Domain: playboy.com
Stories and comments across the archive that link to playboy.com.
Stories · 12
Google's Ray Kurzweil Wants To Live Forever, and He Thinks It Includes Nanobots (playboy.com)
Reader Esther Schindler writes: Whatever else he is (author, computer scientist, inventor, futurist, Google employee), Ray Kurzweil is undeniably fascinating, with intriguing predictions about the future -- some of which might be accurate. In an interview, he discusses life extension and technology, as well as how he thinks they'll be connected. "When people talk about the future of technology, especially artificial intelligence, they very often have the common dystopian Hollywood-movie model of us versus the machines. My view is that we will use these tools as we've used all other tools -- to broaden our reach. And in this case, we'll be extending the most important attribute we have, which is our intelligence." Part of what I like is that he sees ways to use technology for good and not for evil. "By the 2030s we will have nanobots that can go into a brain non-invasively through the capillaries, connect to our neocortex and basically connect it to a synthetic neocortex that works the same way in the cloud. So we'll have an additional neocortex, just like we developed an additional neocortex 2 million years ago, and we'll use it just as we used the frontal cortex: to add additional levels of abstraction. We'll create more profound forms of communication than we're familiar with today, more profound music and funnier jokes. We'll be funnier. We'll be sexier. We'll be more adept at expressing loving sentiments." Kurzweil also thinks his diet can help him live forever. Kurzweil claims that he spends "a few thousand dollars per day" (or roughly a million dollars a year) on diet pills and eating right.
According to a Financial Times report from last year, Kurzweil's breakfast includes: Berries (85 calories for a cup), Dark chocolate infused with espresso (170 calories for an ounce), Smoked salmon and mackerel (100 calories for a 3-ounce serving), Vanilla soy milk (100 calories for a cup), Stevia (zero calories), Porridge (150 to 350 calories for half a cup, depending on ingredients and cooking method), and Green tea (zero calories). Kurzweil takes 100 pills a day (down from 250 a few years ago; technology has advanced, you see) for "heart health" to "eye health, sexual health, and brain health."
Fraudulent Anti-Terrorist Software Led US To Ground Planes
The Register, citing this Playboy article, reports that a Nevada man named Dennis Montgomery was able in 2003 to connive his way into a position of respectability at the CIA on the basis of his company's claimed ability, using software, to "detect and decrypt 'barcodes' in broadcasts by Al Jazeera, the Qatari news station." Montgomery was CTO of Reno-based eTreppid Technologies, which produced bucketloads of data purported to represent "geographic coordinates and flight numbers" hidden in these broadcasts. All of which, it seems, was hokum, finally debunked in cooperation with a branch of the French intelligence service — but not, says the article, before the fabricated information, chalked up to "credible sources," was used as justification to ground some international flights, and even evacuate New York's Metropolitan Museum of Art.
Tim Schafer Confirms No Psychonauts Sequel Likely
Via Game|Life comes an interview with Tim Schafer of Psychonauts and Day of the Tentacle fame in which he states there will likely be no sequels in the near future for those of us who loved his past works. "I would love to go back and spend time with the characters from any game I've worked on, and I would love to make a sequel to any of them. But I also want to make something new. If there were five of me I might make sequels, but there's always some new idea I want to explore." The interview is a part of Playboy's Geniuses at Play feature. It features discussions with folks like David Jaffe, Phil Harrison, and Clive Barker, the whole of which is worth reading. The subsite for the interviews is safe for work as of this posting.
Google Creators Interviewed by Playboy
Cristiano wrote in to say that an interview with the creators of Google is appearing in the latest Playboy Magazine. That in and of itself is of little note, until one realizes that the issue of Playboy in question is already en route to subscribers and hits newsstands tomorrow, the same day that their IPO auction begins. News.com.com speculates that the SEC may be interested, since this could be a breach of the "quiet period" companies must endure before going public. It may also be nothing but a mistake in scheduling, but it has cast doubts on Google's IPO for some.
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts...
by Tim_F
...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin?
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
On the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP] nmap -p- -sU -v [ your IP ]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case. Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
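The netstat check Fyodor recommends above, turned into a script (an added example, not code from the interview or from Nmap): it reads the text of `netstat -tuln` (Linux) or `netstat -an` (Windows) and lists every TCP listener and bound UDP socket that is not confined to a loopback address, so the list can be compared against what the external Nmap scan reports as open. The sample output is constructed.

```python
"""Check a host's listening sockets for anything reachable from the network.

Added example, not part of the interview: parses `netstat -tuln` (Linux) or
`netstat -an` (Windows) output and reports every TCP listener and bound UDP
socket that is not confined to a loopback address.
"""
import ipaddress

# Constructed sample output mixing Linux-style and Windows-style netstat lines.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.1.10:8080       0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:49152      203.0.113.5:443         ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    ::1:1900               *:*
"""


def split_local_address(local):
    """Split 'addr:port' as netstat prints it into (addr, port).

    Handles IPv4 ('0.0.0.0:445'), bare IPv6 (':::22' means [::]:22),
    bracketed IPv6 ('[::1]:1900') and wildcards ('*:22').
    """
    addr, _, port = local.rpartition(':')
    addr = addr.strip('[]')
    if addr in ('', '*'):
        addr = '0.0.0.0'          # unspecified address: bound on every interface
    return addr, int(port) if port.isdigit() else 0


def is_loopback_only(addr):
    """True only when the socket is bound to a loopback address."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False              # unparseable: assume the worst (exposed)


def exposed_sockets(netstat_text):
    """Return [(proto, addr, port)] for sockets reachable from other hosts."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(('tcp', 'udp')):
            continue              # header, banner or blank line
        proto = fields[0].lower()
        local = next((f for f in fields[1:] if ':' in f), None)
        if local is None:
            continue
        # TCP sockets only matter when listening; ESTABLISHED etc. are clients.
        if proto.startswith('tcp') and not fields[-1].upper().startswith('LISTEN'):
            continue
        addr, port = split_local_address(local)
        if not is_loopback_only(addr):
            found.append((proto, addr, port))
    return found


def unexpected_sockets(netstat_text, allowed_ports=frozenset()):
    """Exposed sockets whose port is not on the explicit allow list."""
    return [s for s in exposed_sockets(netstat_text) if s[2] not in allowed_ports]


if __name__ == '__main__':
    # Only ssh (22) is wanted on this example host; everything else is suspect.
    for proto, addr, port in unexpected_sockets(SAMPLE_NETSTAT, allowed_ports={22}):
        print(f'close or firewall: {proto} {addr}:{port}')
```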
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Dug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
Biggest IP cases of 2002
scubacuda writes "Law.com's article, The Biggest IP Cases of 2002, has a nice summary of some of the intellectual property cases that have caught our attention this last year. Of particular interest to slashdotters: Kelly v. Arriba Soft Corp. (regarding Arriba's visual search engine), Enzo Biochem Inc. v. Gen-Probe Inc. (regarding a gene patent being invalid because it did not meet the written description requirement), an Illinois federal court injunction against Aimster, United States v. Elcom Ltd a/k/a Elcomsoft Co. Ltd., and Playboy Enterprises Inc. v. Welles (regarding Playmate of the Year, Terri Welles, using Playboy's marks and metatags on her website)." -
Totally 31337 Quickies
bigstripes sent us a couple of websites that game chairs: The RocknRide and the Simcraft for people for whom strapping a subwoofer to your chest just isn't enough. Curious what the MST3k guys are doing? bill notes that most of the guys are working on a website Timmy Bighands, although Joel is doing his own thing. QuasEye sent us a link to a review of The Matrix: The Musical. I need footage of this, but it sounds frightening beyond measure. Frank Martini pointed us to a VinylVideo who are hawking a kit that lets your old record player play video. Sun Tzu pointed us to a list of milestones in a programmer's life, while jamesoutlaw sent in a site that caricatures common discussion group personalities in Usenet ... and surprisingly enough many of the stereotypes apply just as well to Slashdot. Schmam notes that Stevie Case, one of the designers for Quake II, now working with Ion Storm, famous for being Romero's GF, and for beating him at Quake, as well as being hot ... well she's in playboy, but you're only allowed to read the article or else I'm telling your mom. Hey, it's nice to note that Slashdot took 2 People's Voice Webby Awards one in the Print & Zines and the other in Community. I'm not exactly sure what it proves tho (besides the fact that you guys like us enough to fill out a form) but thanks to those who voted us. May peace and prosperity follow you (and may the Webbies not sell your e-mail address to people bent on selling you toner). And now for the strang(er) part of the quickies, HelLfiRe leads us towards The Stinkymeat Project which is, well, a photo documentary of a plate of rotting meat. Read only on a settled stomach. Richard Stevens sent us an Amazingly Strange cartoon strip: This guy draws inane pictures based on the idiotic titles people send him. If you want something slightly better drawn, mkoscica sent us plif which is really twisted, but funny. -
MSIE's Cookies Are Public
If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.
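The parsing mistake the story describes, shown beside a strict check (an added illustration; it is neither IE 5's code nor the demo CGI script). It assumes the flawed logic can be modelled as a domain-suffix test on the raw authority text, where a slash written as %2f never ends the machine name; the strict version decodes the parsed host once and refuses anything that is not a plain host name, denying rather than guessing. The URLs are constructed.

```python
"""Which cookies may a page read: raw-text suffix check vs. validated host.

Added illustration of the class of mistake the story describes; it is neither
IE 5's code nor the original demo script. Assumption: the flawed logic is
modelled as a domain-suffix check on the raw authority text, in which an
encoded slash (%2f) keeps the path glued to the machine name.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Characters that can never appear in a decoded host name.
FORBIDDEN_HOST_CHARS = set('/?#@%\\ \t\r\n<>^|')


def raw_authority(url):
    """Naive: the text between '//' and the first literal '/'.

    A path whose slashes are written as %2f never terminates this string,
    so the supposed 'machine name' swallows the whole path.
    """
    rest = url.partition('//')[2]
    return rest.split('/', 1)[0].lower()


def naive_may_read(url, cookie_domain):
    """Flawed decision: suffix match on the raw, undecoded authority."""
    host = raw_authority(url)
    return host == cookie_domain or host.endswith('.' + cookie_domain)


def canonical_host(url):
    """Strict: take the parsed host, decode it once, and accept only a plain
    host name or an IP literal. Returns None for a malformed host."""
    host = urlsplit(url).hostname or ''
    decoded = unquote(host)
    if not decoded:
        return None
    try:
        return str(ipaddress.ip_address(decoded))   # IPv4/IPv6 literal
    except ValueError:
        pass
    if ':' in decoded or any(ch in FORBIDDEN_HOST_CHARS for ch in decoded):
        return None                                 # e.g. a decoded '/'
    return decoded.lower()


def strict_may_read(url, cookie_domain):
    """Safe decision: validated host, and a malformed host means 'no'."""
    host = canonical_host(url)
    if host is None:
        return False
    return host == cookie_domain or host.endswith('.' + cookie_domain)


if __name__ == '__main__':
    # Constructed URL in the shape the story describes: '/' written as %2f
    # and a well-placed '.yahoo.com' inside what is really the path.
    tricky = 'http://hostile.example%2fnotes.yahoo.com/'
    print('naive :', naive_may_read(tricky, 'yahoo.com'))    # True  (fooled)
    print('strict:', strict_may_read(tricky, 'yahoo.com'))   # False (rejected)
```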
-
Interview: Jon Katz Answers
You asked for it; you got it. We asked Jon Katz your questions, ranging from the community to religion, and he's offered up his responses. If you can't get enough of our resident gasbag, check out his interview at Playboy, too.
Truth or Parody (Score:5, Interesting)
by Duxup (pointandlaugh@hotmail.com)
I'm trying to keep this from sounding like a flame but still ask what I mean here. I should note that I haven't read a lot of Katz. However the few times I have your opinion seems so simple and stark it would seem you're almost parodying opinions that you don't believe in. I wonder sometimes if you really believe all the things you write, or if the intent is more to promote discussion?
Katz:
I never write solely for the purpose of being provocative, or simply to push buttons. That would be dishonest. Parodying opinions would be worse, and I don't even know what that means (nor has "simple" or "stark" ever been used to describe my writing). The awful truth is that I believe everything I write quite sincerely, and often too passionately, when I write it. But I never write something with the feeling that it's 100 per cent true or right. I've learned otherwise.
And yes, my job is to promote discussion of issues, that's definitely my major purpose and intent. It's why I'm here. It sure isn't to beef up Freshmeat.
Writing online is challenging. The feedback is so intense, and comes in so many forms, that I often learn new things, change my mind, or alter my opinions, or see new aspects of an issue. It's a privilege for a writer to be here -- if you keep your eyes open, you never stop learning and growing. Or being humbled. And you can't get too lazy or arrogant, or you'll get eaten alive. And boy, do you get read. A lot of writers say this, and it's true, but the only real insult for a writer is to be ignored.
When I wrote columns for Rolling Stone and New York Magazine, I got little feedback -- readers had no easy way to reach me -- and my ideas were rarely changed or stretched. Here, I grow and learn every day, about technical things and everything else. I never get or want or expect the last word, and never assume what I write is the only truth.
My columns are the best expression of what I hope is an interesting issue or idea at the time I write it. After that, it goes out into the hive and lives or dies on its own worth. My columns are beginnings of conversations, never the end. And I wish you all could see my e-mail, as I have some of the greatest conversations anybody interested in technology could possibly wish for.
And, as we all know ad nauseam, I get plenty of disagreement. I take responsibility for what I say. I read all criticism, even flames. I don't believe in many aspects of the moderation system. I set my prefs to everything. To me, steering software is the antithesis of community. I consider it self-censorship, a Balkanization of ideas, an effort to smother a human problem with software.
If somebody has a comment about my work, I owe them the courtesy of seeing it, however hostile or nice.
But remember that I express opinions more frequently than anybody on Slashdot. That means I will generate more intense feeling than most. The Net is a big place, and everybody has an opinion. Everything one writes in the nature of an opinion ticks somebody off. If you can't handle that, you can't express opinions on a forum like this and ought to go to a newspaper op-ed page, where nobody can ever reach you.
One difference on Slashdot is that disagreement tends to be intensely personalized, more than on other sites. People don't seem comfortable just disagreeing, some have to attack the source of the idea. They challenge motives, attack integrity, ridicule writing style, intelligence, sincerity, almost everything.
Notwithstanding that, writing on Slashdot has been the most successful experience of my media writing life. My columns are linked and distributed all over the world, I am quoted everyplace, asked to write for places, I get about 200 to 300 e-mails a day, and many more people are familiar with my work than at Hotwired or other sites I've written for on the Web. I don't mean this to be self-serving, just to respond to questions about why I'm here, and to point out that there are different perspectives on my experience here.
You did ask.
The considerable criticism I get is obvious, and much of it is valuable, thoughtful and worthwhile. But I have never gotten more praise or worked with people I like and respect more. I think this community is the most extraordinary thing I've seen in my life as a media/technology writer, and I am very happy and quite proud to be a part of it.
Preaching to the choir (Score:5, Interesting)
by Q*bert (Don'tSpamqweaver@vovida.com)
I would like to ask why you choose to air your articles on Slashdot. They are written from a non-technical point of view for a non-technical audience wholly unfamiliar with their subjects: Weblogs, the DVD controversy, the Linux revolution itself. Clearly, the Slashdot audience finds your articles insultingly simplistic. We are already familiar with these issues, often in more detail (technical and historical) than you, and by and large we are annoyed to have our opinions simplified and read back to us.
I have two questions. First, do you agree with me in seeing your posts as popular digests of our culture, intended for a lay audience?
Second, if you do agree, why do you persist in using Slashdot as a forum?
Katz:
Ummmm... no, I don't agree with you. I think the subtext of this message isn't about how dumb I am, but how smart you think you are.
Come on, Q*Bert, think about this. Would I still be here if that was really the view of the "Slashdot audience", whatever that may be? Would you be bothering even to write this question?
I don't mean to be snarky, but I must have been away when you were elected mayor of Slashdot, and spokesperson for the community. How do you know how everyone views my writing? Are you really saying that I should never write about privacy, genetics, open source, culture, books, movies, corporatism, media coverage of technology because you know all there is to know about it, and couldn't possibly learn anything more from any discussion? Sounds like it.
You also are wantonly inaccurate about Slashdot's audience, which is considerably wider than you seem to grasp, with varying levels of technical expertise, and which neither one of us is qualified to speak for. Happily, all kinds of people come through here, from programmers to housewives, and find the site interesting.
I don't write for a lay audience on Slashdot, and I don't have one, so far as I know.
The people who read me are directly involved with technology -- administrators, programmers, developers, students, and many, many highly-technical Linux geeks and nerds. I get mail from programmers, people overseas, from CEO's, government officials, bio-ethicists, geneticists, NSA spooks, and all sorts of teenaged geeks from all kinds of schools, from high school to college.
I'm not here to break news or tell you things. Of course you know a lot about these issues -- that's what makes this community unique. I'm here to promote discussion of things we all -- sometimes even me -- know a lot about. You are dead wrong if you think many members of the "community" don't want to talk about these issues. They do.
Simply, I write here because I love Slashdot, love the audience and the feedback I get, and believe I have the potential of doing good work. I love the bottom-up nature of the site, the intensely participatory nature of the community (I read Freshmeat every day, and marvel at it, understanding hardly anything. It's one of the most interesting places to go on the Web).
I've never discussed it with him, but I believe Rob asked me to write for Slashdot BECAUSE I am clueless in many ways. I'm not a geek, not a technical person, and have no desire to be one. I don't carry a lot of Linux or other baggage ideologically. I'm a writer, a very different thing. I think there's room for one or two here. Operating systems per se are not important to me. I love writing about technology, media, culture and politics. And I believe my record is strong in spotting trends and patterns involving technology-related subjects.
The implications of things like DVD and Open Source aren't static -- they aren't fully grasped at one moment, and then unworthy of further discussion. They are organic, evolving, changing all the time, especially as they move beyond this community and go out and hit the world.
Rob has never told me what to write and what not to write, but we (and Jeff too) communicate all the time. Via Rob's grumpy and cryptic e-mail, I've figured out the role he sees for me -- to try to put things in a non-technological context, to try and bring a fresh, non-technical perspective to the things you all are doing here. "Write what it means," he tells me all the time. I trust his instincts.
So I stay here because I'm happy, stimulated and welcome. The notion of my being a hated figure is, to me, largely mythical, a Slashdot version of hype. I've made a ton of friends here, and value them very much. I have a Linux laptop on which I work often, and while it remains a nightmare and a mystery, I love the fact that I have actually begun to learn more about how computing works.
I've worked in different media, covered politics and government, studied the history of technology. (I've worked at the Washington Post, Boston Globe, Philadelphia Inquirer, CBS News, Rolling Stone, Wired and Hotwired, and written 10 books), and have been obsessed with technology for years. I'm the sort of clown who will talk for hours about how cars changed the world, but have no interest in learning how the internal combustion engine works.
Whatever you think of me and my work, I have no apologies to make for it, but lots of improvements to work on. I don't think there can be a lot of doubt that people read what I write and talk about.
I've also been here for nearly two years. I hate to break the news to you, but I'm part of the Slashdot community too. So is anybody else who wants to join.
A -real- question (Score:5, Insightful)
by jd
Libertarianism means a lot of different things to different people. Usually, it is meant purely in the context of a hypothetical "Big Government". However, recently, events have shown that duly elected Governments around the world can be dictated to and ordered around by "Big Corporations", who are accountable to no-one, including the market place. Can you pin down, exactly, what your interpretation of Libertarianism is, and how it handles the whole power question, where you have Corporate Law, rather than Government Law?
Katz:
Libertarianism is one of the most interesting political ideas on the Net, or anywhere else, and I would love to pin it down, though there are many different interpretations of it. In recent months, several Libertarians have been e-mailing me, guiding me to websites, and I've enjoyed that. My sense of it as a philosophy is that it values freedom and a minimal involvement of government in people's lives, and celebrates individuals, and their right to make their own choices.
I'm skittish about labels and parties. I'm not a political person. I find both liberalism and conservatism suffocatingly narrow and inadequate, and I would never describe myself as being one or the other. I hate the whole idea of a two-party, two-ideology system. If there's a question I have about Libertarianism, it's in trying to define the role government should or shouldn't play in people's lives or social problems. For example, I believe government should have stopped Microsoft much sooner, and should definitely halt the AOL/Time-Warner merger. I think it's a responsibility of government to keep the Net and the Web as free and non-commercial as is possible. I don't believe Libertarians would share that view.
But I have to say that my thinking about Libertarianism is a work-in-progress. Maybe the best response is to write about it a bit, and start some discussions.
Politics isn't a strength of mine. But the second part of your question was very interesting because Libertarianism could play an enormous role in the many legal, technological and cultural questions popping up around the new Corporate Internet springing up all around. If I understand them correctly, the Libertarians present a strong political rationale for keeping a space like the Net free from corporate or government interference. If I were a lawyer, I'd be busting through walls to take up Net law.
Honest question (Score:5, Interesting)
by swordgeek (spamlist@um......go.com)
One of the biggest and most valid criticisms you (regularly) receive on /. is directed to your writing style. Specifically, you write _long_ articles with _long_ (occasionally run-on) sentences containing questionable grammar. Given that you're a professional (paid!) journalist, do you feel that this affects how seriously your readers take your writing?
Katz:
Well, I barely got through high school and didn't finish college. I'm sure my grammar needs work. But I've written 10 books, almost every one of which was very favorably reviewed by some very tough literary critics. Apart from the books, I've written for the New York Times, GQ, Rolling Stone, Wired, and have gotten very few complaints about my grammar.
Writing is a very personal thing, from the point of view of the writer and the reader. It's subjective. There is no single way to do it. I feel pretty good about my writing, though never satisfied. I don't think I want it to change too much. My Slashdot pieces should be shorter, crisper.
I wish I could change everything I ever wrote, long sentences and otherwise. But I feel even better now that Slashdot is hiring some professional copy editors, which every writer desperately needs. You've definitely had to put up with some raw stuff though. In my early months here, I had no time to proofread my stuff (Slashdot isn't my full-time job) and had all sorts of formatting problems. Some of it was sloppy for sure, for which I apologize. Programmers are an especially tough audience, as precision means a lot to them, and they aren't forgiving of sloppiness or mistakes.
I'm sure reading me can sometimes be a chore. But I can't say I care tons about grammar. I'd rather swing (or not) for my ideas.
Community interest (Score:5, Interesting)
by Signal 11 (signal11@mediaone.net?Subject=Slashdot comment)
It's a rare person indeed who draws such an intense response from the geeks and slashdotters amongst us - I'd like to know why you keep posting and commenting even though so many people are outwardly hostile towards you...
What draws you towards this community?
Katz:
I am very proud to be a rare person, and however you meant it, I thank you.
In some ways, I think I've answered this question in my previous responses. But again, I caution you against myopia, and the tunnel vision that sometimes comes from gauging the reality of the world by Threads -- there is no single response to me here. Some people are hostile, some people are not. Most people -- the great majority, I'm sure -- don't say either way, so I don't think either of us really knows for sure.
I'm drawn to the people running the site, the people posting on it, the people reading it, and the overall OS and free software idea, an idea I've been waiting for much of my work life. Also to the astounding -- often decidedly non-hostile -- response I get to my writing, a dream for any writer. As I've said elsewhere, if the response to my work was overwhelmingly hostile, I wouldn't have any desire to be here.
But I have to say one thing: If I permitted myself to be driven away by hostility toward my ideas, that would be a kind of cowardice I could never live with. It would be a horrible precedent for any writer, and a rebuke to the whole idea of free speech and open discussion.
I also don't buy these generalizations inherent in your very valid question. I don't believe most people on Slashdot hate me. I think it's a wildly exaggerated meme, stemming mostly from some loud and often (but not always) people who don't even have the courage to post under their own names, and for whom flaming is like a contact sport.
If you read through Threads, which I do, the most piercing comments are from smart people who criticize me under their own names. The most hostile comments are often from people who clearly haven't read a word I've written, but who are just rushing to get flames up first. The many interesting and thoughtful criticisms of me -- there's a whole sub-literature devoted to why I'm a jerk and don't belong here -- are almost always posted under names and ID's, which I respect and appreciate. And read.
There have been some eloquent, even powerful criticisms of me from people who do post under their own names (Hey, Rogers, Chris). They raise important questions, some of which I agree with and have learned from. People take seriously the idea that a writer is given so free and regular a forum to express himself here, and I take it as a compliment and a challenge.
But believe me, anybody who thinks I'll be chased off by criticism is really smoking something strange. I will never give in to the idea that I should leave because some of my ideas are unpopular among some people. You'd absolutely have to kill me first. In fact, I have just re-upped for at least another year, and plan to devote more of my writing to Slashdot, and reduce or eliminate the writing I do for other places. This is what I very much have wanted.
But to re-cap: I am first and foremost drawn to the open source idea, which I sincerely believe may possibly, though by no means definitely, salvage media and will transform society.
Secondly, I am attracted to and comfortable in this intensely interesting community of bright, idea-loving, idealistic, quarrelsome people -- I feel quite at home here. I respect what you have built, shared and believe in. I have been railing against Microsoftism before most of you were programming, and spent much of my life (unsuccessfully) battling monopolistic corporations, even as I have depended on them for my livelihood. I wish I were more technically inclined, so I could participate more directly. But failing that, I am privileged to be writing about technology, media and society for one of the best media and technology sites in the world.
To me, the more rational question under those circumstances is why WOULDN'T I write here?
I also have a very powerful connection with Rob and Jeff, shaped in part by having worked for, (and at times been one) a series of media sleazebags. Rob and Jeff, and in recent months, Robin, are great editors. I trust them, and am grateful for the freedom they give me, the opportunity I have to learn, and the humor and ethics they bring to their and my work. You have to be my age and have my experience, perhaps, to appreciate how rare that is.
A More Civil Net (Score:5, Interesting)
by Skyshadow
Jon -- You seem like a fellow who might have some small amount of experience with the lack of civility which is rampant on the Net. Given that, I have a two-part question:
a) Who do you suppose the main culprits are? Why do you suppose that certain forums (like /.) can be somewhat civil one day and full of trolls and flamers the next? Is it simply a matter of certain people skipping fourth grade classes for the day, the flood of newbies, a popularity thing or just the nature of the beast? This leads into the second part of my question...
b) Do you foresee a circumstance where the Net will ever be a civil place without compromising anonymity and free speech? Or is every net medium which tries to provide these things doomed to go the way of Usenet?
Katz:
To me, this is a truly significant issue, vastly more important than me. The first part is complex. We all know who the culprits are, immature people who will grow up to be great and creative human beings but aren't yet. And ideologues who hate people for having ideas that are different from theirs.
Slashdot is pretty typical for a Web site when it comes to general level of disagreement. Disagreement is one of the great benefits of the Net people who didn't have a voice now do. But Slashdot is abnormal for the way in which discussions are personalized. It often reminds me of what's happened in Washington, where all politics has become ugly and personal, rather than simply bi-partisan or ideologically divergent.
I think a big problem here is the conspiratorial and rebellious roots of Linux (fighting the Death Star) and also the Anonymous Cowards login. AC's can be very valuable, sources of news from corporations and governmnent, etc. But unfortunately, the name is too literal, an abuse of Rob's original idea. The lethal combination of anonymity, adolescent hostility and cowardice destroys any discussion.
In my own case, a number of posters have raised legitimate concerns about my being here, about my occupying this rare pulpit, about my motivations, but even these complaints can't be discussed because AC's simply don't permit any legitimate conversations to take place. It is not possible to have a coherent running conversation in public on Slashdot on any issue, whether you're Jon Katz or anybody else. And I aint the only person who gets roasted here. Go on any topic. The inability to have a coherent or civil public discussion is a major crisis for any group of people who purport to be a community. And it works against promoting the very values many of the people who post here share.
Rob is viscerally unable to silence, censor or exclude anybody, so I don't see that changing. But he's also a programming whiz, so I'm eager to see what he comes up with. But you're asking honest questions and you deserve honest answers, and the truth is, AC's have increasingly made Slashdot's Threads a laughingstock on the Web. I know some of you like to think you're laughing at me and people like me, but many of you would be mortified to know how many people come onto Slashdot to laugh at the nightmare that is Threads.
Rob's moderation systems have definitely made this better, and he thinks quite a bit about this issue.
The only way I can perceive civil discussions happening on sites like this is if topics were clearly identified, people were required to post under some form of recognizable ID, and experienced moderators with power kept the conversation on track and kicked out people who attacked ideas or posters personally or strayed off topic.
Personally, I'd offer people absolute freedom to comment on issues, but suspend people who assaulted other people verbally, and if they didn't stop, kick them off the site. There is no excuse or justification for the way they behave. People are responsible for their words as well as their actions.
I think the single biggest regret I have about being on Slashdot isn't the flames or the silly name-calling, but that nobody but me gets to see some of the most amazing e-mail in the world, not just to me but everybody who writes here -- from bio-ethicists, geneticists, programmers, brilliant geeks and nerds, educators. I've shared much of this mail with Rob and others so they can see it. None of these posters would dream of posting on Threads, and if they did, Slashdot would have the best technology discussions on the planet.
There is a staggering amount of hostility on Slashdot, which transcends disagreement. I think it's embedded deeply in the culture here -- as is intelligence and creativity.
The real casualty of this is that there's nowhere for people to go to have rational and informative discussions about technology: privacy, hacking, cracking, copyright, genetics, AI, nano-technology, supercomputing. The only discussions that are possible occur in the places where people know the least: mainstream journalism and politics.
Almost all of you have something to contribute about these discussions, but many of you choose not to. You'd rather flame and attack. It's your choice, but it does have consequences, for the site, and for the issues you claim to care about.
These public conversations have to occur, as digital democracy spreads and the Net collides with politics, and computing becomes more universal. But I'm afraid the precedent being set here is that they will only occur in restricted environments, because conversations aren't really possible in un-restricted ones.
Anti-Katz (Score:5, Interesting)
by Simeon2000 (irSc_addict@PhotmAail.cMom)
I am a Christian. I am a geek. I am not alone. Though we ChristoGeeks (a new demograph I just coined which you may proceed to patronize) tend to be a quiet group here on Slashdot, I felt the need to voice this question.
You seemingly never fail to rail upon religion (more often than not, Christianity) in each of your posts here. I haven't read your book, but more than likely you will do it in there, too. My question is... why? Obviously you are against religion, and seem to view it as a form of mind control/censorship. Did you have a bad experience with Christianity as a young child? Do you think the vocal minority of Christians in the public eye are obnoxious? Or is this simply another way to pander to your audience, who at the time is mainly composed of anti-Christian Slashdot readers?
Katz:
I love the term ChristoGeeks. I have a great reverence for Christianity as practiced and taught by Jesus Christ (see below). Were he alive today, I would be in his Church. And I hardly ever write about religion in any context. It's not a regular theme of mine at all.
If Jesus's teachings were followed today, we would live in a wonderful world. I have less affection and respect for contemporary organized religion of all faiths, which have, in my opinion, turned far away from such teaching. I do resent the so-called Christian Right, which intruded itself into American politics more than any other religion and often promotes censorship and a visceral distrust of technology. But I have also criticized other religions when they do this.
I believe religion has no place in politics, education or technology.
Some -- in fact, almost all -- of the people closest to me in the world are devout Christians, and in the original and wonderful sense of the term. But it's a word that gets tossed around quite a bit by people who have no real right to use it, and who greatly distort the spirit and the teachings of Christ.
I hear from many people who identify themselves as Christians. When I think of Christianity, I think of a faith that at its core, promotes charity, tolerance, generosity, love and peace. That's not what I see on Washington talk shows, where the so-called "Christian" agenda is often used to push for censorship, attack culture and technology, and force a certain kind of moral values on people who don't necessarily want them. Judaism and the Muslim Faith certainly do this as well, at times, but not nearly in so organized and vocal a way.
I also believe that religion, like all powerful institutions, needs watching and, occasionally, poking. It's not my purpose to give offense. But I have to say what I believe. Religion gets plenty of great press. It can handle a whack or two from me. (If you are interested, my last book, "Running To The Mountain," was inspired by the Trappist Monk and writer Thomas Merton. My ideas about religion are discussed there.) I don't mention it in my new book "Geeks", though.
-
PET Computer Article, Circa 1978
Anonymous Coward writes "Every month, Playboy features excerpts from current and historic issues. This month's historic issue is from 1978 and features a very brief write-up of the new Commodore PET computer." -
Playboy And...Linux?
The article's been up for only a little bit, but a huge number of people have e-mailed that Playboy's Gillan has done a column on Linux. It's a typical media piece explaining Linux, but being featured in Playboy, I think, means that we've conquered the media. And I have, of course, no comment on what the sheer number of submissions must mean about our readers. *grin*