Domain: wiretapped.net
Stories and comments across the archive that link to wiretapped.net.
Comments · 57
-
Re:Um, no.So get a wireless-N card, hack their network and use their connection. Seriously, that's what I'd do. cracking WPA video What in the world is a wireless nigger card??? does it automatically steal your neighbor's bandwidth?
-
Re:Um, no.
So get a wireless-N card, hack their network and use their connection. Seriously, that's what I'd do. cracking WPA video
-
Re:Progressive decoding
You're thinking of something like Rubberhose a cryptographically deniable transparent disk encryption system...
-
Re:Crypto system for human rights watchers
a crypto system intended for people like human rights observers working in the field.
That would be Rubberhose.
It scares me that Bruce said he didn't know about it. That means he doesn't want anyone to know. Please tell my kids to be good to their mom and that I love them. -
Re: Anybody know of a system that works like that?
Yes.
Marutukku, pronounced rubberhose.. (or is it rubberhose, pronounced maru tukku? I forget...)
Any politically active programmers out there want to take a crack at maintaining it? -
Re:GPG/PGP: Thunderbird and Enigmail
I think herbivore should be built into thunderbird (and all mail clients, but thunderbird is open source so in theory it's more likely)
http://www.mirrors.wiretapped.net/security/cryptography/apps/mail/herbrip/intro.html -
Rubberhose
So what happens if you're running Rubberhose?
Even if they break out the rubber hoses and you give up a passkey to an aspect they won't know how many or if there are any other aspects on the disk.
P.S. Official site has been gone for some time, but it's still on archive.org -
Re:Plausible deniability...
So then you need a method of being able to hide precisely what is encrypted and what is not. Look around and you'll find systems for filling a file system with chaff files to make finding the real data more interesting.
Sounds good but I remember playing with a deniable cryptography package called Rubberhose.
http://web.archive.org/web/20021124210754/http://www.rubberhose.org/
It looks like the original site has been gone for awhile but you can still find the source. It would appear that it does what you want.
"Rubberhose works by initially writing random characters to an entire hard drive or other dynamic storage device. This random noise is indistinguishable from the encrypted data to be stored on that disk. If you have a 1 GB drive and want to have two Rubberhose encrypted portions of 400 MB and 200 MB, it assumes that each aspect (as the encrypted partitions are called) will be 1 GB and fill the entire drive. It will keep doing this until the drive is really filled to capacity with encrypted material. It breaks up the pieces of each aspect into small pieces and scatters them across the entire 1 GB drive in a random manner, with each aspect looking as if it is actually 1 GB in size upon decryption."
Then when you "have" to hand over your passphrase you can. That passphrase will only grant them access to one encrypted portion. The other encrypted portion would have another password. You could have multiple encrypted portions thus making it harder for the people asking for your passphrase if they got all the data unencrypted...
-
truecrypt (rubberhose?) Re:They're morons
is truecrypt what was once called "rubberhose" (was at www.rubberhose.org, which seems to have disappeared). There's a reference at wiretapped about it.
rubberhose allowed multiple levels of encrypted data, so that it would never be possible to find out how many hidden/encrypted file systems were in the virtual disk. Moreover, you could set up a plausible-deniability virtual disk, with two passwords, one for normal access, the other which then triggers erasure of the more secret volumes.
the intention was to be able to send researchers into rogue/enemy nations, allow them to gather secret information, yet protect that information at multiple levels of secrecy.
-
Re:what we need is a multi-key system
There was, for awhile, the rubberhose encrypted filesys which did just this. key #1 unlocks 100mb, #2 500mb.. etc... but until you enter all the keys, the remaining encrypted data looks just like empty space.. not sure what happened to it, though.
http://www.mirrors.wiretapped.net/security/cryptography/filesystems/rubberhose/rubberhose-README.txt -
Re:I feel pretty safe under Fedora.
Anyone know how that steganographic filesystem is coming?
See for yourself: -
Re:The woes of encrypted partitions
Hey, I had the same idea a few years ago when I read an article on chaffing and winnowing. It turns out there is a filesystem that implements something similar called rubberhose. It doesn't seem to be in development (www.rubberhose.org doesn't work) but this mirror has the last version and readme file that explains the principle.
