Slashdot Mirror


Slashback: Efficiency, Observation, WEP

Slashback brings you updates and additional notes on recent Slashdot stories. Tonight that means more on computers playing chess, on judges who don't like being monitored in the workplace (too bad!), and on the (less totally spectacular, still bad) cracking of 802-Errr, something.

Sargon Deep Fritz playing a person may be more cutting edge (and take a lot more processor power), but it seems like an awful lot of resources to spend on playing chess. Alex Bischoff writes: "From the February 1983 issue of "Your Computer", it's chess in 1 KB (for your brand-new ZX-81)."

But sir, even the judges are objecting! saulgood writes "the NY Times is carrying a further article here, about the revolt amongst some judges over their ability to look at Britney Spears and download Metallica mp3's at work... that's right - Power to the People Baby!!! No justice, No peace..."

Take that -- no, please, take that. Bob Lee writes:

"I authored the open source program Code Red Vigilante. This is an open effort to inform the public about the dangers of the Code Red worms and to specifically notify the owners of infected machines ... Vigilante is featured on Incidents.org, OnJava.com, TheServerSide.com, and it will be on the ScreenSavers on TechTV on next Monday.

Not to put too fine a point on it ... Jeffrey Fanelli of Sniffer Technologies writes: "Just to clarify on your story, that intern didn't crack 802.11x, but WEP in a 802.11b environment. 802.11x is a recently developed standard extension to Radius and 802.11 to allow for dynamic keys to be generated per user session. 802.11x uses the same WEP RC4 encryption, but makes it far more difficult to crack given the fact that all nodes associated with a particular Access Point will have a unique session based KEY (a key which, I might add, the user of the Mobile Unit in question cannot themselves identify).


  1. Code Red Vigilante and the Natural World by Atreides4 · · Score: 3, Interesting
    Computer viruses are becoming more and more like real viruses and other pathogens. Inside all of us, there are viruses and bacteria that our body tolerates, because they either are symbiotes or are clever and elusive enough to avoid total destruction. I think this is the model that computers are moving toward.

    Viruses are proliferating, and many of them are not as flagrantly destructive as Code Red or SirCam. For instance, there was a report on Jerry Pournelle's site (I can't find it now, sorry, and I also apologize for the inaccuracies of memory) about a virus that infected PCs and switched their Wordpad file that transmitted the IP address of the infected computer to hackers in Russia. I could easily have three or four viruses on my PC of this insidious type and never realize that they were there unless the Russian hackers made a move against my PC. Inside me now are a few types of virus that never gave me a fever or other symptom and probably never will unless AIDS or something else compromises my immune system. I think that computer viruses of this type are far more interesting and potentially dangerous. While I Love You, Code Red, and SirCam may be the Ebolas and Smallpoxes of the computer virus world, the more insidious types have the potential to be the Epstein-Barr or the HIV of computer viruses. Just as much of HIV's lethality and danger come from its insidiousness and lack of early symptoms, I think a virus that could truly damage the internet would be insidious and slow. Viruses that are destructive in crude and quick fashion like I Love You are quickly eradicated. To do real harm, a computer virus, like a real one, must have time to spread.

    In response to the computer virus threat, we've created an immune system for computers, in the form of anti-virus software and now maybe in the form of anti-virus worms. Speaking as someone who's had anti-virus software make their computer unbootable, a cancer of the virtual world is possible too. Let's say there's a new virus, the "I sorta like you" virus. So, some enterprising individual sets up a program to respond to an "I sorta like you" email with another worm that fixes the vulnerability. Now let's say this program gets widely distributed, so when poor User X's computer becomes infected everyone in his address book has the program. So, poor User X gets this worm from everyone in his address book. For many people, this may constitute an effective DOS attack, as it will overwhelm their mailboxes. It may very well also increase the strain on internet capacity by doubling the volume of bad email flowing. (Assuming it isn't widely distributed enough to stop the initial outbreak) There is also the potential for all kinds of mischief in "helpful" worms.

    In DDOS attacks, (such as the ones reported on GRC) we see another similarity to the natural world. We see one type of OS acting as a reservoir to attack computers running another OS. Masses of Windows machines are used to attack machines that I suspect probably run Linux or a UNIX variant. Almost like the mice that act as a reservoir of the Hanta virus that attacks humans. (The mass sending of packets also seems to resemble in many ways the mass multiplication used by "hot" viruses)

    So how do we prevent the kind of suffering that characterized the human experience with disease from being visited on the modern world virtually? We need vaccines in the virtual world, in the form of the companies that make OSes and email programs taking responsibility for making them more resistant to viruses. We also need health education of the virtual world, in the form of ways to inform newbies about the myriad security holes that exist in their Windows boxes. Finally, we need an antibiotics of the virtual world, in the form of better anti-virus programs and more rapid and efficient distribution of anti-virus patches. One day, we may make our PCs healthier than we are.

    --
    I posted and all I got was this stupid sig
  2. Re:If judges are restricted on a state-owned machi by larien · · Score: 3, Interesting
    Because they'd still be using their employer's network, at a cost to them.

    Basically, I have no problem with staff of any organisation at any level being disciplined for inappropriate use of computers, whether that be porn, MP3 or whatever. The firm puts the computers there so the employee can do their job, not so they can see tits and ass (and whatever else!).

    If an individual wants to look at porn or listen to MP3, do it at home on your own PC using your own network/modem.

  3. code red vigilante by perdida · · Score: 5, Informative

    See the Kuro5hin.org story on this issue..here

    Basically you are penetrating an already 0wned computer, but this still exposes you to liabilities. It's a precipitation of the libertarian or wild wild west version of the Internet. The thing to do is to get a respected authority, such as the FBI or the police, to notify the 0wned, hence saving yourself from accusations of propagating Code Red or being a cracker yourself.

    1. Re:code red vigilante by jeffy124 · · Score: 3, Informative
      it took me a moment to figure it out too, so don't feel bad ....

      what the program does is set up a listener on port 80 of your machine. When GET requests come in matching that of Code Red trying to spread, the program drops those requests, then connects back to that machine via its IP address and exploits the same hole Code Red does, but this time it causes a simple dialog box to suddenly appear on the infected desktop, telling the person who's currently sitting in front of the machine of the problem and what to do. He has screenshots of that dialog at the bottom of the page.

      the author of the program says he's already gotten an email from someone saying that he asked his ISP about Code Red, they told him he shouldn't be concerned because code red doesn't infect "home machines." go figure :/

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
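
The recognition step described in the comment above (spotting Code Red's GET request), as an added example that is not part of the original thread or of Code Red Vigilante: it only reads a web access log and lists the source addresses, and makes no connection back. The log lines are constructed, and the `/default.ida?` filler-run signature comes from public descriptions of the worm, not from this page.

```python
import re

# Constructed access-log lines (Apache common log format, documentation IPs).
# The filler run is shortened and the worm's payload is left out.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [08/Aug/2001:10:03:44 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [08/Aug/2001:10:09:15 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [08/Aug/2001:10:10:00 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [08/Aug/2001:10:11:30 -0400] "GET /default.ida?id=5 HTTP/1.0" 404 276
"""

# Public signature: a request for /default.ida whose query starts with a long
# run of one filler letter. N marks the original Code Red, X marks Code Red II.
PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /default\.ida\?(?P<fill>N{16,}|X{16,})'
)
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def find_probes(log_text):
    """Return {source_ip: {variant, hits, first_seen}} for Code Red probes."""
    sources = {}
    for line in log_text.splitlines():
        m = PROBE.match(line)
        if not m:
            continue  # normal traffic, or default.ida without the filler run
        entry = sources.setdefault(m["ip"], {
            "variant": VARIANT[m["fill"][0]],
            "hits": 0,
            "first_seen": m["ts"],
        })
        entry["hits"] += 1
    return sources


if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['variant']}, {info['hits']} probe(s), "
              f"first seen {info['first_seen']}")
```
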
    2. Re:code red vigilante by jeffy124 · · Score: 3, Insightful
      You are not penetrating the remote system...

      Correction: By using that software, you ARE penetrating the remote machine. The Java code takes the Code Red http attempt to spread and drops it, then fires back at the same hole Code Red exploits and causes the pop-up. The software is causing a pop up to appear on that machine, which can be viewed as a penetration from your machine into the remote machine. This can be viewed as illegal because you are knowingly making access to a computer system which you have not been authorized.

      I agree that negligent admins are to blame at this point. But that doesn't matter to the legal system (at least in the US).

      At least in theory, if company Z's SA gets such a pop-up and wants to sue the guy who ran Code Red Vigilante and caused the popup, the press could gobble up this as company Z failing to follow good security practices and result in a bad taste for Z's customers. So in reality, no lawsuit or other legal action may actually come out as a result.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  4. Pr0n me baby one more time! by Rudeboy777 · · Score: 5, Funny

    ...revolt amongst some judges over their ability to look at Britney Spears and download Metallica mp3's at work.

    I think we have a new champion for the dictionary definition of irony!

    --

    From hell's heart I fstab at /dev/hdc

  5. Clarification by Sheldon_Brown · · Score: 5, Insightful

    At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    While this is certainly what the esteemed newspaper reporter has printed, we must ask ourselves: is it true? That is, is the monitoring program they have installed so brilliant, so incredibly artificially intelligent, that it can distinguish these three things: "pornography, video, and music" from everything else the judges might be looking at? Or is it (as I might believe to be the case) that the program is far less intelligent than the reporter claims, that the program simply monitors what web pages are viewed, and reports & tracks this at a central authority. Perhaps the judges don't wish any central authority to know that they are reading www.2600.com? Or perhaps that they are posting to weblogs as "Anonymous Coward", writing tracts such as "IANAL", which we all know means "I am not a lawyer (i'm a judge)" but which might be construed as pornography (I ANAL).

    I think we must petition the reporter to check his facts at once.

    --
    "A coward is incapable of causing destruction; it is the prerogative of the brave" - Mahatma Gandhi
    1. Re:Clarification by rgmoore · · Score: 5, Informative

      I don't think that this is an issue of bad research as much as it is one of bad writing. It seems pretty clear from some of the other comments that the author does understand that it's necessary to monitor everything in order to see if the people in question are surfing for pr0n, etc. Take for instance the quote:

      "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book," Judge Kozinski said. "I don't think its appropriate for us to be forcing employees to give up rights wholesale without showing any need. If we did this with telephones, people would be outraged."

      The problem is one of bad writing. The author doesn't make it explicit that the judges are worried that everything they do is being monitored.

      One issue that's potentially pretty scary about this is that judges need confidentiality. They are sometimes required to seal documents, rule on the admissibility of trade secrets, and generally deal with things that are supposed to be given strictly limited circulation. Putting monitors on their computers so that people back in Washington can see what they're doing has the potential to undermine the confidentiality of their work, and the implications of that are very serious indeed.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  6. Ignorance amongst the Judiciary by Jailbrekr · · Score: 5, Insightful

    The vote stems from a conflict that has been simmering since this spring. At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    So I guess the judges are forbidden to actually see the capabilities of the internet, but merely listen to half baked descriptions and accusations from the various special interest groups?

    My Grandmother had a saying "Believe none of what you hear, half of what you read, and all of what you see". This filtering bullshit will SERIOUSLY impede the judges' ability to make an INFORMED decision.

    --
    Feed the need: Digitaladdiction.net
  7. Good, now they can see what it's like to be normal by codewolf · · Score: 3, Insightful

    "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book," And all along I had assumed that when at work, the computer I was working on was my employer's property, and they could monitor it. Maybe all laws should be tested on the legislators (and judicial branch that upholds such laws) so they can feel the effects. Heh, maybe it would even lead to police and the US President following some of the laws that the rest of us have to live under.

    --
    http://www.codewolf.com - Just good stuff to waste time
  8. How to save WEP. A modest proposal... by partridge · · Score: 3, Funny

    I've figured out how to save WEP. All we have to do is stop those damned scientists from posting their findings. So all we have to do is compose a little tune, encrypt it with WEP, and then sue them to prevent them from presenting their findings under the premise that it is an illegal code-breaking program designed to deprive us of our rights under the DMCA.

  9. 802.1x, not 802.11x by Adam+J.+Richter · · Score: 3, Informative

    The security standard in question is 802.1x, not 802.11x, because it is theoretically not specific to wireless, although the distribution of per-session WEP keys is. You could, for example, use 802.1x to authenticate conference attendees to use ethernet ports in conference rooms.

  10. Judges should use the internet Unrestricted by droyad · · Score: 3, Interesting

    Sometimes Judges have to use the internet for reasons that are proper, but could be construed as "bad"

    The judge in the napster case would have to use napster and download music to make an informed decision.

    The judge in Flint Vs US had to look at pornos

    and the judge in State Vs Micro$oft had to use IE.

    Judges should be trusted to make their own decisions about what they look up. If they are afraid of accessing material to make an informed choice, because of possible bad publicity, that is BAD

  11. If judges are restricted on a state-owned machine, by Decimal+Dave · · Score: 3, Insightful

    ...then why don't they just buy their own box to use in the office?

    --

    "Leave the strategizing to those of us with planet-sized brains." -Tycho