Geek Flavor
snowphoton told us to check out http://www.geekflavor.com. "It seems to be an 'open source' Web site, in that people are allowed to ftp anything they want to the site, or use ssh to modify the contents." I took a quick look at this, and it looks like a really cool net experiment. The word 'geek' is getting kind of over-used (CT:KIND of overused! Sheesh), but this seems like a lot of fun, and a nifty way to waste time when you should really be working.
Cell phones ring, pagers beep and people hold conversations at normal speaking tones on their cellphones.
Vermifax
Says quite a lot, unfortunately, about your average Slashdotter. :(
Open Source. Closed Minds. We are Slashdot.
Well at least document the experiment in its entirety. What went wrong? What went right? I'd say giving anyone ssh access to anything is bad news (local exploits vs. remote exploits). In fact, I can't really think of a way you could allow people to execute code without opening a huge security risk. Maybe give everyone a virtual server?
I'm specifically worrying about Signal:Noise ratios and illegal content...
Small potatoes make the steak look bigger.
No. There exists a solution! The basic idea is to give the people who want to use it the means to observe what others are doing and to secure the system against abuse.
In fact, that is exactly what people did in the ``good old days'' in the AI lab before ``strict security'' was built into systems as a standard.
In a lecture about the history of GNU, RMS even complains about the use of passwords and "strict security". He writes about people damaging the system by accident and about outsiders using MIT's computers:
On ITS [the old, anarchist Incompatible Timesharing System -- Yaakov] we evolved other means of discouraging people from doing those things by accident, but on Twenex [the new "secure" system -- Yaakov] you didn't have them because they assumed that there was going to be strict security in effect and only the bosses were going to have the power to do them. So they didn't put in any other mechanism to make it hard to do by accident.
Maybe we can reconstruct some of the features that the AI lab used to secure ``tourism''? Maybe we can develop new mechanisms?
Of course, nowadays the job is harder than it was. Now, more people have just bad intentions and the ability to act anonymously and fast. Worse, the ``safe tourism'' features haven't been developed for a long time.
Here are some suggestions for how ``safe tourism'' could be revived.
The following features would give a responsible person an advantage over intruders: First, allow spying on what others do and save logs on another server where they can be read but not destroyed.
Second, create alerts and delays when important files are changed: Say, the changes take effect only after ten minutes during which observers have the right to veto the change. Once one person vetoes another one, a trusted person can override the veto if it is not a matter of an attack.
This policy would not stop legitimate users from working with and improving the system. But an attacker would be noticed before he can take over control.
A third feature would be to back-up data on a safe account (which just serves the files) so that an original state can be rebuilt quickly after an attack.
One way to combine these features would be to request users to keep their sources and configurations on another (their own) WWW server. 10 minutes after they notify the free system about changes, the changes are downloaded and installed. Checksums of the installation are stored safely so that the same files can be re-installed without delay when the user wants to roll back.
Finally, we would need some distributed system of trust such that a person can lose his reputation by attacking the system or recommending attackers to be trusted. Here, the PGP trust system springs to mind.
Any more ideas?
Yaakov
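The delayed-change policy proposed in the comment above, modelled as an added example that is not part of the original post or of any system the thread describes. The class name, user names, file contents and the in-memory stand-ins for the remote log server and the backup account are all assumptions made for illustration; the clock is passed in explicitly so the veto window can be exercised.

```python
import hashlib

VETO_WINDOW = 600  # seconds: the "ten minutes" in the comment above


class StagedSite:
    """Toy model: changes go live only after an unvetoed waiting period."""

    def __init__(self, trusted):
        self.trusted = set(trusted)  # users allowed to override a veto
        self.live = {}       # path -> content currently served
        self.archive = {}    # sha256 -> content; stands in for the safe backup account
        self.installed = {}  # path -> checksums that have been live at that path
        self.pending = {}    # path -> change waiting out its veto window
        self.audit = []      # append-only trail; stands in for the remote log server

    def _log(self, now, user, action, path):
        self.audit.append((now, user, action, path))

    def propose(self, now, user, path, content):
        digest = hashlib.sha256(content).hexdigest()
        self.archive[digest] = content
        self.pending[path] = {"digest": digest, "due": now + VETO_WINDOW, "vetoed_by": None}
        self._log(now, user, "propose", path)
        return digest

    def veto(self, now, user, path):
        change = self.pending.get(path)
        if change is None or now >= change["due"]:
            return False  # nothing pending, or the window has already closed
        change["vetoed_by"] = user
        self._log(now, user, "veto", path)
        return True

    def override(self, now, user, path):
        change = self.pending.get(path)
        if user not in self.trusted or change is None or change["vetoed_by"] is None:
            return False
        change["vetoed_by"] = None
        self._log(now, user, "override", path)
        return True

    def tick(self, now):
        """Install every pending change whose window has passed without a standing veto."""
        done = []
        for path, change in list(self.pending.items()):
            if change["vetoed_by"] is None and now >= change["due"]:
                self.live[path] = self.archive[change["digest"]]
                self.installed.setdefault(path, []).append(change["digest"])
                del self.pending[path]
                self._log(now, "system", "install", path)
                done.append(path)
        return done

    def rollback(self, now, user, path, digest):
        """Re-install, without delay, a version that was already live at this path."""
        if digest not in self.installed.get(path, []):
            return False
        self.live[path] = self.archive[digest]
        self._log(now, user, "rollback", path)
        return True


if __name__ == "__main__":
    site = StagedSite(trusted={"alice"})  # constructed sample users and content
    good = site.propose(0, "bob", "index.html", b"<h1>welcome</h1>")
    site.tick(600)
    site.propose(700, "mallory", "index.html", b"defaced")
    site.veto(800, "carol", "index.html")
    site.tick(5000)
    print(site.live["index.html"], [entry[2] for entry in site.audit])
```

A vetoed change stays pending until a trusted user lifts the veto, so the live page is unaffected however long the attacker waits.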
Hotline server is a program similar to an FTP client and server.
You can get more information on Hotline at http://www.hotlinesw.com or http://www.bigredh.com
Used primarily for pirating. Created by a teenage Australian, but then he got in a shady deal with a Canadian co. (that now owns the product) and there was a huge legal battle, rumors of his sister being kidnapped, and the original programmer on the run.
Appears to be cracked, or at least broken. Front webpage has the title "hello. i own u." and an impressive piece of ascii art (Tux, made from what appears to be Linux kernel code), but no way to progress beyond that first page.
Christopher A. Bohn
cb
Oooh! What does this button do!?
Login: geekflav
Password: dnzvmsii
FTP site: ftp.geekflavor.com
Small potatoes make the steak look bigger.
Which OTO? There are at least three at last count.
sig:
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
Slashdot's name is a killing word!
saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaLASHDOT!
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
Google has a cache of geekflavor.com/index.html. Albeit, there's nothing much to look at.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Absolutely nothing: It's running SunOs :)
Somehow I don't think that this is even all that relevant, you ALREADY have root access. You can delete/modify anything you want.
Rami
--
rJames.org - illustration
A discussion between some users logged in as geekflav:
...
/etc/passwd /etc/passwd... Wonder why ;)
/etc/passwd /usr/openwin/bin/xauth -q -
Broadcast Message from geekflav (pts/16) on vux2 Tue Jul 25 07:59:59...
At least you can't change the password easily
Broadcast Message from geekflav (pts/20) on vux2 Tue Jul 25 08:00:14...
Is kill -9 -1 stupid enough?
;-)
Broadcast Message from geekflav (pts/6) on vux2 Tue Jul 25 08:00:21...
well it took about 10 mins for someone to erase the index.html (spot the twit that can't read). [Mike]
Message from geekflav on vux2 (pts/21) [ Tue Jul 25 08:00:21 ]
Broadcast Message from geekflav (pts/13) on vux2 Tue Jul 25 08:00:53...
This takes me back 10 years!
Broadcast Message from geekflav (pts/4) on vux2 Tue Jul 25 08:01:03...
And I was watching top hoping to see some major slashdotting.. har when there's no page
Broadcast Message from geekflav (pts/26) on vux2 Tue Jul 25 08:01:08...
will you lot shut the fuck up!
Broadcast Message from geekflav (pts/13) on vux2 Tue Jul 25 08:01:22...
Nah!
Broadcast Message from ??? (pts/4) on vux2 Tue Jul 25 08:01:40...
root pts/18 7:57am vi
oops
Broadcast Message from ??? (pts/7) on vux2 Tue Jul 25 08:01:44...
Hmm, root is editing
Received disconnect: Command terminated on signal 9.
And here is some w(1) output:
8:01am up 19 day(s), 3:38, 28 users, load average: 1.27, 1.25, 0.90
User tty login@ idle JCPU PCPU what
amzmusic pts/1 10:21pm 9:26 -csh
geekflav pts/3 7:47am 1 2 -tcsh
geekflav pts/4 7:49am 16 w
geekflav pts/5 7:50am 10 -tcsh
geekflav pts/6 7:54am 1 -tcsh
geekflav pts/7 7:51am 1:06 -tcsh
geekflav pts/8 7:51am 1 2 -tcsh
geekflav pts/9 7:54am 3 more index.html
geekflav pts/10 7:53am 3 -tcsh
geekflav pts/11 7:53am 1 bash
geekflav pts/12 8:00am 1 -tcsh
geekflav pts/13 7:55am 1 wall
geekflav pts/14 7:56am -tcsh
geekflav pts/15 7:56am 2 1 -tcsh
geekflav pts/16 7:56am -tcsh
geekflav pts/17 8:00am vi index.html
root pts/18 7:57am vi
geekflav pts/19 7:57am 1 ftp ftp.bitchx.com
geekflav pts/21 7:58am 1 -tcsh
geekflav pts/20 7:58am -tcsh
geekflav pts/22 7:58am 2 -tcsh
geekflav pts/23 7:58am -tcsh
geekflav pts/24 7:59am -tcsh
geekflav pts/25 7:59am 1 -tcsh
geekflav pts/26 7:59am -tcsh
geekflav pts/27 7:59am vi index.html
geekflav pts/28 8:01am26days
geekflav pts/29 8:01am -tcsh
--
Niklas Nordebo | nino at sonox.com | +46-708-405095
That's solved easily: any file uploaded becomes read-only.
Now, as far as deleting/editing content you've sent... Can you make a script that allows deleting of files uploaded ONLY if the IP/IP range matches between the uploaded file and the delete request?
Or, of course, you can have registered users each with their own folder. Then again, that's Geocities (or Tripod, etc.).
Bottom line, this doesn't work, and we've been proved right. Anyone else have some suggestions so this DOES work? There has to be some point in-between full/root access and Slashdot moderation/separate accounts where this can work. I'm curious to see if this, eventually, can work.
Small potatoes make the steak look bigger.
I will admit that I didn't exactly idiot-proof the project. I was hoping that by giving complete control to everyone, something truly interesting might develop, but I failed to take into account the power of a single ignorant admin.
People have always used technology for destructive purposes -- the thrill of anonymity is intoxicating, and people often lose sight of their everyday code of conduct. Once little Timmy Smith because |)Ar|I never expected this project to amount to much. I just had some webspace and a domain, and decided to give it a shot. I think, though, that perhaps this experiment deserves another chance, although with a better plan on my part.
If anyone out there has some suggestions on how this "Open Source" website experiment could work better, please contact me at ibn_qalb@arabia.com (not my usual address, if you were wondering). I'd love to have some help in creating a new, sturdier site that would actually be built to handle something like this.
Thanks everyone! It was fun while it lasted - Keep an eye out for the Alpha release!
I bet the sys admins are not happy. I would think this could be a great security risk for them. A better way to do something like this would be in a controlled environment like a Wiki. Go to http://minnow.cc.gatech.edu/squeak/ to see what I mean. I think it is great but I don't know
-- Tyler >+++++++[-]++++.---------.+.++++.++.
There was a posting by a guy over on Kuro5hin who had set up an open file area for his web users to put their files so that they could be accessed anywhere in the world. Unfortunately he set it up so that anyone could access anyone else's files. People put copyrighted programs and fonts there, and apparently people were downloading them. The vendors complained and the FBI came and seized his computers and the U.S. attorney was considering prosecuting him. He may or may not have been in the right, but he faces some heavy legal bills nevertheless.
The last I saw was:
/etc/passwd... Wonder why ;)
Broadcast Message from ??? (pts/7) on vux2 Tue Jul 25 08:01:44...
Hmm, root is editing
> Received disconnect: Command terminated on signal 9.
I doubt his ISP likes having people logged on anonymously.
Ward Cunningham designed the first such web site of which I am aware (called a Wiki, or a Wiki-Wiki) several years ago. Co-webs have been in use for quite some time, though they tend to be somewhat more sophisticated than a mere place to dump ftp -- usually providing editors and "smart" pre-parsers to facilitate collaboration by newbies.
See, e.g., this swiki page.
Despite the skepticism, these things work very well and are rarely the subject of abuse. A sandbox is provided for people who just want to play, and folks are generally quite courteous as a matter of practice. We use one for the Squeak Smalltalk open source community, which you can access from the main (traditional) web site page for Squeak. The Swiki is one of the primary repositories of information for the Squeak community.
We have found cowebs an excellent vehicle for collaboratively creating documentation for open source projects that have run too long without doco support. While it is not a great place to build final documents, it is a great place to gather information, and over time mold into the same.
This probably would have been fun and cool--if it hadn't been posted on Slashdot. Face it, Taco, your project now has a lot of inertia--you can't tiptoe delicately into something anymore. Once you mention it, it is toast.
How many times have we seen things like this on cool websites posted to Slashdot: "Well, we got mentioned on Slashdot. Sorry I have to take this down, but my bandwidth can't handle it." Pretty soon people are going to start thinking twice before even creating sites like this. Slashdot will be "stifling innovation".
--
Give us our karma back! Punish Karma Whores through meta-mod!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Somebody just fscked it up:
"r0x0r" - that's the content of the index page.
Good luck.
http://dtum.livejournal.com
The admin of Geekflavor posted something as AC, so it's score 0. Please find it and mod it up. ZP
Got Rhinos?
This idea has been implemented for awhile in a more elegant fashion via WikiWikiWebs. To see how they work, check out The Portland Pattern Repository
To set up one yourself, I recommend checking out phpwiki.
Oh, wait, what's this about GeekFlavor? I was ruminating about something else *cough* /. *cough*
Small potatoes make the steak look bigger.
...and I hope this ain't it. As evidenced by the number of posts as I write this (9) this article hasn't been up more than a few minutes and already someone's been clever enough to disable it. Props to your mad skillz, d00d...
Not that I in any way agree with web page defacements, but at least I can understand how taking down or modifying a secured web page that a lot of people will see has a certain publicity stunt appeal to it - defacing Seti@Home and putting your h4x0r nick on it is kind of like spraypainting your name atop the world's biggest water tower. But what does it say about human nature when the very first thing people want to do to a supposed community collaboration project is to anonymously make it unavailable to everyone else?
Here I am, always an advocate of privacy and anonymity, and yet when I see people do stuff like this it makes me want to rethink all of those positions. On the one hand I'm cynical enough to think a whole lot of people would want to nuke a site like this; on the other hand even after I've had my coffee and am no longer quite so misanthropic I realize that with total anonymity even a single idiot can ruin a lot of other people's day with total impunity.
Makes ya think...
THE STORY
A while ago, I had a great website called Geekflavor, which had daily-updated geek news. It ran on perl, and recreated itself every few minutes to get the latest headlines from other sites. I tried different hosting services, however, but none of them (this one included) were very perl-friendly. So I gave up, and never got around to finding another one. Maybe one day, when I have more time....
SO WHAT?
So -- I have decided to Open Source this website! I am giving away the password and making it a free-for-all. As long as it's nothing illegal or pornographic, you can upload whatever you like. The site has got good bandwidth, so that's not a problem. All I ask is that you leave this page (index.html) intact, with the exception of adding links to additional pages (which you can do with a text editor).
HOW DO I PLAY?
Login: geekflav
Password: dnzvmsii
FTP site: ftp.geekflavor.com
Simply place all html files in the /htdocs directory, and cgi scripts in the /cgi-bin directory. Perl seems to work well, it's just that my site relied on crontab, which was disabled by the admins.
Shell access is also available, but you have to use SSH software (i.e., you can't just telnet to Geekflavor.com). Try PenguiNet -- It's my client of choice. This is useful for editing existing files (such as adding links from this page to other pages), and tweaking scripts.
RULES
Since it's a free-for-all, nothing is really sacred. Anyone can modify anything that has been uploaded by anyone else. This is meant to be creative and productive, however, rather than destructive. I hope that this site will grow and evolve in an interesting way, rather than simply serving as a giant spamwad. Also, I ask that you leave this text intact for the benefit of others.
Have fun!
[feel free to add anything below this line, such as links to uploaded pages, etc.]
Am I the first to modify this? -Sean
Before it becomes too much of a free for all -Mike
Hot grits rule - Andy
www.cyberia200o.org : cyberia : sub-dir on www.geekflavor.com
MetaBaby has the same thing: pages which are modifiable or creatable by just about anyone.
It was nominated for a Webby Award last year for best personal site. Slashdot was nominated (and won People's Choice) for Community.
-- BlueCalx | http://nickd.org/
I think this is a very interesting experiment in how much freedom you can give people. Everybody would like to be part of a collective (like this site) where the structure is completely bottom-up and decentralized and everybody has a say, in fact a major say, in everything. Unfortunately, this doesn't seem to work too well. There will always be the people who for one reason or another would like to mess it up, and because of the lack of structure, can and will do so.
I guess the reason I'm bringing this up is because this whole concept, the struggle between structure and freedom seems to come up again and again in the computer world. Should software design be centralized or Open Source? Should the Internet have laws? Who decides the structure of the Internet/should there be a structure? It seems to me that any system that has no organization or constraints (like this site) will fail. It seems pretty much inevitable that there will always be the few (or sometimes the majority) who will mess up the spirit and the workings of the project because of spite, carelessness, or greed. That's why although institutions like ICANN need major changes, they are still damn important. Let's not forget that the Internet *does* have structure, and it is this structure (some centralization of naming, routing, etc) that has allowed it to grow to the amazing extent that it has.
How can I FTP a 'u' into Flavor ?
Maybe you live in interesting times
...but this isn't some new community site or grand experiment. The guy's just sticking it to his ISP for not delivering the services he needs on his way out. Slashdot-scale havoc until his credit for this billing period runs out, or they terminate the account.
:)
That said, I'd love to see the looks on the faces of the admins right about now, assuming they don't read slashdot.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
Sounds like what www.pagein.com was trying to do.
Just because you're floating doesn't mean you haven't drowned. - They Might Be Giants, Dark and Metric
I also doubt this will work. I've tried something similar myself once, where I made a script allowing people to use my webspace as a sort of BBS system, leaving files and messages for others. I quickly found the need to moderate far greater than was my intention. People just start abusing this much too quickly.
:)
In this case giving away your account info is just plain dumb. With several hundreds of people uploading whatever they want, giving away the addy for friends, or linking or whatever, and the next guy deleting the files, overwriting them or something else. Nah... This will never work....
Even geeks will goof it...
--- To err is human... Am I more human than most ?
I am guessing this webhost will be extremely angry at this for having their machine broken into (by some accounts people who sshed in got root, yes?) and possibly try to burn him for violating their terms if they included anything to cover this.
I am not sure if he did it intentionally, but if you were some guy who was mad at your host 'cause they didn't let you use cron, what better way to get back at them than just running a shell account guaranteed to attract crackers and script kiddies?
So, basically I don't feel sorry for this guy at all. He didn't have any important files he lost or anything, but the workers at his webhost are now going to have to clean up a box because some jackass gave shell access to the readership of slashdot. I would imagine that would be any security team's nightmare, no matter how well they had applied all the latest security patches.
sig:
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
---------
I'm the guy who did this GeekFlavor thing, and I have to say that I'm very disappointed in how it turned out. It wasn't up for very long at all before some script kiddie had to bust some 1337 moves on it.
I will admit that I didn't exactly idiot-proof the project. I was hoping that by giving complete control to everyone, something truly interesting might develop, but I failed to take into account the power of a single ignorant admin.
People have always used technology for destructive purposes -- the thrill of anonymity is intoxicating, and people often lose sight of their everyday code of conduct. Once little Timmy Smith because |)Ar|I never expected this project to amount to much. I just had some webspace and a domain, and decided to give it a shot. I think, though, that perhaps this experiment deserves another chance, although with a better plan on my part.
If anyone out there has some suggestions on how this "Open Source" website experiment could work better, please contact me at ibn_qalb@arabia.com (not my usual address, if you were wondering). I'd love to have some help in creating a new, sturdier site that would actually be built to handle something like this.
Got Rhinos?
Here are the top referrers to the site. You can get all these stats by going to geekflavor.com/stats. Oh, and although ssh is apparently down, ftp is still up.
Top 23 of 35 Total Referrers
# Hits Referrer
1 954 36.82% - (Direct Request)
2 28 1.08% http://slashdot.org/article.pl
3 8 0.31% http://cgi.zdnet.com/zdpoll/savevote.html
4 7 0.27% http://linuxtoday.com/news_story.php3
5 6 0.23% http://www.nerdperfect.com/
6 5 0.19% http://slashdot.org/yro/00/05/31/1534236.shtml
7 4 0.15% http://slashdot.org/articles/00/07/21/1422251.shtml
8 2 0.08% http://arcanum.simplenet.com/links.html
9 2 0.08% http://slashdot.org/submit.pl
10 2 0.08% http://slashdot.org/comments.pl
11 2 0.08% http://slashdot.org/interviews/00/05/23/007214.shtml
12 2 0.08% bookmarks
13 2 0.08% http://slashdot.org/askslashdot/00/07/15/2030252.shtml
14 1 0.04% http://slashdot.org/apache/00/05/22/1858206.shtml
15 1 0.04% news://news.sprint.ca/397CFD3F.5FE204BA@metallicafan.com
16 1 0.04% http://slashdot.org/articles/00/05/17/2136258.shtml
17 1 0.04% http://slashdot.org/index.pl
18 1 0.04% http://slashdot.org/askslashdot/00/05/09/0131249.shtml
19 1 0.04% http://www.greatdomains.com/domains/details.asp
20 1 0.04% http://slashdot.org/science/00/05/04/0816244.shtml
21 1 0.04% http://slashdot.org/articles/00/07/24/1617240.shtml
22 1 0.04% http://www.zdnet.com/gamespot/filters/
23 1 0.04% http://slashdot.org/articles/00/05/22/1345215.shtml
www.poak.net
In the middle there. Oh well.
Got Rhinos?
I understand the point of and the lamentation in your post. However, I heard an anthropologist point out an interesting fact, how well humans do get along, better than most other species. Humans are willing to sit quietly next to total strangers in a dark movie theater or in a crowded train. Other animals are mostly not capable of this sort of feat.
How do you know they didn't know it would be posted to Slashdot? If you look at the whois record of geekflavor.com, snowphoton@MINDSPRING.COM is listed as technical and administrative contact. 'snowphoton' was the handle of the person who submitted the story.