Here's another program based on rubberhose. -
Re:Armed forces and open source
Be my guest, dig it up yourself if you don't believe me: Illustrative Risks to the Public in the Use of Computer Systems and Related Technology.
-
Deja Vu All Over Again
It has happened before and it will happen again. The biggest case of a transaction counter overflowing a 16 bit signed integer was in 1985 at the Bank of New York - they came up 32 billion dollars short and nearly caused a collapse of the financial system. A description of the problem - Washington Post, 13 December 1985, p. D7 - Computer Snarled N.Y. Bank - $32 Billion Overdraft Resulted From Snafu - can be found in a message at: http://www.mirrors.wiretapped.net/security/info/textfiles/risks-digest/1/risks-1.31 -
Re:It's good that they didn't call this pentium 5
Thus the 5th generation of the 5th generation chip would have been kind of dumb.
What's wrong with the fifth release of the fifth release? Sendmail version 5.5, PGP 5.5, Internet Explorer version 5.5, AOL Instant Messenger version 5.5. -
It's somewhat open
I'm no expert in rendezvous, but it uses open (although not too commonly used) protocols like multicast-DNS. See Apple's FAQ on Rendezvous
As for iChat LAN (which I'm pretty sure is much different than AOL's protocol). Looks like these guys reverse engineered and built a LAN iChat plugin for Proteus (the multiprotocol IM client). They have the source available for download.
It would be possible to port the rendezvous+iChat protocol to a Jabber server plugin.
-
Re:Way ahead of you.
Or how about reading the fucking book?
-
Well... Were there security holes???
I do a fair bit of work with various government organizations, mostly outside of the US. The thing to remember is that there are plenty of organizations that *must* obey very stringent infosec rules.
If the infosec audit did find that the organization is not up to par, they may well lose government contracts. This is generally very bad news.
It is also important to remember that there is much more to security than your firewall rule set - look into Common Criteria, or the Australian Defence Signals Directorate - ACSI 33 regulations (this is a good read for any network admin BTW).
It is entirely possible that our fellow reader had no clue what to do, was untrained, etc. etc. How to apportion the fault is another matter, but do realize that most network admins have no idea what infosec means.
Jan
-
Linux _is_ written in Visual Basic !
Look at this this.
LaSt YeAr WhEn I wAs HaXoRiNg OuT a PrOgRaM wHiCh Is NoW cAlLeD lInUx SlAcK wArE a CoUpLe Of LaYmUrZ pUt A gUn To My HeAd AnD sAiD tO gIvE tHeM tHe SoUrCe CoDe To ThIs NeW oPeRaTiNg SyStEm (It WaS wRiTtEn In ViSuAl BaSiC) -
Re:How does one revoke a PGP key from keyservers?
You need to create and distribute a revocation certificate... the docs for your PGP tool should tell you exactly how. See section 7 of the comp.security.pgp faq for general details.
-
The Orwellian Vision
Read It
-
Anything man has conceived is weakest at the base.
Subversion is the key, Weakness your Strength.
Feel the power, fight the system, wake your dreams.
Infiltrate, Eradicate, and Make your Presence Known.
- The 1&(!0) Enigma -
Re:And there's a new song, too
Please use a mirror, yeah, har har. Thanks, buddy. As of now, of course, none of the mirrors have updated, possibly because people post links right to the master.
