Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
How's this for a little verification
From here:
"Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware. Are you listening, Apple? The FBI wants to buy your stuff. Talk to them!" -
Re:Revealing (and scary) line from TFA
It was first thought that Blaster caused the 2003 blackout for the USA. While it played a role (delaying several major reporting systems that should have alerted plant officials in time to trigger failsafes), it never touched the direct controls of the plant. Slammer did penetrate deep into the Davis-Besse nuclear plant, but by luck the plant had a 6-by-5-inch hole in the plant's reactor head (never thought I could say that about a hole in a nuke plant), so it was already shut down.
-
Re:Mainly bugfixes? You should do PR for microsoft
I was credited with discovery of the Safari flaw.
Due to lacking communications, Apple did not notify me in advance that the issue was addressed in 10.3.9, and failed to link to my independent advisory on the issue. Hopefully they will rectify that on Monday.
My advisory for CAN-2005-0976 is called DR001 and is available on my web site at remahl.se/david/vuln/001/. It has also been posted to bugtraq.
-
Re:ITS ABOUT TIME
this hole was found like
... oh yeah only like a day ago.
No, it was found 3 days ago.. Gentoo had the patch and a new ebuild that day. -
Affects people loading malicious MS Word files.
The advisory on SecurityFocus.
-
Counter-argument
I wrote an article back in 2002 (http://www.securityfocus.com/guest/16531), which was published on SecurityFocus, in response to Mullen's initial SecurityFocus article.
Not having read the book, I can't be sure, but according to the review there didn't seem to be much of a dissenting opinion in the book on the question of whether aggressive tactics are desirable (or effective).
That's unfortunate, since as you'll see in my article, I think a good argument can be made that aggressive network defense is both morally bankrupt and ultimately ineffective. -
Re:Drastic Measures
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
In addition to the already commented use of sending spam, zombied machines can be used to poison DNS servers. The poisoning basically involves sending lots of forged packets to the DNS server in what is known as a birthday attack. There has recently been a rash of these kinds of attacks, as documented by SANS. -
Yes, BIND4/8 are vulnerable
You're also wrong about BIND. BIND 4/8 aren't vulnerable to DNS cache poisoning. They correctly ignore attempts to poison their caches. Unfortunately, they don't bother to scrub the poison when they pass that information on to servers that forward to them.
From what you said about checking with AT&T, I suspect that's a typo, but if it's not, check this:
Google
The SecurityFocus article is especially good. Anyway yes, BIND4/8 are directly vulnerable to poisoning. Some later versions of BIND8 are fixed, but really, BIND9 is the way to go (imho). -
link with explanations
Here is a good explanation at security focus
http://www.securityfocus.com/guest/17905
-
Re:Informative Links
Reposting from the previous slashdot thread, responding to a djbdns user; note specifically that djb admits the forgery resistance is "quantitative, not qualitative".
While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.
That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):
- Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
- The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
- Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.
-
Re:Remember when viruses were cool?
Hybris is pretty neat!
I have this weird fascination with viruses and worms. Perhaps because they represent artificial life in the wild. And of course, they're pretty bleeding-edge when it comes to interesting software techniques. For example the Simile-MetaPHOR virus is pretty '1337'. Combining oligo-, poly- and metamorphism, encryption and entry-point-obscuring in highly advanced ways. It even uses genetic algorithms in a limited way to find a good 'shape' that resists emulation by virus-scanners. Self-updating viruses via newsgroups, hadn't seen those yet though. They usually use some central server that gets taken down quickly.
Creating viruses and worms as thought-experiments can be pretty interesting in its own right, but as long as viruses only alter their appearance instead of their nature, they remain pretty 'un-intelligent'. A virus that harnesses distributed computing in order to find new exploits through which to spread, THAT would be pretty scary. And highly non-trivial to write. -
Re:Not too surprising
Keynote costs about $1000 more and runs a lot slower (factor in outrageously expensive and slow Apple hardware).
Well, this troll was kind of funny, so I'll bite.
First, as you can read here, " many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. In the field, however, they don't have as much money to spend, so they have to stretch their dollars by buying WinTel-based hardware."
So they were giving their demo using Windows XP because they are poor, but they actually prefer Macs.
Second, you can get Keynote and Mac hardware that will run it flawlessly for far less than $1000. Even portables, although you may have to settle for a second hand one. (Or get an edu discount for an iBook, etc).
Third, since you haven't used Macs seriously recently (if ever), you can't really say they are slow. Leave those claims to people who actually know what they're talking about.
