Slashback: Subterfuge, Rejoinder, Caution
Good things come in hidden pictures. Intrepid strongman Dug Song writes, in reaction to the "fairly thin" piece earlier today on Steganographic analysis:
"The only cutting edge, practical work being done today in steganalysis and steganography is by Niels Provos, who gave a talk at HAL2001, and is also presenting at the USENIX security symposium tomorrow: He's been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess), crawl (which he's used to download 2 million JPEGs from eBay to analyze), discern (his distributed computing platform), etc."
Hushing up is not such a good answer sometimes ... Reader Brian McWilliams <brian@pc-radio.com> notes regarding the thread on Slashdot about the costs of full disclosure, "you might want to add an update linking to this story Newsbytes did a couple days ago about the Richard Smith posting. Contains responses from eEye & full disclosure advocates, as well as some more ammo from Smith."
Smith doesn't take kindly to being blamed for damages caused by security holes he publicly aired.
So you want to patent "bacon and eggs"? I guess that's OK then. You recently read about the McAfee patent on a seemingly overbroad stretch of computing transactions. Well, it's raised quite a few eyebrows among people interested in a fair computing marketplace. geoa points to this article in which "Neil McAllister in The Gate takes too long to say we shouldn't let another monopoly in the playpen."
It was soooo old ... For everyone enjoying the recent upswing in retro computing interest, Silicon Avatar writes with another tidbit: "Although not necessarily new news, I found a link today when someone mentioned Roland MT-32 to me. Starting with Space Quest IV, Sierra games were written to use either the Adlib soundcard or the Roland MT-32 'soundcard.' Quest Studios seems to have a repository of MANY of those songs, including the 'lounge tape' I once had but lost!"
Put that in your souped-up underclocked emulator and smoke it.
Actually, if you're really into the music from the Nintendo, Super Nintendo and other old console games, you really should check out Zophar's Domain.
You can download music rips from the actual games and download special players (many come in the form of a Winamp or even an XMMS plug-in :)
Join the TWIT army now!
Wouldn't their estimate also include (a) average hourly rate of administrators fixing the problem multiplied by average number of hours required to correct the problem, (b) productivity loss due to downtime of systems? We rely on our NT server at work pretty heavily (SourceSafe etc.); when it goes down half of our programmers either can't work, or can work but in an impaired way that wastes quite a lot of time. And programmers aren't that cheap :) If you have twenty people getting paid $20/hour, and they all can't work for two hours, that's $800 lost, not to mention that you're probably ending up further behind on a project that was already running late anyway. Another factor is that when the server is down, people often find it a convenient excuse to take a break. Yet another thing is that for many companies, it usually takes something like CR to get the management to realise that they *need* to spend money on things like antivirus software, and you need to have someone keeping the server patched etc. Management often think they're saving money here and there, until something like this happens. So some companies may end up hiring an administrator. And often, not only will an antivirus be installed on the server, but on everyone's systems (hmm .. this is pretty much what happened at our company a few weeks back with SirCam). Installing on everyone's systems takes yet more time and money and productivity loss. And of course, you need meetings - you have to have one of those meetings where everyone is present, where everyone has explained to them (by managers who now think that all email attachments should be banned, because they don't understand the technology) the dangers of using email attachments, or running unmanaged web servers, how to keep their antivirus software up to date etc. Many companies are also probably going to go purchase firewall software now too, after CR. Heck, I wouldn't be at all surprised if the cost did approach $2600.
I mean, if a large company with 500 desktops suddenly decides to install antivirus software on all 500 desktops just because their server was hit with CR, that's expensive. Professional firewall software can be very expensive too, as well as the training and time required by the administrator(s) to set up and install all the stuff.
I got plenty of "Code Red" attempts in my web log from the speakeasy.net domain. Maybe they should've blocked port 80!
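The web-log Code Red hits mentioned above are easy to pull out mechanically, because every probe from an infected host requests /default.ida with a long run of padding characters. The following is an added example, not code from the original page or from any of the commenters, that scans constructed Apache-style log lines for that request pattern and tallies probing source addresses by variant; the padding-letter distinction (N for Code Red v1/v2, X for Code Red II) follows the published analyses of the worm, and the log lines and IPs are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of common-log-format lines (not real traffic).
# Code Red probes request /default.ida followed by a long run of 'N'
# (Code Red v1/v2) or 'X' (Code Red II) and %u-encoded bytes; two
# benign requests are mixed in so the filter has something to skip.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:12:01 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [04/Aug/2001:10:12:05 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 312
198.51.100.7 - - [04/Aug/2001:10:15:22 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 312
203.0.113.42 - - [04/Aug/2001:11:01:09 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 312
192.0.2.10 - - [04/Aug/2001:11:02:00 -0400] "GET /images/logo.gif HTTP/1.0" 200 2211
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# The ISAPI .ida probe: the path plus at least eight padding letters.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<pad>N{8,}|X{8,})', re.IGNORECASE)


def classify(line):
    """Return (variant, source_ip) for a Code Red probe line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = CODE_RED_RE.match(m.group('path'))
    if not hit:
        return None
    variant = 'CRII' if hit.group('pad')[0].upper() == 'X' else 'CRv1/v2'
    return variant, m.group('ip')


def summarize(log_text):
    """Count probes per (variant, source IP); each IP is an infected host."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == '__main__':
    for (variant, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{variant:8} {ip:16} {n} probe(s)')
```

Each source address the script reports is a host that is itself infected, so the list is what you would hand to the owning network's abuse contact rather than evidence of anything wrong with your own server.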
Here is a quick sound timeline:
1987 AD-LIB soundcard released. Not widely supported until a software company, Taito, released several games fully supporting AD-LIB - the word then spread how much the special sound effects and music enhanced the games. Adlib, a Canadian company, had a virtual monopoly until 1989 when the SoundBlaster card was released.
1989 Release of the Sound Blaster card by Creative Labs; its success was ensured by maintaining compatibility with the widely supported AD-LIB soundcard of 1987.
1989 World Wide Web invented by Tim Berners-Lee
1990 MPC (Multimedia PC) Level 1 specification published by a council of companies including Microsoft and Creative Labs. This specified the minimum standards for a Multimedia IBM PC. The MPC Level 1 specification originally required an 80286/12 MHz PC, but this was later increased to an 80386SX/16 MHz computer as an 80286 was realised to be inadequate. It also required a CD-ROM drive capable of 150 KB/sec (single speed) and also of Audio CD output. Companies can, after paying a fee, use the MPC logo on their products.
1991 Linux is born
1992 Introduction of Windows 3.1
1992 Wolfenstein 3D released by Id Software Inc.
1992 Sound Blaster 16 ASP Introduced.
1993 MPC Level 2 specification introduced. This was designed to allow playback of a 15 fps video in a window 320x240 pixels. The key difference is the requirement of a CD-ROM drive capable of 300 KB/sec (double speed). Also with Level 2 is the requirement for products to be tested by the MPC council, making MPC Level 2 compatibility a stamp of certification.
1994 Doom II released - Command & Conquer released - Netscape 1.0 released - Linux kernel version 1.0 released
- - -
White House Selected Vegetables Coffee Mug
"It is a greater offense to steal men's labor, than their clothes"
(Joke, joke, thank you Mr. Modstick)
I wonder how far into the ground they will bash Napster before giving up; perhaps they just don't want to have to admit that there are hundreds of other P2P networks out there, and that they cannot stop them all...
Security through promiscuity is no better than security through obscurity.
Does this mean... that if I don't go there with an internet browser, I "worked around" the patent? Let's take Microsoft and their .NET software... If I'm not totally wrong here, the idea there is to provide these types of services. You run programs off the servers, and maybe pay per use. So, Microsoft just integrates a .NET browser (instead of an internet browser), a client software that can search the MS.NET for .NET applications out there.
Or the open-source approach? Use a peer2peer-style software. You start GnAppliTella, enter a search for "word processor", and voila, you have a bunch of servers providing you with an online word processor. And.. since the patent seems to require some password authentication, what if you provide these online software services for free?
What I'm trying to point out is that this patent is only useful if you use an "internet browser". I don't really think the online future lies within the restrictions of a web browser of today's style. They are big, sometimes filled with advertisements, they crash, they have security flaws, etc etc etc. Perhaps this patent seems like a big deal right now, but my guess is that tomorrow will tell different.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotle
What part of "infected server" don't you understand?
You've got a server with an open, exploitable remote hole, and evidence that it's been advertising itself to the net as "exploitable server here!" in thousands of web logs.
If you just patch that server and go on with life, you're an idiot. You need to either do a full audit to make sure it's clean, or (far cheaper) rebuild the damn thing from a wiped HD. You don't know what somebody else has done on it.
This is especially true if it's Code Red II.