Australia (Canberra, .au only) http://mirror.aarnet.edu.au/pub/OpenBSD/songs/song32.ogg
Australia (Melbourne) http://www.openbsd.aba.net.au/ftp/songs/song32.ogg
Australia (Sydney) http://ftp.planetmirror.com/pub/OpenBSD/songs/song32.ogg
Australia (Sydney) http://the.wiretapped.net/OpenBSD/songs/song32.ogg
Austria (Vienna) http://gd.tuwien.ac.at/opsys/OpenBSD/songs/song32.ogg
Belgium (Ghent) http://openbsd.rug.ac.be/ftp/pub/OpenBSD/songs/song32.ogg
Canada (Edmonton) http://sunsite.ualberta.ca/pub/OpenBSD/songs/song32.ogg
Canada (Sherbrooke) http://gulus.usherb.ca/ftp/OpenBSD/songs/song32.ogg
Finland http://ftp.fi.debian.org/OpenBSD/songs/song32.ogg
Finland (Jyväskylä) http://ftp.jyu.fi/ftp/pub/OpenBSD/songs/song32.ogg
Germany (Esslingen) http://ftp-stud.fht-esslingen.de/pub/OpenBSD/songs/song32.ogg
Germany (Frankfurt) http://pandemonium.tiscali.de/pub/OpenBSD/songs/song32.ogg
Germany (Stuttgart) http://ftp.uni-stuttgart.de/pub/OpenBSD/songs/song32.ogg
Italy (Napoli) http://ftp.openbsd.it/OpenBSD/songs/song32.ogg
Sweden (Uppsala) http://ftp.sunet.se/pub/OpenBSD/songs/song32.ogg
Sweden (Uppsala) http://mirror.pudas.net/OpenBSD/songs/song32.ogg
Taiwan http://openbsd.nsysu.edu.tw/pub/OpenBSD/songs/song32.ogg
TamSui, Taiwan http://ftp.tku.edu.tw/pub/OpenBSD/songs/song32.ogg
USA (Batesville, AR) http://gandalf.neark.org/pub/distributions/OpenBSD/songs/song32.ogg
USA (Sunnyvale, CA) http://east.dl.sourceforge.net/mirrors/OpenBSD/songs/song32.ogg
USA (Tallahassee, FL) http://mirror.csit.fsu.edu/pub/OpenBSD/songs/song32.ogg
USA (Lake in the Hills, IL) http://rt.fm/pub/OpenBSD/songs/song32.ogg
USA (Indianapolis, IN) http://archive.progeny.com/OpenBSD/songs/song32.ogg
USA (West Lafayette, IN) http://ftp7.usa.openbsd.org/pub/os/OpenBSD/songs/song32.ogg
USA (Cambridge, MA) http://openbsd.mirrors.netnumina.com/songs/song32.ogg
USA (State College, PA) http://carroll.cac.psu.edu/pub/OpenBSD/songs/song32.ogg
USA (Fairfax, VA) http://mirrors.rcn.net/pub/OpenBSD/songs/song32.ogg
USA (Fairfax, VA) http://openbsd.secsup.org/songs/song32.ogg
USA (Springfield, VA) http://www.tux.org/pub/bsd/openbsd/songs/song32.ogg
USA (Madison, WI) http://mirror6.cs.wisc.edu/pub/mirrors/OpenBSD/songs/song32.ogg -
Re:mirror
here is the list of mirrors from the main page:
- Australian Mirror (Thanks to Grant Bayley)
- German Mirror (Thanks to Tom Fischer)
- Polish Mirror (Thanks to Rafal Maszkowski)
- US Mirror (Thanks to Aj Effin ReznoR)
- US Mirror (Thanks to Tim Lyons)
- US Mirror (Thanks to Gareth Bromley)
- UK Mirror (Thanks to Gareth Bromley)
here is my mirror of the source:
http://sage.che.pitt.edu/~harrold/tmp/chrootkit.tar.gz
-
In case of slashdotting ..
hax0r the b0x
What you'll need:
hardware:
Intel SE440BX-2 motherboard
2 - 4 Intel 82557/82558/82559 Intel NICs (Dime a dozen)
Cisco 16MB PIX Flash card (most expensive bit and the hardest to source)
Floppy drive
Case/power supply
128MB PC100 SDRAM
350MHz Processor w/ 512K cache (clock speed doesn't really matter, but watch out over 750 as the board may not support it)
Serial->Console adaptor (for console access)
(you might also want an AGP video card to start with, to make sure the BIOS doesn't have any whacky settings - but be warned, the pix WON'T boot with a video card inserted.)