And last, even if a particular Mac is slow by today's standards, that is actually a moot point since you don't need a lot of power to run a decorous Keynote (or PowerPoint) presentation. -
WEP is dead
Sorry about replying to myself, but here's a better link for explaining how this attack works.
-
Re:I do not see any change
Sinus0idal: hmmm, I'm sure the whitehouse roof isn't quite that plain in real life
:-)ajm: Nor are the buildings next door a flat green color on top.
You're both quite correct. See the SecurityFocus article "Secret Service airbrushes aerial photos". Note that the link to the old vs new images has changed since the article was written - they're now here. You might notice a remarkable similarity between a couple of the retouched pictures and Google's White House imagery.
-
Re:Insecure Cookies
Microsoft solved reading other domains' cookies years ago, and they still do it now on a lot of their sites. What's funny is they have one department making an internet browser that has security restrictions on cookie usage, yet in another department they are thinking up ways to get round the security restrictions they put in place.
What's the betting on their Microsoft/MSN cookies being able to cross domains by default? Seeing as everybody wised up to their exploit game, perhaps they are seeking other ways to compromise people's privacy; advertising ain't worth shit without that all-important user tracking.
You usually judge people based on their previous actions, and with MS having such a piss-poor record on security and privacy, with obviously teams of programmers dedicated to getting round security restrictions (unless this exploit and those GUID servers were mysteriously unintentional), I wouldn't trust those fuckers with telling the time, never mind my security or privacy. -
Re:California Universities
- Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?
The reason you keep hearing about data leaking from Californian universities is because they actually follow the law, unlike some federal agencies.
A better question to ask is: 'What about all the privacy violations that you don't get to hear about?'
You need this law at the federal level.
-
Re:How To Make Easy Random Passwords
I read an article from SecurityFocus a while back that had the suggestion of using song lyrics as a password. In the example it gave, the first line from Led Zeppelin's "Stairway to Heaven" was used. Thus the line:
There's a lady who's sure all that glitters is gold
Becomes
Talwsatgig
Of course, you would then add in caps, numbers, or non-alpha characters as you see fit. And if you're thinking of hanging the "decryption key" on your cube wall, it's much less conspicuous with song lyrics than a sentence such as the parent's example. -
Re:Canada
Evidently, the CRMP are great at sifting through Mac OS X, too.
-
Re:Don't start from scratch
Me too, I like my software with fresh exploits.
-
Re:there has NEVER been ANY exploits for MacOS EVE
Just doing a quick search through BugTraq, there were many exploits for Webstar under Mac OS X. But here's one from an early release--so don't say there are none, just some that weren't as thoroughly documented (because, frankly, who cares).
-
Re:in other news
Seems the link is not working now! http://www.securityfocus.com/archive/75/393292/ Really, something should be implemented to stop stuff like this. http://www.securityfocus.com/archive/75/393292 God damn it, slashdot, why doesn't the link work?
-
YOU may not run them...
If you follow the link in the article to the original entry from SecurityFocus, you'd see that a malicious remote user compromised a machine that was patched up to current.
Seriously, if you're letting people log onto your PC and run fork bombs, you have far greater problems than a lack of resource limits in the default install.
Look, you seriously misunderstand something here. Run a server long enough and it gets very likely that even with the latest patches, you will get attacked. If someone breaks into your box, exactly how much power do you want them to have?
The ability to bring the machine to a screeching halt with an attack that dates back to the Land Before Time is not a feature! It is a security hole, and it's every bit as important to fix as your externally visible holes.
Because, one of these days some cracker is going to get the drop on your box. You'd better hope your box is ready for that. -
in other news
script kiddy admits to fork bombing... http://www.securityfocus.com/archive/75/393292/
-
more then 1 million.
I sent an email to my ISP complaining that my machine was attacked over 100 times in 30 minutes by zombie computers. They don't get that it was already compromised machines; they thought it was just port scanning. You know what ports got hit the most? 135, 137, 139 and 455. Guess what that is? NetBIOS. What does NetBIOS = ? Yes, you guessed it: Microsoft. The only real way to get this type of stuff to stop is no1 make sure people are NATed, no2 if people do have their machine compromised and it starts annoying other people with constant exploits being sent at you, they should have their ISP account taken away from them until they fix it up. Granted, not all machines that are compromised are Windows machines; a lot of them are poorly administered *nix boxes, but only about 10%. As you can see from http://www.securityfocus.com/archive/75/393292/ here, you can make joe user update his Windows box, but you can put him behind a firewall so the only bugs he can get hit by are IE bugs or other things along those lines.
-
Re:Because RAR files can be trojan'ed.
Was fixed a couple years ago.
-
Re:Yet somehow, it does.
