to. The info was easy-to-understand and direct so that non-techies won't panic if they read it-- and that's obviously who the product is geared towards.

Overall, it has an intuitive GUI, logical tracking methodology, and is a thorough product.

Good for them (although I concurr that they REALLY should remove an enorsement from JP)...

The reason its sold for $40 rather than $4000 is that it runs "non-promiscuous". The personal version is just the "Sentry" version with the sniffing component removed.

Doesn't work on Linux, though :-( But it will detect/block intrusions if the Windows box is used as a router (though that violates the license agreement, it doesn't check).

The reason its sold for $40 rather than $4000 is that it runs "non-promiscuous". The personal version is just the "Sentry" version with the sniffing component removed.

Doesn't work on Linux, though :-( But it will detect/block intrusions if the Windows box is used as a router (though that violates the license agreement, it doesn't check).

I'm not sure what other people feel is the philosophical basis for taxation. It seems to me perfect taxes are basically usage taxes: what you pay exactly matches the benefit you get. For example, rich people should probably pay for for police protection because they have more to lose in a theft. Another philosophical basis might be to "adjust" society to be more like one would we like to live in (i.e. we don't like others around us to suffer in poverty). Combining those two mean we'd prefer gasoline taxes to toll roads, for example (we don't want usage toll booths every mile, and gasoline taxes approximate the benefit AND encourage lower pollution etc.).

For example, if I go to the local store and buy something, the local government probably has the right to levy a sales tax. It maintains the roads I use, it provides police protection, etc. However, when I buy from the Internet, the local government is much less involved. Does my city or state government have the right to tax transactions at the same rate as before? (BTW, the federal government is much more involved, i.e. tracking hacking, fraud, and the lot, but they don't see the money).

Currently, taxes are pretty much a blunt instrument. In the above example, much of what I pay for in the sales tax isn't related to the transaction, but the theory is that it "correlates". Richer people benefit from government services such as fire protection on more expensive homes, and they tend to buy more. Therefore, we think it ok to charge a "fee" for the transaction even though the "benefit" as nothing to do with the transaction.

From this perspective, the government currently subsidizes Internet transactions. The FBI tracks down credit card fraud, which effectively lowers your credit card fees, but you don't pay for that protection. Likewise, shipping your books from Amazon.com creates wear-and-tear on the roads, but you don't pay for that.

Personally, I like the idea of a tax-free Internet zone precisely because taxes across International borders gets difficult. For example, the company I work for sells a $39.95 product that we've sold over the net to Europe, Canada, Asia, South America, etc. We simply cannot handle a country-by-country tax problem. It would cost much more than $39.95 to sell a single copy to Venezuela, for example. Direct Internet taxation will stifle lots of business activity.

As a consequence, I'd like to search for other ways to indirectly tax Internet transactions. A fuel tax springs to mind (which I like for other reasons) to tax shipments. A credit-card tax would also be a good thing (since the government is already subsidizing credit card transactions anyway). In other words, rather than stifle all the small businesses which aren't equiped to deal with the taxes, why not shift the burden onto the big companies that can?

Anyway, those are my thoughts.

I'm not sure what other people feel is the philosophical basis for taxation. It seems to me perfect taxes are basically usage taxes: what you pay exactly matches the benefit you get. For example, rich people should probably pay for for police protection because they have more to lose in a theft. Another philosophical basis might be to "adjust" society to be more like one would we like to live in (i.e. we don't like others around us to suffer in poverty). Combining those two mean we'd prefer gasoline taxes to toll roads, for example (we don't want usage toll booths every mile, and gasoline taxes approximate the benefit AND encourage lower pollution etc.).

For example, if I go to the local store and buy something, the local government probably has the right to levy a sales tax. It maintains the roads I use, it provides police protection, etc. However, when I buy from the Internet, the local government is much less involved. Does my city or state government have the right to tax transactions at the same rate as before? (BTW, the federal government is much more involved, i.e. tracking hacking, fraud, and the lot, but they don't see the money).

Currently, taxes are pretty much a blunt instrument. In the above example, much of what I pay for in the sales tax isn't related to the transaction, but the theory is that it "correlates". Richer people benefit from government services such as fire protection on more expensive homes, and they tend to buy more. Therefore, we think it ok to charge a "fee" for the transaction even though the "benefit" as nothing to do with the transaction.

From this perspective, the government currently subsidizes Internet transactions. The FBI tracks down credit card fraud, which effectively lowers your credit card fees, but you don't pay for that protection. Likewise, shipping your books from Amazon.com creates wear-and-tear on the roads, but you don't pay for that.

Personally, I like the idea of a tax-free Internet zone precisely because taxes across International borders gets difficult. For example, the company I work for sells a $39.95 product that we've sold over the net to Europe, Canada, Asia, South America, etc. We simply cannot handle a country-by-country tax problem. It would cost much more than $39.95 to sell a single copy to Venezuela, for example. Direct Internet taxation will stifle lots of business activity.

As a consequence, I'd like to search for other ways to indirectly tax Internet transactions. A fuel tax springs to mind (which I like for other reasons) to tax shipments. A credit-card tax would also be a good thing (since the government is already subsidizing credit card transactions anyway). In other words, rather than stifle all the small businesses which aren't equiped to deal with the taxes, why not shift the burden onto the big companies that can?

Anyway, those are my thoughts.

A lot of posters to Slashdot have the same qualities :-) A lot of it is simple "maturity", younger people rarely have it, but usually think they do. Another part of it is understanding a concept from another person's point of view, which few geeks are willing to do.

Business reasons are often like peacock feathers: utterly stupid and wasteful from any logical perspective, yet somehow evolution seems to favor them. Businesses that survive do things in a "business" manner. Geeks in a business environment are always telling management how stupid they are for putting such big feathers on a peacock, when better solutions exist. And geeks know they are absolutely right, thus the problem.

Marc was simply one of those geeks (making assumptions by extrapolating from my own experience). BTW, so were Steve Jobs and Bill Gates. Jobs got pushed out of Apple for much the same reasons. In Jobs' case, he conflicted with management until he was pushed out. It wasn't an issue if Jobs was right or wrong, only that his geekness made him incompatible with those who ran the company. However, once geeks like Jobs and Gates start running the place, they actually prove that their non-business-practices have merit.

The problem for geeks/nerds everywhere is that business is much like the military: to become a leader, you have to prove that you are a good follower, even those two skills aren't directly related. For geeks to get into a position of power (in order to implement the ideas that they know are right), they have to stop being so difficult and arrogant, even when it is obvious that management are idiots.

Of course, OpenSource often does an end-run around business, but it doesn't mean you'll get the $$$ or the babes going that route :-)

The update is currently in beta and will probably be released next week. In any case, the intrusion is now listed.

The CNN story states that someone from Network ICE reported the exploit and that Network ICE's BlackICE intrusion-detection application has been updated to allow for the AOL exploit, but to monitor for alterations to the original code, but the Database of Intrusions detected by BlackICE mentions nothing of an AIM buffer overflow. It's possible that this is another phony email from an MS employee or some other AOL-hater.