software:
Pix OS (obtainable from CCO, or your nearest Cisco warez monkey)
Pix Boothelper (Ditto)
The Howto:
First thing to do is to create the boothelper floppy disk. Get the bh61.bin files (thanks monkeys :) and use rawrite.exe / ntrw.exe / fdimage.exe on Windows or dd on Unix or workalike to create the bootdisk. Sample command lines:
Using dd (on Unix or workalike):
dd if=bh61.bin of=/dev/fd0a (/dev/fd0 on Linux)
Using ntrw.exe (on Windows):
ntrw bh61.bin A:
Then get all the pix bits and connect them up like you would any other system, making sure the floppy is connected, the ram and processor are seated well, and the power is all hooked up. To start with, I just put the system into a regular case, just until I was comfortable that it worked etc. (down the track, make the move over to a rackmount case, because rackmount cases get you chicks). Plug your video card in, and boot it up into the BIOS. Set it to boot from floppy and to NOT halt on any errors (lack of kb etc) and then shut the beast down. Attach the console adaptor to com1 and plug your console cable into your management machine and fire up a terminal emulator program (I just used HyperTerminal under Windows or minicom from Unix, but any will do). The settings need to be 9600 8-N-1. Remove the video card and boot the mofo up. It'll beep at you, letting you know it doesn't have a keyboard or video card, but it will continue to boot (if you followed the instructions). It should boot from the floppy disk, and then your terminal app will start spewing out the Pix boot information. It has ended when you have the following prompt:
pixboothelper>
Now you need to get the fully-fledged Pix OS onto the flash card.. and now that the image is bigger than a floppy disk, the only way to do this is over TFTP. Cisco provide a tftp server (which I use), but other options exist, including Pumpkin (by Kin) or the regular tftp built into most Unix and workalike operating systems. Dump your pix622.bin file (or similar; the version number may be different) into the root directory of the tftp server. Almost there.
Back on the pix, you now need to configure the inside interface to connect to the server - by default the inside interface is the 2nd one along. (I'm assuming you all know how to wire up a network, so I'll skip that). Use the following commands:
address ip-address (i.e. "address", followed by the IP address of the inside interface (same subnet as tftp server))
server tftp-ip-address (i.e. "server", followed by the IP address of the tftp server)
file pix-os-filename (i.e. "file", followed by the Pix OS filename (e.g. pix622.bin))
then type:
tftp
and hit enter to begin the transfer.
Now you have the Pix OS software on the firewall. You can begin configuring the interfaces as usual, and you're away. Cisco.com is filled with useful documentation, so knock yourself out.
If I get sufficient requests I might document how I constructed the rackmount case, but I suspect the most interest to be focused on the actual guts of it :)
So here's a page with some pix pix.
If you want a Pix 16mb card for $400US, give me a shout and I'll see what I can do.
peace out
Send props to:
routermonkey[at]wiretapped.net -
Why not just use IPSec?
I posted this in some other discussion the other day but.........
Why not just use IPSec? My co worker and I have been trying to figure out how to securely deploy 802.11b around the office and I came up with the idea of using IPSec. I'm the lone Macintosh island in a sea of Windows desktops and laptops at the office so I'm waiting for next week (when I get my copy of Jaguar and hence IPSec support) to really get to hack on this but the current plan is to use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall between the AP and the wired LAN and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing wired IPSec communication but in theory that should apply to the wireless as well.
here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
OpenBSD IPSec
FreeBSD IPSec
Windows 2000 to FreeBSD
DaemonNews Article
FreebsdDiary Article
After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side effect since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say jane sales chick shows up with her personal laptop and tries to use the wireless network in the office. She gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping off point to the LAN or to his/her credentials. Another thing I've given some thought to is depending on the overhead of IPSec you could take the onion skin approach making the side effect a little more difficult to non tech type (we all know how secure WEP is) by also using 64 or 128 bit WEP in addition to IPSec.
Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought, inaccuracies, etc. I've got going on here. If I'm successful I'll probably document it and post on the Web. -
Re:IPsec with AirPort
IPSec is really the big thing that got me excited about 10.2 (and Windows network browsing and Quartz Extreme and CUPS and PAM blah blah.) My co worker and I were trying to figure out how to securely deploy 802.11b. I'm waiting for next week to really get to hack on this but the current plan is to use an IPSec VPN (and throw WEP out the f'ing window) to secure the line of communication. I will set up either an OpenBSD, FreeBSD or Linux (preference in that order, yeah I know I've got a BSD partiality) firewall and only allow traffic over the IPSec VPN. From my initial research I found some docs on doing hardwired IPSec communication but in theory that should apply to the wireless as well.
here's some useful links. I hope to be able to adapt some of the information to suit using OS X.