The implications here are grave, and important. Additionally, what should be questioned is:
For how many years have ATM terminals been exposed to the entire internet? The 2003 nachi worm exposed the fact that important financial networks have been susceptible to exploitation for a long time.
It's the more embarrassing to realize that none of the so called Analysts, Gartner Analysts (a $9 billion advice giving outfit), or so called security experts, who now have the gall to pontificate (http://www.securityfocus.com/), had anything useful to say prior.
No it took some script-kiddy with too much time on her hands to post a worm to mirc networks (perhaps) to bring the real issue to the fore.
The dangerous ones are not the worm writing script-kiddies, it's the smart ones who notice the vulnerability and exploit them quietly.
Simply: prior to Nachi, no one can account for what went on [skimmer], except that your accounts were unsafe and exposed; after Nachi you at least have the opportunity to know it.
-
Re:s-l-o-w ATM keypad
Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.
The modern PED is a physically and logically self contained tamper-resistant unit that encrypts a PIN within milliseconds of its entry, and within centimeters of the customer's fingertips. The plaintext PIN never leaves the unit
I doubt the PED, which is the part of the ATM that handles PIN entry, is also windows based. The problem is likely just bad programming.
- http://www.securityfocus.com/news/9161 -
Yet somehow, it does.
Existing Windows XP Embedded based ATMs, made by Diebold, have already been affected by Windows XP-targeting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes: if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?
I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.
And I somehow suspect that in five years, when WinXP Embedded ATMs are everywhere, if anyone observes it as odd how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"... -
Re:Scrambling?
It was reported on Bugtraq on Feb 13. Here: http://www.securityfocus.com/archive/1/390378/2005-02-07/2005-02-13/0 -
Linus' Security Practice
Cox may have had a good point on Linus' methods for security patches, but fortunately the community has spawned sites such as this http://www.securityfocus.com/ to publicly announce when people find security flaws from poking through the patch code.
Even if Linus tries to keep these things secret, they'll get out quite quickly. -
Re:Firefox isn't made by Microsoft.
Interestingly, FireFox 1.0 is vulnerable to an arbitrary code execution via drag&drop vuln that was first discovered on IE:
http://www.securityfocus.com/archive/1/391526/2005-02-22/2005-02-28/0
Works on Windows and Linux apparently. -
Guess what kind of laptop Clarke uses
Actually, in a Frontline documentary, Cyber War (I recommend watching the streamed video), which directly relates to the original posting, Richard Clarke singles out Microsoft for being negligent for their lax security. I would have to agree. For the past few years it's been either viruses, annoying Windows Messenger pop-ups, worms and finally spyware that has plagued Windows users. The last problem highlights just how negligent Microsoft has been when they could have implemented pop-up blockers and by default have restrictions on ActiveX downloads, when all other web browsers had pop-up blocking two years before Microsoft finally implemented it in XP SP2. Every week I have several people come into my office because of spyware issues, which I'm starting to believe really does afflict 90% of Windows PC users now. On the weekends when people find out I'm a systems administrator, or I run into friends, they're always asking me how to disinfect their machines from spyware, viruses and other issues. I feel I should reprint my business cards with the URLs of Spybot, Adaware, McAfee VirusScan, Firefox and other tools on the back of the card. I'm honestly fed up of saying the same old thing every weekend when I'm not at work. At work it's part of my job, but it's irritating and annoying that so many people are afflicted with security issues that Microsoft neglected for so long because they had to try to cram as many features as possible into their bloatware.
During the Frontline show you'll see Clarke using his slick PowerBook G4. It's nice to know I'm in good company, using a platform that represents a small yet prominent minority. These days, unless my users have a specific application(s) that only runs on Windows, my usual recommendation, because of all my frustration with Windows, is for them to get a Mac. If they can't afford to upgrade their hardware to Apple yet, I point them to the most popular Linux distro sites (except Red Hat) or BSD flavors, but I do warn them that there is a little bit of work involved to get their environment set up right. For those people who like to argue that Windows has more security issues because it's more popular, I say that's baloney. Five to six years ago it was my SGI Irix machines that kept getting hacked into once or twice a year, SGIs representing the smallest Unix flavor we had at the time and significantly smaller than the Mac population. Over the past 3 years the number of Windows security issues has exploded exponentially, to where I can't in good conscience recommend it to most folks.
A Visit from the FBI Seems like FBI prefers Mac OSX as well.
-
Listening to Richard Clarke
As a bona fide news junkie, my opinion after watching this guy across many networks for the last several years is that he is most interested in his own reputation. Not by exhibiting stellar ethics or by being correct on the issues, but by gilding the facts to best deflect the personal criticism of the moment.
