Slashdot Mirror


Slashback: Efficiency, Observation, WEP

Slashback brings you updates and additional notes on recent Slashdot stories. Tonight that means more on computers playing chess, on judges who don't like being monitored in the workplace (too bad!), and on the (less totally spectacular, still bad) cracking of 802-Errr, something.

Sargon Deep Fritz playing a person may be more cutting edge (and take a lot more processor power), but it seems like an awful lot of resources to spend on playing chess. Alex Bischoff writes: "From the February 1983 issue of "Your Computer", it's chess in 1 KB (for your brand-new ZX-81)."

But sir, even the judges are objecting! saulgood writes "the NY Times is carrying a further article here, about the revolt amongst some judges over their ability to look at Britney Spears and download Metallica mp3's at work... that's right - Power to the People Baby!!! No justice, No peace..."

Take that -- no, please, take that. Bob Lee writes:

"I authored the open source program Code Red Vigilante. This is an open effort to inform the public about the dangers of the Code Red worms and to specifically notify the owners of infected machines ... Vigilante is featured on Incidents.org, OnJava.com, TheServerSide.com, and it will be on the ScreenSavers on TechTV on next Monday.

Not to put too fine a point on it ... Jeffrey Fanelli of Sniffer Technologies writes: "Just to clarify on your story, that intern didn't crack 802.11x, but WEP in a 802.11b environment. 802.11x is a recently developed standard extension to Radius and 802.11 to allow for dynamic keys to be generated per user session. 802.11x uses the same WEP RC4 encryption, but makes it far more difficult to crack given the fact that all nodes associated with a particular Access Point will have a unique session based KEY (a key which, I might add, the user of the Mobile Unit in question cannot themselves identify).

99 comments

  1. Re:Code Red Vigilante and the Natural World by SloppyElvis · · Score: 1

    I enjoy your analogy, and I must say I've had similar thoughts myself; however, I do believe that so-called 'vigilante' viruses could be of benefit.

    In the natural world, we use, as you indicate, antibiotics to ward off bacterial infection. One point you may have overlooked is the source of these treatments is overwhelmingly products of other microbes. That is, the antibiotics we use are derived from organisms such as fungi, or other bacteria.

    If we take from this analogy that fact, then we may expect that altering a harmful virus such that it attacks and destroys other harmfuls could be a very successful way of fighting it. As for your point that this could result in effective DOS attacks, measures could be taken to ensure that this would not happen. How? Because we (the good guys) would have full control over the distribution of the 'vigilante', just as we do for drugs in a patient. Writing a 'vigilante' to distribute itself in the same manner as the original would fall off the board in being analogous to a vaccine (which is a weakened virus incapable of replicating itself extensively); instead, it would just be another form of the virus itself. So, constructs such as web watchdogs could be used to identify vulnerable machines first. Then, they could be checked for infection. The infected "patients" could then be used to alert the watchdog of other machines to check for vulnerability (via mail list), and repeat. The key point is: watchdogs could be trained NOT to check machines that have already been checked (by cataloging checks to a large DB), thus ending a DOS attack scenario. It would be a large task to accomplish, but it is not out of the question.

    We already have 'protection' against attacks in machines that are given frequent security updates. While downloading the latest patches doesn't insure one from receiving a brand new virus, it does hedge the spread of that virus. The main problem, as I see it, is that incompetent Admins often fail to realize that they are vulnerable, or that they should download a security patch post haste. I guess they never learned: an ounce of prevention is worth a pound of cure.

  2. Restricted access on public owned machines... by jedi_gras · · Score: 1

    So does that mean I can go to the local library and go dl some pr0n?

  3. Code Red Vigilante and the Natural World by Atreides4 · · Score: 3, Interesting
    Computer viruses are becoming more and more like real viruses and other pathogens. Inside all of us, there are viruses and bacteria that our body tolerates, because they either are symbiotes or are clever and elusive enough to avoid total destruction. I think this is the model that computers are moving toward.

    Viruses are proliferating, and many of them are not as flagrantly destructive as Code Red or SirCam. For instance, there was a report on Jerry Pournelle's site (I can't find it now, sorry, and I also apologize for the inaccuracies of memory) about a virus that infected PCs and switched their Wordpad file that transmitted the IP address of the infected computer to hackers in Russia. I could easily have three or four viruses on my PC of this insidious type and never realize that they were there unless the Russian hackers made a move against my PC. Inside me now are a few types of virus that never gave me a fever or other symptom and probably never will unless AIDS or something else compromises my immune system. I think that computer viruses of this type are far more interesting and potentially dangerous. While I Love You, Code Red, and SirCam may be the Ebolas and Smallpoxes of the computer virus world, the more insidious types have the potential to be the Epstein-Barr or the HIV of computer viruses. Just as much of HIV's lethality and danger come from its insidiousness and lack of early symptoms, I think a virus that could truly damage the internet would be insidious and slow. Viruses that are destructive in crude and quick fashion like I Love You are quickly eradicated. To do real harm, a computer virus, like a real one, must have time to spread.

    In response to the computer virus threat, we've created an immune system for computers, in the form of anti-virus software and now maybe in the form of anti-virus worms. Speaking as someone who's had anti-virus software make their computer unbootable, a cancer of the virtual world is possible too. Let's say there's a new virus, the "I sorta like you" virus. So, some enterprising individual sets up a program to respond to an "I sorta like you" email with another worm that fixes the vulnerability. Now let's say this program gets widely distributed, so when poor User X's computer becomes infected everyone in his address book has the program. So, poor User X gets this worm from everyone in his address book. For many people, this may constitute an effective DOS attack, as it will overwhelm their mailboxes. It may very well also increase the strain on internet capacity by doubling the volume of bad email flowing. (Assuming it isn't widely distributed enough to stop the initial outbreak) There is also the potential for all kinds of mischief in "helpful" worms.

    In DDOS attacks, (such as the ones reported on GRC) we see another similarity to the natural world. We see one type of OS acting as a reservoir to attack computers running another OS. Masses of Windows machines are used to attack machines that I suspect probably run Linux or a UNIX variant. Almost like the mice that act as a reservoir of the Hanta virus that attacks humans. (The mass sending of packets also seems to resemble in many ways the mass multiplication used by "hot" viruses)

    So how do we prevent the kind of suffering that characterized the human experience with disease from being visited on the modern world virtually? We need vaccines in the virtual world, in the form of the companies that make OSes and email programs taking responsibility for making them more resistant to viruses. We also need health education of the virtual world, in the form of ways to inform newbies about the myriad security holes that exist in their Windows boxes. Finally, we need an antibiotics of the virtual world, in the form of better anti-virus programs and more rapid and efficient distribution of anti-virus patches. One day, we may make our PCs healthier than we are.

    --
    I posted and all I got was this stupid sig
    1. Re:Code Red Vigilante and the Natural World by Anonymous Coward · · Score: 0

      Computer viruses are becoming more and more like real viruses and other pathogens. Inside all of us, there are viruses and bacteria that our body tolerates, because they either are symbiotes or are clever and elusive enough to avoid total destruction. I think this is the model that computers are moving toward.

      Or, we could just design operating systems to be stable and secure. If you care to ask, you'll find a substantial list of operating systems that are both stable and secure.

      Face it: machines just ain't life.

    2. Re:Code Red Vigilante and the Natural World by King+Of+Chat · · Score: 1

      Where the analogy falls down is that cures for diseases in people have to be thoroughly tested in controlled circumstances before release. However well intentioned, someone releasing a "cure" into the wild is like me offering some home-grown concoction as a cure for AIDS. Remember thalidomide. Unintended side effects are almost inevitable in complex systems.

      Maybe we need the equivalent of testing on animals - Windows ME users on a private network.

      --
      This sig made only from recycled ASCII
  4. Re:Judges should use the internet Unrestricted by Winged+Cat · · Score: 2

    ...and all for naught if "standard procedures" become so ingrained (perhaps even burned into the ROMs) that exceptions can't be made. Which happens a lot in government agencies - like, say, the judiciary.

  5. Re:Ignorance amongst the Judiciary by Grab · · Score: 2

    Correct me if I'm wrong, but downloading pornography, streaming video (mostly pornography again) and music are NEVER job-related activities, unless you're (a) a professional musician or (b) a hooker. Since few judges fall into these categories, I think we can safely say that filtering porn and music downloads will not affect the judges' ability to use the web for research and make informed decisions.

    Of course, if the filtering is broken then it will. But some reasonably smart filtering (better than the crap the libraries decided to use) would solve that. Alternatively, just set the software to forward a list of "suspicious" pages to the admin. A few hits on "sex" will be ignored; a few dozen hits will be checked. The basic knowledge that you can be found out will be enough to stop ppl using it for that. This is the way most companies work, and it works just fine.

    You want to do it on your home machine, go ahead. It's your machine, your network connection, and your money paying for the dialup. You want to use someone else's network, you have to play by the rules for that network.

    Grab.

  6. Re:code red vigilante by lifeless · · Score: 1

    Actually, it does; it's a transitive verb.
    http://www.dictionary.com/cgi-bin/dict.pl?term=administrate

  7. Any other ideas/methods of contacting admin? by JohnTheFisherman · · Score: 1
    Would a server running IIS necessarily have mail services on? Is there any other way to passively alert the admin? At least in my neck of the woods (RoadRunner cable modem), almost none of the IPs attacking me have sites up. I've heard some web development tools install IIS without necessarily explaining what's happening in detail, and that seems to be the norm on cable, unless the worm deletes index.htm? and/or default.htm?. I went to try and harvest some admin email addresses, and couldn't find a page on many tries.

    Any other ways to non-maliciously get someone's attention in NT or 2K if you merely know their IP address?

  8. Re:With the times by Anonymous Coward · · Score: 0
    Well, for those of us old enough to have actually voted in that election AND seen the video of Bush doing this, it's quite clear that the dumb fuck was mystified by the process of a simple supermarket checkout. So save your indignation for a situation where you aren't full of shit.

    Of course, it's gotten worse; now even the dumbasses who operate the registers are mystified.

  9. Re:Pshaw, 1K. by jonathan_ingram · · Score: 1

    It doesn't work with Netscape 4, but if you're interested in seeing a chess playing program in 5k of ECMAscript, take a look at this entry to this year's 5K website competition (there are some other stunningly creative sites on there, as well).

  10. Re:Ignorance amongst the Judiciary by MadAhab · · Score: 2
    Well, you asked, so I'll correct you. You are wrong. First of all, there are many reasons that one might have job-related needs to view material that gets filtered by all sorts of filtering mechanisms. Without even counting the piss-poor job that filters do, and considering only things that you would "want" to block, any judicial case involving hookers, pornography, the Internet, streaming services (which you ignorantly claim can only mean porn; lots of news broadcasts can be seen on the web these days, which you might know if you stopped surfing pron for a few), etc, etc, etc. So you are, in fact, proposing a situation where judicial decisions are being made in ignorance. Even if the system only tracks usage, not blocks it, what judge wants a black mark on his file for just doing his job properly? I know an ABC News producer who was grilled over her pron surfing at work: never mind that she was doing a story on internet pornography, how's THAT for a chilling effect?

    What the non-tech-savvy judges are finally grasping (and you have yet to understand), is that the entire range of surveillance activities that employers perpetrate may, in fact, be illegal. The reasoning is simple and obvious; it's illegal to fuck with the mail or tap people's phones, outside of narrow exceptions, so there is an obvious conflict between the law and the frighteningly common view that mere ownership of equipment by an employer abrogates all rights of citizens of this once free country.

    So there.

    --
    Expanding a vast wasteland since 1996.
  11. Re:Some ideas for non-haxored reporting of CR by M-G · · Score: 1

    Can we (as a community) reverse engineer the 2K 'net send' protocol and create a (probably java-based) popup generator for 95/98/NT/Linux?

    How about smbclient -M in samba? The only problem I see with this is that you're going to need RPC connectivity to the infected system. If the system is behind any kind of firewall, chances are the appropriate ports aren't going to be available....hence the CRV solution of using the 0wn3d box to send itself a popup...

  12. Re:code red vigilante by david+duncan+scott · · Score: 2
    Just because "masturbation" means that you "masturbate", it doesn't follow that "administration" means that you "administrate".

    Administer your box -- it's the right thing to do.

    --

    This next song is very sad. Please clap along. -- Robin Zander

  13. Hacker? by Placido · · Score: 0, Offtopic

    From the Code Red Vigilante website:

    VOCABULARY
    (in the context of Code Red Vigilante)

    vigilante: (n) a member of the Internet community that enforces an unwritten rule or law.
    decaffeinate: (v) to notify, help, and/or aid an infected machine.
    hacker: (n) cracker.


    Looks like they use the word "hacker" in the article for the plebs and the vocabulary bit is kind of like a disclaimer so that professionals won't get irate.

    --

    Pinky: "What are we going to do tomorrow night Brain?"
    Brain: "I would tell you Pinky but this 120 char limi
  14. Re:If judges are restricted on a state-owned machi by larien · · Score: 3, Interesting
    Because they'd still be using their employer's network, at a cost to them.

    Basically, I have no problem with staff of any organisation at any level being disciplined for inappropriate use of computers, whether that be porn, MP3 or whatever. The firm puts the computers there so the employee can do their job, not so they can see tits and ass (and whatever else!).

    If an individual wants to look at porn or listen to MP3, do it at home on your own PC using your own network/modem.

  15. Re:With the times by Anonymous Coward · · Score: 0

    That page does not convincingly demonstrate the story is false. I would not be surprised that any person as famous, wealthy, and busy as former pres. Bush was unfamiliar with grocery store technology of the last 20 years. It's kind of difficult for such a person to go out in public and not draw attention. It's much easier to just have the help run out and pick up the stuff you need. Those who make it to the White House are almost without exception living insular lives. Once you get that much wealth and political power it's difficult to remain connected to the world of the peons.

  16. Pr0n detection by dingbat_hp · · Score: 1

    Porn detection is easy. Much of it (SoCal organisations anyway) is fed from a very small number of very large server farms. Any admin connected with the industry can recognise these by their IP. Although this only detects a fraction of all possible porn, any access to numbers in these blocks is a very reliable indicator of at least some porn content.

    Statistically, a porn consumer is also likely to have hit at least one of the sites connected with these cartels.

    I work with web-streamed video. Talking to porn webmasters is essential to my work, because these are the guys who had to solve all my problems a year before I knew I had them, and (respect due) they're almost the only profitable part of the dot.com game.

    PS - Good to see you on Slashdot, Sheldon.

  17. Re:code red vigilante by reverius · · Score: 1

    That's funny... the 3600 code red infection attempts that have hit me have ALL been from "home machines". You know, the ones running the copy of Windows 2000 Server that somebody brought home from work? Or the ones that have IIS installed, but don't know what it is, so they haven't removed it?

    These are apparently way more common than I thought, because I'm being flooded with hits from Cable/DSL users, and especially Sprint Broadband (my ISP).

    Of course I'm running Apache... and I've already had numerous friends who were misinformed similarly about the virus...

    One friend heard about it on CNN that it "affected Windows" and he thought he HAD the virus, because he has Windows 98 and it started to slow down.

    One friend runs Windows 2000, but he's a bit smarter - he does not have IIS installed, and has a firewall. And his firewall has big logs of people trying to infect him. :)

  18. Re:Burn them all, it's the British way. by Anonymous Coward · · Score: 0

    ...umm...that's how they've "treated" F&M for quite some time. and Anthrax, etc.

    The biggest irony is brucellosis in wild animal populations that are overlapped by cattle ranching. While it is the state's responsibility to vaccinate and cull wild animal herds of infected animals, the ranchers do not have to do the same...

  19. Re:Judges should use the internet Unrestricted by Grab · · Score: 2

    Sometimes yes, but that's an incredible minority. Sometimes an investigative reporter will have to as well, but does that mean that every employee of every radio station, TV station and newspaper in the country should be allowed access? If one person needs access a year, out of an organisation of several hundred thousand, it's easier to make a special case for them than to let everyone go hog-wild. Don't forget that all these porn and music downloads will be slowing the network down, so a judge doing REAL work will be impeded!

    Common sense, man. If you need access to it, you ring IT, tell them "I'm doing some investigation of XYZ, so don't be surprised if some dodgy pages show up". Job done. Takes 30 seconds at most, and the cost of a phone call. As against months of investigations, hundreds of thousands of dollars wasted...

    Grab.

  20. Re:Clarification by ppolf · · Score: 1

    Being in the Information Security department for a large brokerage house...I can speak "authoritatively" on this. One: Why in the world would a judge be doing something confidential over the net?! If so, it should be encrypted, which the individual monitoring wouldn't be able to read anyway. Two: Since when do people have the "right" to surf porn at work on company time on computers they don't own? I have no problems with people surfing porn or downloading mp3's...but doing it at work is just irresponsible. Besides, the judges should know the legal aspects of surfing porn at work and sexual harassment laws. Just a couple of points I think people tend to overlook...

  21. Re:Clarification by Winged+Cat · · Score: 1

    Encryption over the 'Net won't stop, say, keyboard monitoring, which this could be expanded to.

  22. Burn them all, it's the British way. by M_T_Toaster · · Score: 1
    The most effective way to stop the spread is to destroy them all. If all susceptible machines are put down, preferably permanently, then the worm won't spread.

    That's what our beloved Tony has done to all our livestock, so it must be a good plan. Foot and Mouth was decided to be so important the Govt ignored the law so...

    Or should we just wait for some malicious little hacker to trash all vulnerable machines for us?

    --I would be working but my license ran out :-)

  23. 802.11i not 802.11e :-) by remou · · Score: 1

    from the IEEE 802.11 website:

    Note: the Security portion of the TGe PAR was moved to the TGi PAR as of May 2001

    makes it 802.11i by now I guess...

  24. Re:With the times by Anonymous Coward · · Score: 0
    This reminds me of Sandra Day O'Connor's contempt that people in Florida couldn't follow allegedly simple voting procedures

    More propaganda. It was the people of Florida themselves that admitted they couldn't follow simple voting instructions.

  25. Re:With the times by GeekOfSpades · · Score: 1

    You are wrong. The New York Times makes that clear. Not the page. Read the page again. If you still don't understand, repeat until you get it.

    Jesus Christ I can't stand it sometimes...

    --
    "When the going gets Weird, the Weird turn Pro." - HST
  26. Re:code red vigilante by jeffy124 · · Score: 1

    Then how does CRV handle machines infected with Code Red I? The method you cite will only work for machines carrying CR II.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  27. Some ideas for non-haxored reporting of CR by JohnTheFisherman · · Score: 2
    Here are a few ideas I just sent off to CRV:

    There are a lot of people out there (/. is where I've been following this) that are reluctant to initiate remote access to a machine. I have done a little digging around at work, where we have most different versions of Windows, and figured this much out:

    You can use the 'net send ip.ip.ip.ip message' to initiate a popup window on an NT or 2K box, but you can only specify an ip address from 2K. NT will only work with locally networked machine names, not ip addresses, and 98 doesn't have net send.

    I have a few ideas on this, to protect those of us who are squeamish about using an 0wned box. I do a little embedded stuff, but am not a programmer per se, especially not Java or Windows, but:

    Can we (as a community) reverse engineer the 2K 'net send' protocol and create a (probably java-based) popup generator for 95/98/NT/Linux? This will send a message from your computer to theirs, without using their cracked box to do it. This would be a more favorable solution, as it would keep the workload distributed rather than client-server.

    Or, can we create a java-based tattle tale app that reports offending IPs to someone outside the US or who just doesn't give a crap? ;) They could then send the LOCALHOST message. I suppose this could be done very easily with some 2K servers which provide some (limited!) access to the 'net send' command, and each java client could access that command (with the admin's permission of course, that's my whole point).

  28. Re:code red vigilante by M-G · · Score: 1

    then fires back at the same hole Code Red exploits and causes the pop-up.

    Not completely correct. The Java code is not using the hole that Code Red exploits. It's exploiting the hole that Code Red creates.

  29. Re:code red vigilante by Anonymous Coward · · Score: 0

    "The software is causing a pop up to appear on that machine, which can be viewed as a penetration from your machine into the remote machine. This is can be viewed as illegal because you are knowingly making access to a computer system which you have not been authorized." So can I sue perpetrators of popup Ads then?

  30. Re:code red vigilante by jeffy124 · · Score: 1

    I realized a possible flaw with the AI plan. If the server is code red infected, attempts to look at the website will most likely return a "Hacked by Chinese" page.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  31. Servlet by Hard_Code · · Score: 2

    Ok, so somebody go make a servlet out of this. I am already running a web server with a servlet engine (tomcat), so I can't just set up a standalone program listening on port 80.

    --

    It's 10 PM. Do you know if you're un-American?
  32. Re:Auto-patch Code Red Machines by Enigma23 · · Score: 1
    Droyad said:

    "This is the kind of attitude that supports the automatic patching/formatting of code-red infected machines."

    I'm sure I remember someone telling me about a specific Worm or Virus (maybe a Trojan Horse, I can't remember - damn my crap memory) that when it entered your system, looked for a specific security hole, extracted the patch for it from its built-in code, patched your security hole for you and then spread itself out across the rest of the Internet...

    Hmmm, maybe this could be a way for Microsoft to actually have secure systems all over the world, by patching everyone's buggy, insecure systems with stealth patches while they're not looking? :-)))

    --
    Ceci n'est pas une .sig
  33. it's more than that by child_of_mercy · · Score: 2

    did you read the article?

    The 9th circuit is all but in revolt over the very kind of constraints of freedom that /. gets worked up about

    They are certainly going to all be far more aware of the issues once this is all over.

    --
    'There is a Light that never goes out.'
  34. Re:Logging all emails? by ErikZ · · Score: 1

    Give me a break. If there are layoffs and they want to get rid of you, they'll come up with something. Be it email or the time you punched in 1 minute late. The email rules are there to protect THEM, and to put you in your place if needed.

    --
    Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  35. Re:How to save WEP. A modest proposal... by reverius · · Score: 1

    Why would you want to save WEP? It was a bad protocol to begin with, and it was an incredibly weak encryption.

    The people who designed it knew that it would be broken, and it was only a matter of time.

    The point is that you are supposed to use strong encryption in software over such a link, if you care about security at all. WEP was really a false sense of security in the first place.

    And a false sense of security (non-broken WEP) is worse than no security at all (broken WEP).

  36. Re:802.1x, not 802.11x by djrogers · · Score: 2

    Yup, and to further convolute things, the wireless specific implementation of this is 802.11e

    --
    Think outside the... Hey, where'd the friggin' box go?
  37. Re:Logging all emails? by psychalgia · · Score: 1

    maybe it is and maybe it isn't. your company has a right to do this, but chances are they won't use it against you -- ever -- and if they do, do you want to be working for them? 10-1 odds suggest that they keep that shizz for their own protection (like if I, an employee of Johnson Wax, had the need to email Glad, and let em know about some new products I had seen)
    Stay out the porn, and high-bandwidth and it probably won't be an issue. Just be kinda inconspicuous -- some dumb people at your company listening to .RAM radio will probably be more noticeable. (believe it or not, I actually found out our secretary used to do this, what a fortune in bandwidth that must have cost! 8hours/ day * 5 days a week *....)


  38. Re:code red vigilante by booch · · Score: 2

    If you think about it, the vigilante code is really just sending a message to the owner of the system. Passing messages would not normally be considered breaking in.

    As an analogy, consider it the equivalent of laying a message inside of an open door.

    --
    Software sucks. Open Source sucks less.
  39. code red vigilante by perdida · · Score: 5, Informative

    See the Kuro5hin.org story on this issue..here

    Basically you are penetrating an already 0wned computer, but this still exposes you to liabilities. It's a precipitation of the libertarian or wild wild west version of the Internet. The thing to do is to get a respected authority, such as the FBI or the police, to notify the 0wned, hence saving yourself from accusations of propagating Code Red or being a cracker yourself.

    1. Re:code red vigilante by FooManChuYouMoo · · Score: 2, Informative

      I think this is the correct link: http://www.kuro5hin.org/story/2001/8/8/53543/46803

    2. Re:code red vigilante by jeffy124 · · Score: 2
      This is a serious issue with programs going back to 'patch' infected machines. It doesn't matter that you're being helpful or alerting an admin of a problem. It's illegal because you are making access to a computer that you are not authorized.

      better idea (that's legal too!) - have an AI module or something look back at an infected server and see if it is indeed an operational website as opposed to someone who isn't aware IIS is on their machine. Have that AI mod attempt to find a webmaster@server email address and send a *friendly* looking email to there advising the person to the problem. One with links to CNN and MS websites about Code Red will also be more effective, as the person can verify that Code Red is indeed a true threat. Links to technical specs of the virus may scare the person from doing anything.

      Another idea would be to do a reverse DNS lookup on the infected IP address. If there's a result, lookup a dns contact info via whois, and again generate an appropriate email to that address.

      These can be automated quite easily by embedding the code in a CGI that goes by the name default.ida (and running on apache or some other non-IIS system). When a string of N's or X's (or whatever the current strain does) is detected, jump into action.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
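
The log-side detection described in the comment above (spot the `default.ida` request padded with N's or X's, then reverse-resolve the source so a contact can be looked up), sketched as an added example that is not from the thread or from Code Red Vigilante. The log lines, addresses, hostname and all function names are constructed for illustration, and the `already_notified` set is an assumption reflecting the thread's concern about mailing the same admin repeatedly.

```python
import re
import socket

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+'
)
# Signature from the comment: /default.ida? followed by a long run of N's or X's.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<pad>N{20,}|X{20,})')


def make_line(ip, ts, request, status=404):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [{ts}] "{request}" {status} 287'


# Constructed sample log. The worm's encoded tail after the padding is omitted.
SAMPLE_LOG = [
    make_line("192.0.2.10", "09/Aug/2001:03:12:45 -0400",
              "GET /default.ida?" + "N" * 224 + "=a HTTP/1.0"),
    make_line("203.0.113.5", "09/Aug/2001:03:13:02 -0400",
              "GET /index.html HTTP/1.0", 200),
    make_line("198.51.100.7", "09/Aug/2001:03:20:19 -0400",
              "GET /default.ida?" + "X" * 224 + "=a HTTP/1.0"),
    "truncated garbage line",
    make_line("203.0.113.5", "09/Aug/2001:03:25:00 -0400",
              "GET /default.ida?NN=1 HTTP/1.0"),  # too short to match the worm
    make_line("192.0.2.10", "09/Aug/2001:04:40:11 -0400",
              "GET /default.ida?" + "N" * 224 + "=a HTTP/1.0"),
]


def find_probes(lines):
    """Group matching requests by source IP, in first-seen order."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        probe = PROBE_RE.match(m.group("req")) if m else None
        if not probe:
            continue  # malformed line or ordinary request
        rec = hits.setdefault(m.group("ip"), {
            "padding": probe.group("pad")[0],  # 'N' or 'X', as seen in the log
            "count": 0,
            "first": m.group("ts"),
        })
        rec["count"] += 1
        rec["last"] = m.group("ts")
    return hits


def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Reverse DNS lookup; None when the address has no PTR record."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def build_reports(lines, already_notified=(), resolver=socket.gethostbyaddr):
    """One notification draft per source IP that has not been contacted yet."""
    reports = []
    for ip, rec in find_probes(lines).items():
        if ip in already_notified:
            continue  # one message per host, not one per probe
        host = reverse_name(ip, resolver)
        text = (
            f"Your host {host or ip} ({ip}) sent {rec['count']} request(s) for "
            f"/default.ida padded with '{rec['padding']}' to our web server "
            f"between {rec['first']} and {rec['last']}. This matches the Code "
            "Red worm; the machine is probably running an unpatched IIS."
        )
        reports.append({"ip": ip, "host": host, "text": text})
    return reports


def sample_resolver(ip):
    """Offline stand-in for socket.gethostbyaddr (constructed data)."""
    names = {"192.0.2.10": "host10.example.net"}
    if ip not in names:
        raise socket.herror(1, "Unknown host")
    return names[ip], [], [ip]


if __name__ == "__main__":
    for report in build_reports(SAMPLE_LOG, resolver=sample_resolver):
        print(report["text"], end="\n\n")
```

The resolved hostname is only a starting point for a whois contact lookup; the draft still needs a person to decide where it is sent.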
    3. Re:code red vigilante by lifeless · · Score: 1

      Are they penetrating the computer? Or emailing postmaster@ ? The Code Red Vigilante pages weren't very forthcoming, and that K5 link was completely offtopic.

      If they are penetrating the computer in response, then I agree with your statement, if it's a simple "when scanned by foo, email foo" then surely there's no issue there? Although.. it might be annoying to get 4000 emails saying a machine you don't administrate is infected :}

    4. Re:code red vigilante by jeffy124 · · Score: 3, Informative
      it took me a moment to figure it out too, so don't feel bad ....

      what the program does is set up a listener on port 80 of your machine. When GET requests come in matching that of Code Red trying to spread, the program drops those requests, then connects back to that machine via its IP address and exploits the same hole Code Red does, but this time it causes a simple dialog box to suddenly appear on the infected desktop, telling the person who's currently sitting in front of the machine of the problem and what to do. He has screenshots of that dialog at the bottom of the page.

      the author of the program says he's already gotten an email from someone saying that he asked his ISP about Code Red, they told him he shouldn't be concerned because code red doesn't infect "home machines." go figure :/

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    5. Re:code red vigilante by toast0 · · Score: 1

      the codered machines attacked me first, i was just acting in self defense to avoid being attacked again.

    6. Re:code red vigilante by jeffy124 · · Score: 1

      hmm, interesting take on the situation. i guess that could fly, but then again, IANAL

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    7. Re:code red vigilante by Pii · · Score: 2, Insightful

      You are not penetrating the remote system...

      That system has initiated an HTTP request to your system, and you are merely fulfilling that request.

      It's just like when you choose to browse a web page, and it includes some Java, or Javascript. When you initiate the connection, you get what you get.

      Can you sue some website just because they toss a few pop-up windows at your screen?

      Besides, the owners of infected systems are negligent, as the patch to this vulnerability was released by Microsoft almost 2 full months ago (June 18th). Their negligence is contributing to this modern day "Tragedy of the Commons."

      F*** 'em.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    8. Re:code red vigilante by jeffy124 · · Score: 3, Insightful
      You are not penetrating the remote system...

      Correction: By using that software, you ARE penetrating the remote machine. The Java code takes the Code Red http attempt to spread and drops it, then fires back at the same hole Code Red exploits and causes the pop-up. The software is causing a pop up to appear on that machine, which can be viewed as a penetration from your machine into the remote machine. This can be viewed as illegal because you are knowingly making access to a computer system which you have not been authorized.

      I agree that negligent admins are to blame at this point. But that doesn't matter to the legal system (at least in the US).

      At least in theory, if company Z's SA gets such a pop-up and wants to sue the guy who ran Code Red Vigilante and caused the popup, the press could gobble up this as company Z failing to follow good security practices and result in a bad taste for Z's customers. So in reality, no lawsuit or other legal action may actually come out as a result.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    9. Re:code red vigilante by spectral · · Score: 0

      I was thinking about this, it wouldn't hold up. Self defense is a defense against yourself when there's clear and present danger. You weren't being affected by the scan, so there's no danger, and therefore this defense won't hold up.

    10. Re:code red vigilante by A.+Lundeby · · Score: 2, Interesting
      Or take a different approach: They sent me a request, I am simply sending back a stream of data to fulfill that request. I may interpret their request in any way that I see fit.

      Them: "Oh, but the computer sent that request without my knowledge!"

      You: "No problem, my computer answered that request without my knowledge."

      Self defense or not, they are requesting data from your computer.

    11. Re:code red vigilante by toast0 · · Score: 2, Interesting

      i was affected by the scan

      it was clearly a denial of service attempt to fill up my logs (my publicly accessible webserver runs on a 120 meg drive, 20 of which is swap)

      as the affected machines will continue to hit my machine w/ really long urls for the logs, stopping them will prevent the logs filling up as quickly (yes this is a big deal, my logs rotate weekly, and in general, before codered was hitting me, i got maybe 10 requests a day, w/ code red i got 10 _long_ requests an hour)
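
Added example, not written by any poster in this thread: the passive half of what the comments above describe, a scan of web-server access logs for `default.ida` requests padded with N's or X's, counted per source address together with the log space they consume (the complaint in the last comment). The Apache common log format, the 64-character threshold, the function names and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MIN_RUN = 64  # assumed minimum filler length; tune against your own logs
# /default.ida? followed by a long run of one filler character (N or X)
PROBE_RE = re.compile(r'^/default\.ida\?(N{%d,}|X{%d,})' % (MIN_RUN, MIN_RUN))


def classify(target):
    """Return 'N' or 'X' if the request target looks like a worm probe."""
    m = PROBE_RE.match(target)
    return m.group(1)[0] if m else None


def summarize(lines):
    """Count probes per source IP and the log bytes they account for."""
    per_ip = defaultdict(lambda: {"probes": 0, "fillers": set(),
                                  "first": None, "last": None})
    stats = {"parsed": 0, "malformed": 0, "probe_bytes": 0, "other_bytes": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                      # truncated or non-CLF line
            stats["malformed"] += 1
            continue
        stats["parsed"] += 1
        filler = classify(m["target"]) if m["method"] == "GET" else None
        if filler is None:             # ordinary request, or filler too short
            stats["other_bytes"] += len(line)
            continue
        stats["probe_bytes"] += len(line)
        entry = per_ip[m["ip"]]
        entry["probes"] += 1
        entry["fillers"].add(filler)
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(per_ip), stats


def notification_candidates(per_ip, min_probes=2):
    """Sources that probed repeatedly: input for a reverse-DNS/whois lookup."""
    return sorted(ip for ip, e in per_ip.items() if e["probes"] >= min_probes)


def make_line(ip, ts, request, status=404, size=283):
    """Build one common-log-format line for the constructed sample."""
    return f'{ip} - - [{ts} -0400] "{request}" {status} {size}'


N_PROBE = "GET /default.ida?" + "N" * 224 + " HTTP/1.0"
X_PROBE = "GET /default.ida?" + "X" * 224 + " HTTP/1.0"
# Constructed sample log: documentation address ranges, invented timestamps.
SAMPLE_LOG = [
    make_line("192.0.2.10", "09/Aug/2001:10:01:12", "GET /index.html HTTP/1.0", 200, 1045),
    make_line("198.51.100.7", "09/Aug/2001:10:02:40", N_PROBE),
    make_line("198.51.100.7", "09/Aug/2001:10:03:05", N_PROBE),
    make_line("203.0.113.99", "09/Aug/2001:10:03:30", X_PROBE),
    make_line("192.0.2.10", "09/Aug/2001:10:04:00", "GET /default.ida?NNNN HTTP/1.0"),
    "09/Aug/2001:10:05:00 truncated entry",
    make_line("198.51.100.7", "09/Aug/2001:10:06:10", X_PROBE),
]

if __name__ == "__main__":
    hosts, totals = summarize(SAMPLE_LOG)
    for ip in notification_candidates(hosts):
        h = hosts[ip]
        print(ip, h["probes"], sorted(h["fillers"]), h["first"], h["last"])
    print(totals)
```

The resulting list of addresses is what the reverse-DNS and whois contact lookup suggested above would take as input; the script itself only reads logs and never connects to the probing host.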

  40. First Esperanto post! by Anonymous Coward · · Score: 0, Offtopic

    Esperanto is good!

    1. Re:First Esperanto post! by Diomedes01 · · Score: 1

      Umm... how did this get modded as insightful? Someone should get a serious smackdown in metamod.

      --
      "To hope's end I rode and to heart's breaking: Now for wrath, now for ruin and a red nightfall!"
  41. Pr0n me baby one more time! by Rudeboy777 · · Score: 5, Funny

    ...revolt amongst some judges over their ability to look at Britney Spears and download Metalica mp3's at work.

    I think we have a new champion for the dictionary definition of irony!

    --

    From hell's heart I fstab at /dev/hdc

  42. With the times by yali · · Score: 2, Insightful

    "We are going to have to rule on the legality of this," he said, "because employers all over the country are doing this."

    Are, were, have been for the last ??? years... This reminds me of Sandra Day O'Connor's contempt that people in Florida couldn't follow allegedly simple voting procedures (the folks at the country club where she votes just mark "Republican" all down the ballot for you and hand you a martini), or George Bush the First's amazement at an infrared scanner at the grocery store late in his term (he hadn't been to a grocery store in years). Welcome to Everybody Else's America, judge!

    1. Re:With the times by Nick+Number · · Score: 1

      or George Bush the First's amazement at an infrared scanner at the grocery store late in his term (he hadn't been to a grocery store in years). Welcome to Everybody Else's America, judge!

      I'm no fan of George Sr., but this story isn't true.

      --
      Promote proofreading. Don't mod up sloppy posts.
    2. Re:With the times by Mike+Schiraldi · · Score: 2

      Berkeley's a good school, you must be a smart kid. So why are you spreading apocryphal stories?

    3. Re:With the times by Anonymous Coward · · Score: 0

      This reminds me of Sandra Day O'Connor's contempt that people in Florida couldn't follow allegedly simple voting

      Contempt seems appropriate in this case. Your point?

    4. Re:With the times by SpinyNorman · · Score: 1

      The link seems to confirm the story rather than refute it. They make it quite clear that Bush Sr was wowed by the basic scanner - unfamiliar with it.

  43. Clarification by Sheldon_Brown · · Score: 5, Insightful

    At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    While this is certainly what the esteemed newspaper reporter has printed, we must ask ourselves: is it true? That is, is the monitoring program they have installed so brilliant, so incredibly artificially intelligent, that it can distinguish these three things: "pornography, video, and music" from everything else the judges might be looking at? Or is it (as I might believe to be the case) that the program is far less intelligent than the reporter claims, that the program simply monitors what web pages are viewed, and reports & tracks this at a central authority. Perhaps the judges don't wish any central authority to know that they are reading www.2600.com? Or perhaps that they are posting to weblogs as "Anonymous Coward", writing tracts such as "IANAL", which we all know means "I am not a lawyer (i'm a judge)" but which might be construed as pornography (I ANAL).

    I think we must petition the reporter to check his facts at once.

    --
    "A coward is incapable of causing destruction; it is the prerogative of the brave" - Mahatma Gandhi
    1. Re:Clarification by rgmoore · · Score: 5, Informative

      I don't think that this is an issue of bad research as much as it is one of bad writing. It seems pretty clear from some of the other comments that the author does understand that it's necessary to monitor everything in order to see if the people in question are surfing for pr0n, etc. Take for instance the quote:

      "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book," Judge Kozinski said. "I don't think its appropriate for us to be forcing employees to give up rights wholesale without showing any need. If we did this with telephones, people would be outraged."

      The problem is one of bad writing. The author doesn't make it explicit that the judges are worried that everything they do is being monitored.

      One issue that's potentially pretty scary about this is that judges need confidentiality. They are sometimes required to seal documents, rule on the admissibility of trade secrets, and generally deal with things that are supposed to be given strictly limited circulation. Putting monitors on their computers so that people back in Washington can see what they're doing has the potential to undermine the confidentiality of their work, and the implications of that are very serious indeed.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Clarification by Monkeyman334 · · Score: 2

      They aren't going to look at the compressed video streams, but when you get sent the plain text header for the file hot_sexy_porn.rm, it gives it away.

  44. Pshaw, 1K. by Anonymous Coward · · Score: 0

    Sure it's 1K but it's what, 500 lines of code? I can create a 350 K executable under microsoft visual c with three includes and an int main() {return 0;}. What's more, there's probably a chess-playing example somewhere that accidentally makes it into my executable each time...now that's what you call bloatware....

  45. Ignorance amongst the Judiciary by Jailbrekr · · Score: 5, Insightful

    The vote stems from a conflict that has been simmering since this spring. At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    So I guess the judges are forbidden to actually see the capabilities of the internet, but merely listen to half baked descriptions and accusations from the various special interest groups?

    My Grandmother had a saying "Believe none of what you hear, half of what you read, and all of what you see". This filtering bullshit will SERIOUSLY impede the judges' ability to make an INFORMED decision.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Ignorance amongst the Judiciary by Jerf · · Score: 2
      If we can't trust our law enforcement officials, who can we trust? (Certainly not the common Joe.) This does cause an intriguing kind of infinite regress of monitoring.

      On the other hand, an ignorant law enforcement system can be manipulated. (Gripping hand, usually those with money and power end up more successfully manipulating it than geeks.)

    2. Re:Ignorance amongst the Judiciary by Grab · · Score: 2

      "So there." Well, that's me told! *bg*

      Yeah, guess you're right about the news footage. Although it's not that widely used since most of us don't have good enough connections (30 minutes delay to watch 2 minutes of footage is a shitty deal IMO, although I guess judges would have better links than that! :-)

      The ABC news producer was "grilled"; does that mean "formally reprimanded" or just "asked why she was doing it"? The former would be ABC having their heads up their ass; the latter would be completely normal and no big deal. She could have avoided the latter with a 2-line email to IT and her manager, if she'd thought about it for a minute or two beforehand.

      I'm not proposing making decisions in ignorance. I said that where the case in question requires access to this information, the judges should have unrestricted access to that information. I also said that these would be unusual cases which would not occur very often, so making these a special case is justified. I stand by this. Does every case involving hookers require the judge to spend a couple of hours watching pr0n on the Internet? This is only justified if the case involves some bizarre form of video (like those crush films that came up recently), and this kind of case will only come up a few times a year in the whole of the country!

      It may be illegal to mess with the mail; OTOH it's perfectly legal for your employer to open letters sent to you at work, on the grounds that these are sent to you as a representative of the company, not as a private individual.

      Grab.

  46. ZX Chess by roxytheman · · Score: 1

    One thing that would be really cool would be to use my ZX spectrum to play against the really good players at Freechess. Maybe I could beat them just ONCE! :-)

    --

    Find nice cocktail recipes @ www.spitzy.net
    1. Re:ZX Chess by mgarraha · · Score: 1

      Some good players can tell the difference between computer and human styles of play. Ask the Freechess admins to set the Computer flag on your account so it's legit and they can't complain. It might be amusing to see how your ZX stacks up in one of the weekly tournaments.

  47. Good, now they can see what it's like to be normal by codewolf · · Score: 3, Insightful

    "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book,"

    And all along I had assumed that when at work, the computer I was working on was my employer's property, and they could monitor it. Maybe all laws should be tested on the legislators (and judicial branch that upholds such laws) so they can feel the effects. Heh, maybe it would even lead to police and the US President following some of the laws that the rest of us have to live under.

    --
    http://www.codewolf.com - Just good stuff to waste time
  48. How to save WEP. A modest proposal... by partridge · · Score: 3, Funny

    I've figured out how to save WEP. All we have to do is stop those damned scientists from posting their findings. So all we have to do is compose a little tune, encrypt it with WEP, and then sue them to prevent them from presenting their findings under the premise that it is an illegal code-breaking program designed to deprive us of our rights under the DMCA.

  49. I don't really care about the legal aspects by Chuck+Chunder · · Score: 2

    beyond the fact that I don't want to get in legal trouble.
    Is it possible to bounce the "Code Red Vigilante" http requests via a web anonymizer service over SSL?

    Any moral problems here are minor, ultimately if a machine you own is sending a potentially harmful http request to my machine, I don't see any problem sending a less harmful one back.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  50. 802.1x, not 802.11x by Adam+J.+Richter · · Score: 3, Informative

    The security standard in question is 802.1x, not 802.11x, because it is theoretically not specific to wireless, although the distribution of per-session WEP keys is. You could, for example, use 802.1x to authenticate conference attendees to use ethernet ports in conference rooms.

    1. Re:802.1x, not 802.11x by j+h+woodyatt · · Score: 1

      Indeed. This is quite correct.

      I, for one, am waiting for peoples to realize that 802.1x *is* the International Standard Cookie Monster protocol. Every time your authorization to access the network expires you'll be prompted for your identification.

      Unless, of course, you aren't-- in which case, what's the point of deploying 802.1x?

      --
      jhw
  51. So what if the judges are protesting? by Guppy06 · · Score: 2

    I'd protest for my right to view pr0n, too, if the only way to forcibly remove me from my job is through impeachment. These judges literally have nothing to lose, the best the people in DC can do is bitch and moan.

  52. Judges should use the internet Unrestricted by droyad · · Score: 3, Interesting

    Sometimes Judges have to use the internet for reasons that are proper, but could be construed as "bad"

    The judge in the napster case would have to use napster and download music to make an informed decision.

    The judge in Flint Vs US had to look at pornos

    and the judge in State Vs Micro$oft had to use IE.

    Judges should be trusted to make their own decisions about what they look up. If they are afraid of accessing material to make an informed choice, because of possible bad publicity, that is BAD

  53. If judges are restricted on a state-owned machine, by Decimal+Dave · · Score: 3, Insightful

    ...then why don't they just buy their own box to use in the office?

    --

    "Leave the strategizing to those of us with planet-sized brains." -Tycho
  54. Back to the future by update() · · Score: 2
    In accordance with my new resolve to better plan ahead, I hereby claim First Post on Michael's future Slashdot article "Poor, misunderstood hacker jailed by clueless, corrupt judge for anti-Code Red vigilanteism." (from the no-i-mean-cracker-no-wait-i-mean-hacker dept.)

    What an idiot! I have zero sympathy for this clown who found exactly the trouble he was looking for.

    I'd grab FP on Jon Katz's follow-up about geek oppression and the tyranny of global corporations but I got bored after trying to imagine the eleventh paragraph.

  55. Logging all emails? by N3P1u5U17r4 · · Score: 0

    I just found out that my company logs all email messages going through our server. They have them zipped up and archived from since the company existed. Should I be shocked by this, or is this standard practice?

    --
    You're Just Jealous Because The Voices Are Talking To Me.
    1. Re:Logging all emails? by eggboard · · Score: 1
      You're not really shocked, are you? The case law establishing the right of employers to monitor employees' email goes back a few years, almost to the dawn of the Internet. The fact is that you should never use a work account or work machine to do anything remotely unwork related because your employer should be assumed to be monitoring your communications. This is the fact of life in the U.S. (And partly the fact that employers typically own the equipment and have an implicit or explicit contract with you that states that during your time on the job, you won't do personal stuff.)

      Many employers let a lot of personal stuff slide, but just wait until there are either layoffs or firings. You'll see that old email and Web browsing patterns and content show up at the exit interview. "We're not paying you severance and are firing you with cause because on these 700 occasions you violated a clearly established workplace policy."

      A friend recently emailed from his work account that an event at his company wasn't going to take place. That event, a product launch, was private, and he had told me face-to-face about it. However, sending email from his work account! I warned him. I said, those kinds of emails will show up when the company doesn't want to pay unemployment.

      That's the facts. Employees should probably be explicitly granted limited privacy rights at work, but it's more about the nature of work in the U.S. and our lives than it is about the law. We can't be expected to both have privacy rights and carry out a job, because we're children, as opposed to the adults in Europe. (Who have lower productivity, enormous unemployment rates, and erratic economies.) I admire Europeans' work ethic, actually, and perhaps we'll one day adopt it.

      --
      Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
  56. Auto-patch Code Red Machines by droyad · · Score: 1

    The author of the Vigilante software cites an email he got from an infected user, saying that his ISP said he was not vulnerable to the code red worm.

    This is the kind of attitude that supports the automatic patching/formatting of code-red infected machines.

    If someone could write another virus, that spreads like the code red worm that shuts down the effects of the worm and then tries to "infect" other machines, passively or actively, for say a month's time, it would greatly reduce the number of machines out there that are infected

  57. Ironic... by Winged+Cat · · Score: 2

    So, if the judiciary were to file a lawsuit against workplace monitoring, would any judge in the USA be able to oversee the case as, well, an impartial judge? What if it got appealed to the Supreme Court, yet all nine sitting judges there were part of the plaintiffs?

    Actually, thinking about it for a bit, I'm pretty sure what the practical result would be, regardless of what the law (currently) says: Court of Public Opinion. ;)

  58. Company Time by Anonymous Coward · · Score: 0

    If the Judges need to download music from napster as research for the napster case, they could simply tell the IS Department that. I find it hard to believe that they would not be given the chance to defend their actions while on the Internet.
    What I REALLY find hard to believe is that the IS Department let them get away with disabling software on their computer. Their computer is company property.. actually Government property. If something like this happened where I worked the IS Director would just disconnect them from the Internet. Nowhere in the Bill of Rights does it say we have the right to surf while on the job. There are a lot of people working at your local gas station that don't get to surf the web while on the clock and if some Judge decides he should have control over his company's (actually the Government's, therefore YOUR) computer systems, he should not be allowed to use them.