OpenBSD IPSec
FreeBSD IPSec
Windows 2000 to FreeBSD
DaemonNews Article
FreebsdDiary Article
After pondering the "secureness" of using IPSec in lieu of WEP I've come up with one weakness and one side effect since clients get DHCP addresses in the clear and any communication to the wired LAN is encrypted. Say jane sales chick shows up with her personal laptop and tries to use the wireless network in the office. She gets an IP address but can't get into the wired net because she can't establish an IPSec VPN. Joe cust service has his laptop in the office too. He gets an IP but gets blocked by the IPSec firewall. As a side effect there is nothing stopping Joe and Jane from swapping music, warez or pr0n. The only weakness I can think of is that Johnny hacker could try to exploit one of the wireless clients (if there are any) and use that as a jumping off point to the LAN or to his credentials. Another thing I've given some thought to is depending on the overhead of IPSec you could take the onion skin approach making the side effect a little more difficult to non tech type (we all know how secure WEP is) by also using 64 or 128 bit WEP in addition to IPSec.
Since this is all theory until next week when I get Jaguar, feel free to point out any stupid lines of thought I've got going on here. If I'm successful I'll probably document it and post on the Web.
-
Re:Healthy versions still available..?
The copy on Wiretapped.net is also clean.
This mirror will not be updated from ftp.openbsd.org until it is cleared by the OpenBSD team.
ftp://ftp.wiretapped.net/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz -
Also available, cache of the pdf
All the pictures are included in this pdf mirror: http://www.mirrors.wiretapped.net/security/info/papers/networking/strange-attractors-and-tcpip-sequence-number-analysis.pdf [1MB].
It doesn't display correctly with my version of KDE's PS/PDF Viewer, but good old ghostview works great. -
crypto.radiusnet.net is a joke
Hi all,
I think we'll all find that this ends up being less of a problem than it seems to be, and certainly one unworthy of Declan's attention. The first thing to consider is that of the couple of security/crypto archives out there (Wiretapped, munitions.vipul.net, the old zedz.net site, Packetstorm), the crypto.radiusnet.net one is the only one of the group that is out of date, disorganised and discourages mirroring. Look over the site, and you'll see what I mean. The second thing to consider is that (as another poster has already mentioned) PGPi.org has the explicitly freeware versions of the software available on a number of mirrors worldwide, and does not appear to have been made a target here.
Conspiracy theories aside, if they were mirroring commercial versions of the product, NAI is well within their rights to pursue them, and I'm sure the other legitimate crypto/security archive sites will be glad to see crypto.radiusnet.net stop sullying their good names by association.
-
Re:Mirror of ad
-
UnixArchive mirror online at Wiretapped
If you're finding that poor old minnie is getting a bit hammered with downloads, try here:
http://www.mirrors.wiretapped.net/UnixArchive/
ftp://ftp.mirrors.wiretapped.net/pub/UnixArchive/
Non-authoritative answer:
Name: www.mirrors.wiretapped.net
Addresses: 203.220.0.25, 210.9.80.201
(If anyone else is mirroring from minnie, you may like to add the --links and --safe-links flags to your rsync command, and make sure the filesystem you're writing to is mounted "nodev" as there's a bunch of character/block special devices in the 2.11BSD trees)
-
Mirror for SNARE downloads
-
Re:OK, help me out here.
Mirror wiretapped (20 gigs) or CryptoArchive.
They've been up and running for a while, and I'm just rambling 'cos of the lameness filter which stops me posting short, pertinent UI...
-
Re:The slightly more detailed changelog...
Oh, and if you're going to have a look, click on some of the filenames and bring up some diffs of various files to see what changes have been made.
For example, the MAINTAINERS. Once you've clicked on this, click on the "Diff to previous" option and you can see what changes were made between 2.4.7 and 2.4.8 (click here). Or, click "Select for diffs" on one kernel and then on "to selected" on another further down on the same page. For example, check what changes were made in the MAINTAINERS file between 2.4.6 and 2.4.8 here.
"No more hidden changes"
:) -
The slightly more detailed changelog...
Linux Kernel in CVS:
http://orbital.wiretapped.net/cgi-bin/cvsweb.cgi/linux-kernel/2.4/
(nmap is also in CVS http://orbital.wiretapped.net/cgi-bin/cvsweb.cgi/nmap/) -
2600.org.au response to the CyberCrime Bill
http://www.2600.org.au/cybercrime-bill-response.txt
There's also a Senate Legal and Constitutional Committee inquiry into the legislation, at:
http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm
2600 Australia will be making a submission to this committee. If you'd like to discuss this legislation prior to our submission (which must be lodged by the 20th of July), please join the 2600-law mailing list, by sending an empty email to 2600-law-subscribe@wiretapped.net. There are also public hearings in Sydney on 19th July and in Canberra on 9th August.