As far as his statements in S.F. regarding Microsoft's security practices, he has a good point. But said security practices are so bad, someone mentioning it is akin to a toddler informing me that water is wet... it doesn't take a highly developed intellect to come to the conclusion.
Considering Richard Clarke's Clintonesque respect for 'the facts', why would anyone give him a serious ear? Most especially on a topic where he isn't saying something both true and unique from what other people are saying.
The left in America (I'm sorry, the People's Republic of America) seem to love the guy, but for the open minded who desire to learn more about him I submit:
Time Magazine article from 03/2004
Security Focus from 02/2003
The Daily Standard from 03/2004
Ethical men give you the facts like a recording; beware of folks whose version of what they call 'facts' develops over time, especially when it takes a self-serving direction.
-
Re:I'm no zealot
You are indeed correct. Found a good article on IIS security here. Looks like Microsoft is finally taking cues from Apache on how to design a webserver.
-
absolutely!
Yep. I first learned about it in my forensics coursework.
For more information on this, this Google search produced some good sites explaining this.
Also, in just conducting that search, I learned that 2000 and XP is apparently immune from this particular problem, according to this site.
"With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes. ...
But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters." -
More info
Kevin Poulsen provides some more details on SecurityFocus.
-
privacy protections that apply online are statutor
As this anonymous post on security focus points out:
The obvious error in this analysis is that the relevant privacy protections that apply online are statutory, not constitutional. So they are unaffected by Caballes. -
Re:Inaccurate Inaccurate comparison
-
Re:NAT
Universities are not ISPs, so this is not really a valid point.
Not only are universities ISPs, but they're also monopoly ISPs. You try getting a standard residential cable or DSL connection in a residence hall.
My (theoretical) hack was to change the NAT software so that it forwarded transparently.
Would the ISP trust your h4x0r3d NAT software?
And if I cannot connect using my chosen operating system, then I will simply switch ISPs.
If both the local cable ISP and the local DSL ISP switch to "trusted" access, then how much does it cost to move house?
it provides no benefit to the ISP
Other than possibly pretending to control the spread of viruses?
-
Re:80% redaction
> Whatever they get will likely be 80% redacted. How is that useful? How is that freedom of information? You ask for info and they black out much of the useful stuff.
Well, if they did the redaction digitally in a PDF, the information could be pretty damned useful after all, as long as you render the PDF on a sufficiently slow PC.
-
Re:Typical lies...
Read point #2 on that site. The technology that makes 'Trusted Solaris' Trusted is being incorporated into Solaris 10's standard version for a single codebase. "Trusted Solaris 10" will be certified (NSA's Trusted OS cert), and have Sun's support contracts, etc.
All the major OSs: Mac OS 10.4 Tiger is getting ACLs, with SELinux Linux will get ACLs, Sun's free version will have ACLs.
What about Windows?
-
Re:But will people use it?
Maybe we need a couple more of these: http://www.securityfocus.com/news/10271 before the general public wakes up
-
Re:a better question
just found that on ciphire's forum, seems like a good reason: http://www.securityfocus.com/news/10271
-
Re:Details???
Perhaps you should read WEP: Dead Again, Part 1. It compares various WEP cracking tools to see how fast they can crack WEP keys with varying amounts of packets. While the popular AirSnort usually needs over 10 million encrypted packets to crack a WEP key, aircrack usually needs around 500,000. That's the difference between being able to gather enough packets in a day versus a week or more.
-
It's a good thing Firefox is secure! Oh wait...
-
What about the budget
They budgeted quite a bit of hard cash to develop Carnivore...
so who is going to be held responsible for that wasted cash due to bad planning?
IMHO that's a ton of money that can be used for many useful things... it was taken from our taxes... and now just sits on some cvs server (assuming they save it).
That cash could have been used to pay for some armor for troops deployed in Iraq. Or perhaps fund development of improved airline security equipment... something that would be beneficial.
Why the hell did this get approved if commercial equivalents were in the works? What seriously ill planning went into that?
If the FBI were a company... heads would roll. This wouldn't be acceptable.
BTW: This page has a small image of the carnivore logo (for anyone interested). -
Oh, the humanity!
Check this little image from the article. "Carnivore's official logo shows blood-soaked incisors closing over a stream of data". EVIL!
It's a packet sniffer that reconstructs data (mail and web sites, as it seems from the article), not a boogieman! I agree, it can be a dangerous tool for privacy in the wrong hands, but still, it's not like you can just put it in your PC and start reading your neighbour's mail. -
Re:M$ from /www.dsps.net/History.html
-
Is it just me?
Is it just me, or is half the story one big long link?
AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."