Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:Sounds like an insurance company line
What do you mean "smart enough to get out of jury duty"?
For example, what I wouldn't pay to be allowed on the jury of SCO vs. IBM (read the docs, they all say "jury trial demanded"). True, true, I would undoubtedly be weeded out for having formed an opinion about the case already...
But there are other important cases out there. Like this one mentioned on SecurityFocus which says that lending one's password may be criminal, not merely civil, if the publisher doesn't want them to have access, even if there would be no crime had the lender performed the access on behalf of the other person...
If you're always sneaking out of jury duty, don't complain if idiots decide the cases :P I'm just glad that there are at least a few of us smart enough to know that it might matter some day who will serve in spite of the crappy pay, etc. -
Medium my arse!
VULNERABILITY ASSESSMENT: The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges.
Yeah, right, medium. It is just a root exploit after all... Medium my arse! The fact is that the exploit has been circulating for quite some time now on irc and freenet. And are we supposed to believe that it was just an accident that a god damn root exploit has been included in the freaking passwd? Have you seen the source code of this thing?! An anonymous friend of mine has told me that there are quite a few strange lines of code not only in Linux. But guess what? It's quite hard to get Solaris source code to audit and patch it yourself, unless you have some ties to the underground. Medium... Yeah, right...
-
Forcing all emails to plain text
Blatantly stolen from: http://www.securityfocus.com/archive/1/354844/2004-02-22/2004-02-28/2
In Outlook 2002 (aka Outlook XP, aka Outlook 10) and later, you can disable the automatic display of any kind of non-text content by forcing Outlook to render all email as plain text. This is a huge improvement over normal Outlook behavior; besides making Outlook much less dangerous, it spares you annoying markup of all kinds.
Create the Registry key
HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\READASPLAIN
as a DWORD and set it to 1. -
Destructive payload
Actually under simulations worms with a destructive payload could still spread well. Check out the following article
The relevant quote is: "At the end of this simulation run, there were 2,774 infected and 1,979 not infected systems left, of an initial 166,730. While this not quite "annihilation", it does mean that within two minutes, 161,977 hosts or about 97% of the vulnerable population were wiped out."
Note, the article is focussed primarily on the spread of worms in a closed network, rather than on the Internet.
-
Mercedes, not GM
Actually, it was Tele Aid, Mercedes's version of the system. And the practice has been suspended, but not for privacy reasons.
-
What kind of moronic BS is this?
"It's a myth that hackers find the holes," said Nigel Beighton
Of course they don't, security researchers find the holes. They believe in full disclosure, and tell the hackers. Who create exploits, way before there is a patch, and often before the vendor (especially in the case of Microsoft) has responded to the notice.
Now that's good, but c'mon "We have never had vulnerabilities exploited before the patch was known" is just criminal ignorance. Let's all go visit Packet Storm and click on last 20 exploits, or Bugtraq and see if there's any talk of exploits without patches. Or, wait, we could go straight for Vuln-dev and see exploits as they are developed.. which is [sarcasm]OBVIOUSLY by reverse engineering patches[/sarcasm].
If this guy wasn't fed this FUD by marketing droids, and he's really supposed to be in charge of "security", he should be fired.
-
Re:I love the smell of Antitrust Lawsuits in the m
How many times do I have to say it? If everybody's grandma used Linux, viruses would be just as widespread. Look at the dates on these vulnerabilities.
-
Re:IPSec working..
It's probably the fix for unauthorized deletion of IPsec (and ISAKMP) SAs in racoon as racoon now contains the string "ignore information because the message has no hash payload" which is from the patch.
NAT-T is supported by Mac OS X, however it's not interoperable with anything apart from Mac OS X as Apple chose to use their own NAT-T Vendor ID (which is used for NAT-T detection) and also they have implemented the latest versions of the NAT-T and udp-encaps drafts only, which nobody else uses.
-
LOCKSMITH?
Does this new version still use "LOCKSMITH" for the backdoor password? Or has it been changed to something else?
-
Re:Ahem...
Quoting a Bugtraq post:
- non-executable segments do add some security value
- non-executable segments is arguably an obscurity defense, because
attacks exploiting overflow vulnerabilities that are stopped by
non-executable segments can always be re-worked to be "return into
libc" style attacks that bypass the non-executable segment by pointing
directly at code in the code segment
- this obscurity defense arguably has value, because writing
return-into-libc exploits is hard, and hard to make scriptable,
because the offsets are fussy.
- non-executable segments do add some security value
-
At last, consumer CPUs catch up with the Alpha
Several architectures (sparc, sparc64, alpha, hppa, m88k) have had per-page execute permissions for years.
See This BugTraq posting by Theo de Raadt -
Re:what a drag
No. i386 does not have a per-page execute bit. Many other architectures do, but i386 is not one of them. I'm sure some googling on the subject will be quite enlightening. As one example though.
-
Re:the Chipmaker???
I assure you it's not just Microsoft who's to blame.
-
rebooting on mars...
Interesting reading:
Rebooting on Mars
By Matthew Fordahl, The Associated Press
It's a PC user's nightmare: You're almost done with a lengthy e-mail, or about to finish a report at the office, and the computer crashes for no apparent reason. It tries to restart but never quite finishes booting. Then it crashes again. And again.
Getting caught in such a loop is frustrating enough on Earth. But imagine what it's like when the computer is 200 million miles away on Mars. That's what mission controllers faced when the Mars rover Spirit stopped communicating last month.
...Tech support for an $820 million mission is a cautious affair. Tools to recover from and fix any problem must be built into the system before launch. The systems' behaviors need to be completely understood and predictable.
"Luckily, during the design period, we anticipated that we might get into a situation like this," said Glenn Reeves, who oversees the software aboard the Mars rovers Spirit and Opportunity at NASA's Jet Propulsion Laboratory.
For stability, reliability and predictability, mission designers did not bust the budget and design the hardware or software from scratch. Instead, they turned to hardware and software that's been used in space before and has a proven track record on Earth as well.
"The advantage of using commercial software is it's well-known, and it's well deployed," said Mike Deliman, an engineer at Alameda-based Wind River Systems Inc., which made the rovers' operating system. "It has been used throughout the world in hundreds of thousands of applications."
The operating system, VxWorks, has its roots in software developed to help Francis Ford Coppola gain more control over a film editing system. But the developers, David Wilner and Jerry Fiddler, saw a greater potential and eventually formed Wind River, named for the mountains in Wyoming. VxWorks became a formal product in 1987.
-
Re:It's not just the admins....
Sorry if the comparison didn't seem fair. That was not intended.
Of course, vulnerabilities are not only attributable to lazy admins, who don't update or patch their systems frequently. I was oversimplifying here to make a point. And the point is this: considering the stats from the article, Linux seems to attract more successful attacks than BSDs. How comes? Browsing bugtraq shows that most vulns are from userland apps, that are often not even part of the base BSD systems. The bulk of attacks are against commodity software that is widely used on both platforms. It just happens, that those programs are often running by default on vanilla Linux distros, whereas they are disabled in default BSD versions. Now what happens is obvious: an average sysadmin on Linux would have to know about the problem and either install firewalls, or close ports. But if they didn't nothing would prevent the system from working. In contrast, the average BSD sysadmin would have to enable additional software (installing from ports, etc...), thus always making a conscious decision to punch yet another possible hole in the wall, so to speak.
You're right in many aspects. Stack protection, as implemented in OpenBSD would be a great addition to the other BSDs, to Linux and Solaris as well. That would already prevent a whole lot of stupid coding errors and associated mistakes. String API improvements like strlcpy() and friends are also great, and I'd love to see them replacing strcpy()/strcat() too. Absolutely and fully.
-
Are Unix systems secure?
As Unix(*) users, we feel pretty confident when confronted with this kind of a.exe crap. But seriously, what would have happened, if the file was a Linux executable? A shell or perl script? Are we still secure? Maybe, maybe not:
- It depends what browser we're using. Browsers on Unix normally don't execute remote code, but the more browsers we use, the less we can be sure.
- Are our rendering engines (Gecko and Konqueror) really immune to buffer overruns of malicious web sites? We don't know for sure. Most of us are aware of Konqueror dumping core, but no harm is done, because a Windows virus couldn't start. What if the remote site contained valid Linux instructions instead?
- A whole class of vulnerabilities consists of so called cross site scripting vulns (see bugtraq).
- Even if an executable runs with the permissions of a regular, non-root user, are we still secure? I've seen setups where the user was member of group 0 (wheel), which opened up a whole lot of potential vulnerabilities.
The biggest asset of the Unix community is still the high level computer literacy amongst its users. We're smarter than regular Windows users on the average, and we know better than to blindly click on links when we're being told to. But with growing Linux popularity, we're bound to "inherit" more unsavvy and clueless computer users, which would be just as malleable as Windows users.
The last line of defense(tm) consists of just two principles:
- We don't run our browsers in kernel mode.
- We don't use the root account for regular activities (right?).
Will that be enough, once spammers start targetting Linux? Let's hope for the best.
(*) Unix in the generic sense, not Darl's.
-
Re:jesus
He stated that if you think Windows is bad now, you should have seen Unix 20 years ago.
Yes, but we didn't have the internet then, at least not even close to the form today. Something that is not networked or on a small network is by nature more secure than something publically accessible world-wide. Plus you are just re-inforcing the argument -- Windows is 20 years behind the times in security.
Actually you can screw up your Unix/Linux machine faster as root... 'kill -9 -1'
Two problems with this: (1) it is a security discussion, not whether you can screw up your system, and (2) you can't easily accidentally type 'kill -9 -1'. There's no 'kill -9 -1' button that you might accidentally press. Windows is insecure because it does a lot of things automatically and without your knowledge. The most obvious security related one is running email attachments, which is the primary way that a virus spreads through Windows systems. You just can't do it like that in Linux.
No group is better/worse.
That's debatable, but not the point. It's a strawman argument. Nobody is questioning the quality or intention of programmers on either side. But Linux is clearly superior to Windows in terms of security using just about any metric or argument you can think of (that stands up to scrutiny). Nobody is saying Microsoft is intentionally putting security holes in Windows. Nevertheless, they are there. And yes, there are security holes in Windows. But again, comparisons continually show that, overall, Linux is more secure.
-
Re:jesus
No his point was if windows users used linux like they do windows then Linux wouldn't look so hot
...which is exactly synonymous with "if you use Linux insecurely" because Windows users use it insecurely. Not only does that meaning seem obvious, but both you and the original poster implicitly stated it. The statement "...like they do Windows..." means that people don't use Linux like they do Windows, and don't have the problems.
Have you seen the kernel exploit lists for the 2.4.xx series? I thought not.
Actually, I have seen a report on them, though I can't recall where, but so what? It's a comparison that is important, and when you do so, such as here or here, it is quite clear that Linux is more secure than Windows, independent of their popularity.
-
Even Eeye recommends Nessus
If you don't have the budget for Retina, try Nessus. Even Eeye recommends it, in this post on bugtraq.
-
Re:Some tools
MBSA is a decent supplement, but it really is a Systems Administration tool - not a security audit tool. It is FAMOUS for false negative results, detecting registry artifacts of overwritten patches, etc...
GFI is a better bet. Retina really does the job.
Check out the Archives of the pen-test mailing list at SecurityFocus.com
-
Gov IT/Developers should be reviewing already
Government, and indeed any business, IT people and developers should have processes in place to be checking for these types of issues anyway, regardless if the software is "open" or "closed". It just makes sense that if you are going to depend on it for your success/failure. This should also include watching for maintenance updates and bug fixes. Watching the Security Focus Linux and MS lists shows similar numbers of discovered exploits. In a lot of cases the same tool has the same exploit on any platform on which it is installed. Bottom line, decisions should be made on what the software can do for you and how well it's built, not on whether it's open source or not.
-
Re:The Union of the Two Towers...
Oh, and then think about getting a dish.
But please read up on the company first...
<grrr> -
Re:Critical power and water utilities
"Utility computer systems are not attached to the Internet. They will not be directly exposed to attacks based on this or any other security flaw."
Sorry, you are wrong, it is well documented that the Slammer worm penetrated a nuclear power plant's safety monitoring system. -
Re:I wonder which
There is no FUD in them there hills:
Found on the bugtraq mailing lists, opera features a wide range of buffer overflow, arbitrary code execution, local file access vulnerabilities, etc. etc. Have a look. Some of them are quite nasty.
There have also been instances where Opera has not been quick to respond, these too are documented in the discussion groups.
As far as I can tell the last Opera Only reported vulnerability was 12-23-2003.
Opera Vulns
As far as open vulns go, that doesn't happen much these days. The hackers usually contact the vendor before posting their exploit. -
And MS *lies* about the attack potential
various snippets from the BugTraq discussion
"In the security bulletin published by MS it states,
"In the most likely exploitable scenario, an attacker would have to have direct access to the user's network."
The bulletin published by eEye states
"...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [are affected]".
I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"
Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
For example we setup a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
If you're running, Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
Don't try to guess if you have any of the affected protocols or applications (lets not forget third party apps using the MS ASN library), just install the patch.
Client side, server side, world wide.
Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security -
Re:Who do you trust?
Besides 10K records is piddly squat! What was the quote from the recent Slashdot linked article, oh yes
"One way to trace just how bad the situation has gotten: track the price for a million credit card numbers. Just a few years ago, Dave saw prices of $100 or more for a million stolen credit card numbers. Now? Pennies. Stealing credit cards is so easy, and so rampant, that prices have dropped precipitously, in a grotesque parody of capitalist supply and demand. "
So 100X the number of records you have has a value of pennies according to an FBI cyber security expert. Basically anyone working in DB or as an analyst for a telemarketer which has a bank or credit card company as a client has access to many times that many records and crooks who break into ecommerce sites DB's do as well. -
Re:FUD
Do your research.
Found on the bugtraq mailing lists, opera features a wide range of buffer overflow, arbitrary code execution, local file access vulnerabilities, etc. etc. Have a look. Some of them are quite nasty.
There have also been instances where Opera has not been quick to respond, these too are documented in the discussion groups.
As far as I can tell the last Opera Only reported vulnerability was 12-23-2004.
Security Focus Search
As far as open vulns go, that doesn't happen much these days. The hackers usually contact the vendor before posting their exploit. -
Re:You think you've got problems
You're proposing a browser that's not even out of beta for corporate use? I wouldn't consider that a particularly good idea
Oh really.
Why You Should Switch to FireFox
"Further improvements to IE will require enhancements to the underlying OS"
Secunia Internet Explorer System Compromise Vulnerabilities. Solution: "Use another product"
The Twenty Most Critical Internet Security Vulnerabilities IE: Number four.
"we are not aware of any vendor-supplied patches for this issue"
Patch for 'critical' IE vulnerability doesn't work
IE full of holes, unsafe: Security experts
AMS Vice President and CTO: Mozilla Firebird is a Tier 1, Best of Breed Open Source Application
I don't care if it's a beta. Firebird/FireFox/Whatever is simply a better product than IE in every conceivable way - with the pertinent exception of branding, but including stability and security. So what exactly makes its use at a corporate level a "bad idea?"
-
Instant Worms.
What scares me most is This Article. Even understanding that one of the assumptions was that any two pairs of hosts communicate at the same rate, It's frightening.
Theoretically wiping out 40 million hosts in under a minute....
I'm guessing that a real-world implementation would probably take closer to 20 minutes, but still it's mighty frightening.
Just about the only way I could see to stop its spread would be to make smart routers, switches, and even hubs that quickly seal off any services on which there is a sudden surge of SYNs from random hosts.
-
A sane admin pays more attention to THIS
I'm surprised the crash made slashdot, but not the root exploit in BSD that was posted to BugTraq at the same time. To wit:
http://www.securityfocus.com/archive/1/352733 -
Re:Irony
while to them your computing skills amount at best to some mild entertainment on a slow evening.
Mild is an overstatement.
I'm not suggesting that everyone be IT professionals. I realize that some people aren't interested. But I liken it unto this: In order to drive a car, you must pass certain tests, most importantly a driving exam. I'm not going to pretend that computers are as dangerous as cars. I would never suggest that not knowing how to use a computer could end in potential disaster.
Let's keep this car metaphor going. Let's say I am going to purchase a car. Should I blindly walk into any dealership and purchase the first thing the salesman attempts to sell to me? I might end up with a Kia or a BMW. Further, I might not know what is IN the car. Maybe OnStar is spying on you. Maybe your car will break down because it is poorly constructed.
No one is going to walk into any purchase completely blind. Why would someone put something on their computer that they don't know what it is? If there is a possibility of danger (or at least mild irritation), it seems like a good idea to take a look at the product and ask questions.
Would you, without internet access (to get you as much out of your element as they are on the 'net) even know where to _start_ looking for information on what can be hidden in yours?
If you don't have Internet, most of the spyware programs would be obsolete. I'll pretend that had nothing to do with spyware and was an attack on my line of thinking. So, yes, I would know where to start. I would probably go first to a library, the Google of the real world, and check, perhaps, the card catalogue or a computer based search system (if they indeed have one). I would, next, consult local watch peddlers. Finally, I would talk to people about it. Get their verbal reviews. That seems like a good course of action that wouldn't require me to know EVERYTHING about something, as I don't know everything about every software I use (e.g. if it runs UDP or TCP or even uses the internet at all), but still gain enough knowledge to make a good decision. We can only do as well as we are equipped (But I am arguing that, with spyware, we are all pretty well equipped to find answers).
Your well being and even your _life_ depend every day on people whose field of expertise _isn't_ computing science
There is no denying this. However, computers are really prying their way into most fields. If people don't know how to use them, they may not be protecting my life and/or well being to the best of their ability.
Would you prefer that the next time you need surgery, you're in the hands of people with l33t h4x0r skillz, or in the hands of _surgeons_?
That depends on if the 133t h4x0r people know anything about surgery. I would suspect they wouldn't be doing it if they didn't know how, esp. seeing as to become a licensed surgeon, you must pass all kinds of tests and pretty much know what you are doing. So, I'd rather have the person who knows the most about what they are doing.
Now, funny how we are back to passing tests. When you are dealing with something that is potentially dangerous (or at least mildly irritating), you should know what you are dealing with. Like I said. I'm not suggesting that computers are the most dangerous things, but sometimes bad things happen. Further, I'm not asking that everyone be experts. I only ask that people know how to drive before they get in the car to drive on the open roads, and that people know enough to ask questions when purchasing a car. -
Re:My solution:
My solution:
Note that this NY Times article came about as a result of the reporter reading Scott Granneman's most recent column, discussed on Slashdot, which first appeared on SecurityFocus. The FBI article, in turn, was a result of an FBI agent who contacted Scott in response to yet another SecurityFocus article, Joe Average User is in Trouble.
Interestingly, this entire discussion stems from the limitations of semi-literate (read: average computer users) that many of us forget about when we discuss the latest trends and technologies. My concern is that the gap between the computer literate and the semi-literate could possibly be greater now than it was in the mid 1980s, when computers were quirky and used mostly by hobbyists and very specific business-related activities, and few people owned them for home use in the public at large.
The frustration seems to stem from not just the myriad of viruses, but also the necessity of weekly anti-virus updates, spyware, and the absolute requirement for some type of firewall on Windows-based computers. I dare say that the level of technical knowledge to maintain a computer today is higher than it was twenty years ago. People seem to gloss over ideas like this but having been involved with computers for more than twenty years, I think it's important to reflect on this once in a while. Regards, Goalive - who was given 'bad karma' on Slashdot because not everyone shares his sense of humor :-/ -
hey! cool!
slashcode developers could learn from this, given their track record with XSS vulns:
http://www.securityfocus.com/archive/1/280218/2002-06-28/2002-07-04/0
(also provides a good example for people asking "what's an XSS?") -
Re: tactics that look a lot like extortion
Thank you so much for that last paragraph! Lest we forget...
"Backed by a legion of lawyers and empowered by the Digital Millennium Copyright Act, former FBI agents in the company's Office of Signal Integrity have staged raids against businesses that deal in piracy equipment, seizing customer lists and inventory with armed law enforcement officers as backup. ...
Targeting pirates for their piracy is difficult, if not impossible, since receiving DirecTV is a passive operation. So instead the company is going after people like Sosa, who have purchased hardware from one of the equipment vendors shut down in the DMCA raids. Critics say that approach is misguided, and is snaring innocent hobbyists and security researchers, some of whom have never even owned a satellite dish."
- Poulsen's article
<grrr> -
Augment, Not "Replace"
The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc. -
In other news:
There were recently a couple of good articles over at SecurityFocus:
Internet voting system for overseas Americans is vulnerable, security experts say - and their comments extend to a scathing debunking of *all* internet voting methods.
A slightly older, but very thorough, article by Scott Granneman entitled the Electronic Voting Debacle.
Oh, and I can't leave without mentioning the essential Black Box Voting site...
[posted as an AC as I don't want to whore the karma] -
Securityfocus link
This may be redundant, as I read from bottom-up.. but I found an article recently that concerned this phenomenon....
Securityfocus.com ran a story on this.
-
How to filter the worm:
From a posting on the SecurityFocus Incidents mailing list:
------- Forwarded message follows -------
From: lsi <stuart cyberdelix net>
To: focus-virus securityfocus com
Subject: how to filter the Novarg virus
Send reply to: stuart cyberdelix net
Date sent: Wed, 28 Jan 2004 17:35:57 -0000
I have devised a near-bulletproof Novarg filter.
The following regular expressions trap this virus dead, no matter
what subject line, message body, or filename it uses:
If expression body matches "UEsDBAoAAA*" Move [virus folder]
If expression body matches "TVqQAAMAAA*" Move [virus folder]
This is because the worm is in fact the same program with many
disguises. However the program looks the same when encoded with
MIME. Therefore, the above are basically 'MIME sigs' which work just
like a virus signature in a regular virusscanner.
So to find it we merely filter on the MIME strings above, which are
the first 10 bytes of the MIME content section.
For users without enterprise-class content filters (such as me),
these two regexp's work like a silver bullet.
(That two different sigs are required suggests there are two versions
of the virus in circulation.)
No silver bullet for auto-notification messages, unfortunately :(
Stuart
------- End of forwarded message ------- -
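An added example, not part of the forwarded message or of the archive: it decodes the two quoted base64 prefixes to the raw bytes they pin down and applies them to a parsed message, which shows that the first is a ZIP local file header with version-needed 1.0 and the second is the usual start of a Windows executable header, so the match is on file type, not on one program. The function names and the three inert attachments (header bytes plus padding) are constructed for the illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# The two prefixes quoted in the forwarded message, without the trailing "*".
MIME_SIGS = {"UEsDBAoAAA": "zip", "TVqQAAMAAA": "exe"}


def decode_prefix(sig):
    """Decode the complete 4-character base64 groups of a prefix to raw bytes."""
    usable = len(sig) - len(sig) % 4
    return base64.b64decode(sig[:usable])


def scan_message(raw):
    """Return (filename, label) for each base64 part whose encoded body
    starts with one of the prefixes."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        # Remove the line breaks MIME inserts into the encoded body.
        encoded = "".join(part.get_payload(decode=False).split())
        for sig, label in MIME_SIGS.items():
            if encoded.startswith(sig):
                hits.append((part.get_filename(), label))
                break
    return hits


def build_sample():
    """Constructed message carrying three inert attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    samples = [
        # ZIP local file header: version-needed 1.0, flags 0, method 0 (stored)
        ("stored.zip", b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + b"\x00" * 20),
        # ZIP local file header: version-needed 2.0, method 8 (deflated)
        ("deflated.zip", b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20),
        # Common first bytes of a DOS/PE executable header
        ("setup.exe",
         b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sig in MIME_SIGS:
        print(sig, "->", decode_prefix(sig))
    print(scan_message(build_sample()))
```

The deflated ZIP header is not flagged while any attachment that starts with the common executable header is, which is the coverage and false-positive profile to expect from a prefix match of this kind.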
12 vulns. in GAIM
IE? Nobody here uses IE :-P. I think these problems with GAIM are more of a concern for the slashdot readership.
I hear they've been fixed in debian. (no link, so you better check for yourself)
-
Re:Next stumbling block..
Is a printed out list of file names and an ip address enough evidence to award thousands or even the millions of dollars the RIAA was shooting for? Anyone who has ever used a P2P application knows for a fact there are tons of fake material floating around. In fact some sources (here, here, and here) indicate RIAA represented companies were behind some of the fakes. Don't forget the people that were sued previously that had nothing illegal. The RIAA's tactics of carpet bombing is not an exact science.
-
Re:Not irrelevant
Compulsory retention of logs is coming. It's happened in Europe, and it's about to happen in the States.
"An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan."
"After delaying for about two years, U.S. President George W. Bush recently asked the U.S. Senate to ratify the Council of Europe Cybercrime Convention, a global agreement apparently created to help police worldwide cooperate to fight Internet crimes." -
Not a precursor
Is this a precursor to DRM in ... output devices?
Precursor nothing, this is apparently already happening...
From one of the links: I did some investigating on my own computer and discovered that HP has also been shipping currency anti-copying software in their printer drives since at least the summer of 2002. I have an HP 130 photo printer and found the string "http://www.rulesforuse.org" embedded in the driver.
According to a few newsgroup messages posted in 2002 and 2003, folks are seeing this URL printed out when they attempt to print images of certain types of bills. An HP printer with this anti-copying technology only prints out an inch of a currency image before aborting the print job. -
Re:use Pine.
You have a short memory. This One from October didn't even require user intervention. You did upgrade, right?
-
Well, how about the Debian & Sourceforge break-
not so much fuss when Sourceforge & Debian were compromised.
-
Re:Did you miss the trial?
Get real. If all the factors were equal, we'd see a LOT more Apache exploits. There are over TWICE as many Apache sites as there are IIS sites.
I agree that Apache has proven to be a more secure webserver than IIS.. Which isn't to say that it's trouble-free though. -