-
Re:Is an ISO available?
Yes, Theo can do this.
Here's how I believe it works.
The *source* is available for anyone to take, change, and otherwise use with the BSD licence. You can do whatever the hack you want with it.
The *ISO* layout that is sold by the OpenBSD group is copyright to Theo - that means that you have to get his permission to distribute it. Now, that doesn't mean that you can't make your own ISO and distribute that, but you can't distribute the *official* release. In this case it would be the 2.9 release. I believe this distinction is made so that anyone who wants to get an ISO needs to buy the official one, or make their own.
What are the consequences?
- The source is still free - and it will stay that way. The recent IPF fiasco and subsequent removal of IPF from the OpenBSD source is evidence of that.
- You can do a ftp/http install if you like - no problems there: Ftp download site... The floppy29.fs image is the boot floppy that will allow you to have at it. -Make sure you have a look at the OpenBSD.org site for hardware compatibility before beginning.-
- The ISO of official releases is only distributed by the OpenBSD group - generating them some much needed funding and giving them an idea of how many users they've got.
- The copyright on the ISO makes it illegal (yeah) to distribute that release ISO right off the CD without permission.
- Anyone is welcome to fork code, make custom ISOs, use the CD as a coaster, etc. It's still open source.
-
More than security -- Jamming Echelon?!
(If you haven't, please see the site!)
A fun form of security is good and all, but they actually have higher aims than that. They want to keep Big Brother busy by forcing him to read spam that might contain whatever naughtiness they're supposed to be watching for.
Their site continues, linking to: Jam Echelon Day and Jam Echelon Day descends into spam farce
-
Mirror
There is a mirror of the book at:
http://the.wiretapped.net/security/info/books/
-
Re:Hardware support for new Macs, but will it inst
The PowerPC boot support is from Open Firmware. You enter open firmware and issue a command something like this:
boot cd:,ofwboot /2.8/powerpc/bsd.rd
and you're dropped into a text-terminal with all the usual OpenBSD console messages. The console messages appear to be quite slow even on fast machines but the OS itself is quite fast. The only word of warning is that for X to work, you'll need to set the screen to operate at 1024x768 or 800x600.
The set of documentation for contents that I submitted just prior to the cd being pressed is at:
http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/notes/powerpc/contents?rev=1.23
The full INSTALL.powerpc file can be viewed here:
http://the.wiretapped.net/security/operating-systems/openbsd/2.8/powerpc/INSTALL.powerpc
I was last working with a snapshot from about 3 weeks ago, so I'll load up the release version in a little while and see how it goes...
One final thing - FTP install works great, so if you're on a fast connection, I can recommend it. Currently supported drivers in 2.8 release are the gm0 onboard controller in iMac, Blue G3, G4, Cube etc and de0 (DEC Tulip 21x40). The only gotcha is that last time I checked, the gm0 in the dual processor G4's would not operate on 10baseT or 1000BaseT - only 100BaseT Half Duplex or 100BaseT Full Duplex. Dale @ OpenBSD has been looking into it.
Grant
(who couldn't be bothered getting an account let alone signing in) -
RISKS
Think it through, folks. Go read the RISKS digests or the comp.risks newsgroup. Pay special attention to issues 21.10 and 21.11. For balance, you can also read a term paper about using computers in voting; he recommends a touch-screen type system.
The advantages of physical ballots are many and clear, especially when something goes wrong. And something will go wrong, even without having to deal with corruption. My big problem with all of these electronic voting schemes is that I have no way to assure myself that my vote is actually being cast the way I want it. If the software is corrupted to change my (actual) vote, how would I know? How could I check?
Remember, KISS. Computers ain't simple. -
From the current risks digest:
From the Risks digest
Date: Tue, 7 Nov 00 16:43:41 CST
From: "Douglas W. Jones"
Subject: Thoughts on computers in voting
It's election day, and as chair of the Iowa State Board of Examiners for Voting Machines and Electronic Voting Systems, it seems like a fair time to pause and think about the state of the art.
Over the past several years, an important trend has been evident in the voting machines that have come before our board for approval in Iowa. This is the replacement of custom-built software with off-the-shelf commodity software, usually some variant of Windows and largely dependent on Microsoft Office.
Computers in voting machines are old technology at this point, whether they're used for central count systems based on punched cards or mark sense readers, or whether they're precinct count systems based on mark sense or direct recording electronic voting machines. There are still lever machines in use, of course, but those haven't been changed in years and therefore, we don't see them coming up for examination.
Under the current Federal Election Commission guidelines for electronic voting systems, all custom-built software is subject to examination by an independent third party. On the other hand, "industry standard components" are acceptable, as is. The FEC has no enforcement power, but the FEC guidelines have been enacted into the voting law of numerous states.
The reason this concerns me is that we see a larger and larger fraction of the software inside the voting system becoming the proprietary product of a third party and exempt from the requirement that it be available for a source code inspection. Furthermore, the size of commercial operating systems is immense, so an effective inspection is very hard to imagine!
What threat does this present?
If I wanted to fix an election, not this year, but 4 years from now, what I might do is quit my job at the University of Iowa and go to work for Microsoft, seeking to insinuate myself into the group that maintains the central elements of the window manager. It sounds like it might be fun, even if the job I'd need would largely involve maintenance of code that's been stable for years. My goal:
I want to modify the code that instantiates a "radio button widget" in a window on the screen. The specific function I want to add is: If the date is the first Tuesday after the first Monday in a year divisible by 4, and if the window contains text containing the string "straight party", and if the radio buttons contain, at least, the strings "democrat" and "republican", one time in 10, at random, switch the button label containing the substring "democrat" with any of the other labels, at random.
Of course, I would make every effort to obfuscate my code. Obfuscated coding is a highly developed art! Having done so, what I'd have accomplished is a version of Windows that would swing 10 percent of the straight party votes from the Democratic party to the other parties, selected at random. This would be very hard to detect in the election results, it would be unlikely to be detected during testing, and yet, it could swing many elections!
This is just one example attack! There may be similar vulnerabilities, for example, in the off-the-shelf database packages being used for ballot storage and counting.
I don't mean this example to reflect any ill feelings toward Microsoft, but it is true that their software is used in the vast majority of new voting systems I've seen. This threat does not require any cooperation from the vendor of the window manager or other third party component exempt from source code inspection. All it requires is a mole, working their way into the vendor and producing code which is not detected by the company's internal testing and inspection. Obfuscation is easy, and the art of the "easter egg" in commercial software makes it very clear that huge numbers of unofficial features are being routinely included in commercially released software without the cooperation of the software vendors. (OK, I know that some easter eggs are officially approved.)
Having said this, it is worth noting that Microsoft has indicated a preference about the outcome of today's presidential election, and there are excellent reasons to treat proprietary software produced by a partisan agency with great suspicion when it is included in a voting system!
My conclusion? The time has come for computer professionals to press for a change to the guidelines for voting machines, asking that all software included in such machines be either open source, available for public inspection, or at least open to inspection by a third party independent testing authority. There are no technical obstacles to this! Linux, FreeBSD and several other fully functional operating systems are available and will run on the hardware currently being incorporated into modern voting machines!
But, this is not the end of the problem! How do you prove, after the fact, that the software in the voting machine is the software that was approved by the board of examiners and tested by the independent testing authority? No modern machine I'm aware of makes any real effort to allow this proof, although several vendors do promise to put a copy of their source code in the hands of an escrow agency in case a question arises.
Doug Jones http://www.cs.uiowa.edu/~jones/voting/
[Note: Doug, Rebecca Mercuri is just putting the finishing touches on her PhD thesis on the subject of electronic voting, at the University of Pennsylvania. I highly recommend you contact her for a copy, which should be available very soon. For everyone else, we will announce it here when the thesis is ready. Also, my book *Computer-Related Risks* has lots of background on risks in electronic elections and what to do about them. Rebecca has carried the analysis much further than I did. Her thesis will be a very valuable contribution that significantly raises the bar as to what should be demanded, not just hoped for, plus an analysis of the residual risks that would still remain. PGN]
--
From: Aaron "PooF" Matthews