Hacking Web Services
siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."
im no 1 :p
Security In Web Services: An Evolving Threat Model 2002-05-20
Shannon Cochran
Udi Manber, chief scientist at Yahoo!, apprised security researchers at the IEEE's Symposium on Security and Privacy about attacks likely to become commonplace in the emerging era of large-scale, distributed web services. "The kind of attacks that we're seeing are not a traditional security attack," he warned. The threat to web services is not about something like root access; it's more about repeated violations and exploitations of the service -- small cheats and hacks that are individually insignificant, but a huge problem in the aggregate. Spam is an example of this kind of hack. A web-based e-mail service does not suffer if one of its accounts is used for mass-mailing. When tens of thousands of accounts are abused in this way, the service can be brought to its knees. Manber calls this the "penny jar" effect, likening it to a thief who comes to a cash register and empties the penny dish every five minutes. The pennies are meant to be given away, and each instance of the loss is trivial; but if the theft continues unchecked, the service will be destroyed.
And money is far from the only target of attack. Buyer and seller ratings in auction sites are often forged, and so are rankings on game sites. "If you have any kind of rating, people go to all kinds of trouble to get that rating in an illegitimate way," Manber reported.
The more services are offered, the more vulnerable the provider becomes. "Someone can steal some money over here, go to Shopping and buy something, then go to Auction and sell it," said Manber. "This really happened."
Internationalization is a further weakness, because patches must be distributed over multiple systems around the world. Even one overlooked server leaves the provider vulnerable; but in a world of web services, the integrity of the network isn't nearly as valuable as the time and effort that skilled employees spend combating abuse. "I'm not even worried sometimes about the machines I buy," Manber clarified. "I'm worried about the time...There are more of them [attackers] than there are of me. They have a lot more time."
Interactivity poses a new set of risks. "Whenever we get content from users, it's a problem," said Manber. Advertisers will attempt to sneak their content into forums like the Personals, or go to the trouble of creating an informative site, only to change the content to advertising after the site is accepted into Yahoo's directory. Or they may add Yahoo redirects to their own sites in order to gain an appearance of legitimacy.
Services can also be stolen and resold. Yahoo found that the finance sites were plagued by screen scrapers running every few seconds to grab real-time stock quotes. Manber says that traffic on the finance sites dropped by 80% after the screen-scrapers were blocked. "You provide a premium service, people will sign up for it maybe once, put a proxy server up, steal the information, and bang! Now they provide the service."
Some of the exploits are darkly ingenious. During hotly contested auctions, some users will mount password attacks on other bidders' accounts an hour before the end of the auction -- not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids. Once Yahoo had to deal with a virus spread through a file download, with the twist that the virus would only become destructive if the file was removed from Yahoo's servers. And on the social engineering front, there's the list of instructions for "hacking a Yahoo account" that direct would-be hax0rs to send the e-mail address of the account they'd like to access, along with a gobbledegook string of code and their own account name and password, to a plausible-sounding address like passbot_return@yahoo.com.
"I've seen Ph.D. level cleverness," Manber admitted. In response, Yahoo has developed some sneaky countermeasures of its own. But although Manber provided examples of his algorithms, he asked attendees of the conference not to publicize them. The conflict between secrecy and openness is one that, as a former academic researcher, Manber feels keenly. On the one hand, he is fully aware that real progress in security comes through full disclosure and open, shared research. On the other hand, he knows that his company will suffer real and immediate damage if hackers learn the details of his methods.
"The kind of countermeasures that we're doing are pretty weak. If you compare it to cryptography we're a hundred years behind," he said. "Feedback is always a major issue for us. I always think about 'Should I do this? Will I tell them what I'm doing?...I'd rather see what they're doing. The way you win an arms race is not by building bigger and bigger weapons. Sometimes the best move is not to play the game.'"
One amusing example Manber gave is in the field of rate limiting -- Yahoo's attempt to throttle the rate at which users can sign up for new accounts. Although successful techniques to weed out bots have been developed -- like asking users to retype a random word displayed in an image designed to be impossible for OCR to process -- Manber has found that people are still registering for massive numbers of accounts. "As far as I can tell, they're just doing it by hand. They're sitting there all day doing it by hand," he said. So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
Number one on the list of open problems in web services security is the difficulty of differentiating users from bots. Though he called it "imperfect," he acknowledged that one solution would be to require an ID number or a credit card number. If anonymity disappeared from the web, "a lot of the problems would go away," he said. But even more than authentication, Manber wants reverse authentication: "I want a protocol that proves that someone is not a particular person."
He also wants obfuscated HTML, which is particularly ironic since, in his days in academia, Manber wrote one of the first screen-scrapers. He wants the ability to detect passive vulnerabilities in a system. And he wants better ways to fight back. "I have huge pipes," he laughed. "It's very easy for me to go after them. Unfortunately, it's not legal."
But he dismissed legal solutions altogether, saying that measures like anti-spam legislation are completely ineffective. "This has to be solved technically, not legally," he warned. "If we can't solve these problems, we'll see less and less services."
-- Adam
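The "penny jar" pattern the article describes (actions that are harmless per account and only become abuse in aggregate) can be turned into a detection rule: keep the usual per-account counter, but also count across every account that shares a registration source. The following is an added illustration, not Yahoo's code or anything from the article; the event fields, the thresholds, the one-hour window and the sample events are all constructed here.

```python
"""Penny-jar detection: flag abuse that stays under every per-account limit
but is obvious once accounts sharing a source are summed together.
Constructed example; field names, limits and sample data are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed values)
    account: str     # account performing the action (e.g. sending mail)
    source: str      # shared attribute: the network the account was registered from
    recipients: int  # how many recipients this one message reached


WINDOW = 3600           # sliding window of one hour
PER_ACCOUNT_LIMIT = 50  # recipients one account may reach per window
PER_SOURCE_LIMIT = 500  # recipients all accounts behind one source may reach per window


class PennyJarDetector:
    def __init__(self, window=WINDOW, per_account=PER_ACCOUNT_LIMIT,
                 per_source=PER_SOURCE_LIMIT):
        self.window = window
        self.per_account = per_account
        self.per_source = per_source
        self._acct = defaultdict(deque)  # account -> deque of (ts, recipients)
        self._src = defaultdict(deque)   # source  -> deque of (ts, recipients)

    @staticmethod
    def _windowed_total(q, now, window):
        """Drop entries older than the window and return the remaining sum."""
        while q and q[0][0] <= now - window:
            q.popleft()
        return sum(n for _, n in q)

    def observe(self, ev):
        """Record one event and return the alerts it triggers (possibly none).

        Each alert is a tuple (level, key, total) where level is "account"
        or "source". The source-level check is what catches the penny jar:
        forty accounts each under the per-account limit still add up."""
        alerts = []
        aq = self._acct[ev.account]
        sq = self._src[ev.source]
        aq.append((ev.ts, ev.recipients))
        sq.append((ev.ts, ev.recipients))
        acct_total = self._windowed_total(aq, ev.ts, self.window)
        src_total = self._windowed_total(sq, ev.ts, self.window)
        if acct_total > self.per_account:
            alerts.append(("account", ev.account, acct_total))
        if src_total > self.per_source:
            alerts.append(("source", ev.source, src_total))
        return alerts


def constructed_sample():
    """Constructed events: a 40-account farm registered from one /24, each
    account sending a modest 20 recipients, plus one ordinary heavy user."""
    events = []
    for i in range(40):
        events.append(Event(ts=1000 + i * 30, account=f"farm{i:02d}",
                            source="198.51.100.0/24", recipients=20))
    # A single legitimate user who simply mails a large group once.
    events.append(Event(ts=1500, account="alice",
                        source="203.0.113.0/24", recipients=60))
    return events


def detect(events):
    """Replay events in time order and collect every alert raised."""
    det = PennyJarDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(det.observe(ev))
    return alerts


if __name__ == "__main__":
    for level, key, total in detect(constructed_sample()):
        print(f"{level:7s} {key:18s} {total:4d} recipients in window")
```

The farm never trips the per-account rule, which is exactly the "penny jar" point; only the source-level sum exposes it, while the single heavy user is caught by the ordinary per-account rule.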
turd. third. ahahahahaaaaa!!!!!1111
I don't know about you, but this is pretty cool.
check out this hack site http://hotmailhacks.tk
I hacked MS Hearts, and it yelled at you after every move, and if you lost, it would throw up offensive images, and continue making fun of you, it was damn funny! muahahahha
all part of my master plan though
--JonnyBlog
^one of the ways to say "I'm a flaming cocksmocker!!!" to thousands across the world.
If Dr Dobbs was slashdotted, it might be understandable. As it is, you're just being an asshole.
Best Slashdot Co
1) he talked about countermeasures instituted against hackers, but doesn't want them openly published (security through obscurity, anyone?)
2) In an effort to thwart mass account creation, they're thinking of instituting arithmetic questions to "be able to get the abusers to perform distributed computing tasks for him." Except that this affects users as well... shady and they'll be approximating the power of an XT to boot.
3) "He also wants obfuscated HTML, which is particularly ironic since, in his days in academia, Manber wrote one of the first screen-scrapers. He wants the ability to detect passive vulnerabilities in a system. And he wants better ways to fight back. 'I have huge pipes,' he laughed. 'It's very easy for me to go after them. Unfortunately, it's not legal.'" Good luck Balkanizing the web, champ.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
2 1/2 pounds rattle snake, dead
1 cup buttermilk
1 cup cornmeal
1 cup flour
1 tablespoon salt
1 tablespoon chile powder
1 tablespoon garlic powder
1 tablespoon paprika
1 teaspoon cayenne pepper
1 teaspoon ground cumin
1 cup vegetable oil
Cactus-Corn Succotash, recipe follows
Using a sharp boning knife remove the meat from the snake by cutting down the back, just slightly to 1 side of the spine from the head to the rattle. Using the tip of the knife peel the meat from the "rib cage". Once you have removed the 2 long strips of meat, lightly pound them with the back of the knife to tenderize them. Cut the strips of meat into 1-inch pieces and place in a bowl with the buttermilk. Mix to coat well. In a large bowl combine the cornmeal with the flour and the spices. Heat the oil in a large skillet on medium high heat. Dredge the snake pieces in the flour mixture and fry for 2 minutes or until golden brown and then transfer to a paper towel lined plate. Repeat until all the snake pieces are cooked. Serve with Cactus-Corn Succotash.
Cactus-corn succotash:
2 tablespoons olive oil
1 cactus pad, thorns scraped off, cut into small dice
2 ears corn, shucked
1 red onion, peeled, sliced in rings, grilled with olive oil and chopped in small dice
1 bunch scallions, grilled and chopped
1 chayote squash, sliced 1/4-inch thick, grilled with olive oil and chopped in small dice
1 tablespoon minced garlic
2 tablespoons minced jalapeño
1/2 cup diced red bell pepper
4 tablespoons butter
1 cup chicken stock
1 cup diced, peeled and seeded tomatoes
1/2 cup chopped cilantro
Salt and pepper
Grilling the vegetables first gives another great layer of flavor, however, it is not absolutely necessary. Just omit that step and cook the vegetable right in the pan. In a skillet on high heat saute the vegetables except the tomatoes in the olive oil for 2 minutes. Add the stock and butter and cook until mixture reduces by half. Add tomatoes and seasoning and serve with the warm snake nuggets on top.
Yield: 4 servings
This is an important warning to all slashdotters. CmdrTaco has been luring people (mainly underage males) into the slashdot compound to eat his "special taco".
You may be wondering what CmdrTaco's "special taco" is. You will be wishing that you hadn't been wondering after you finish reading his post. To make his "special taco", CmdrTaco takes a taco shell and shits on it. He then adds lettuce, takes out his tiny withered dick (otherwise known as his "Commander"), puts his "special taco sauce" on it which means he jacks off on the taco, and adds a compound to make the person who eats the taco unconscious. Of course, the compound does not make the person unconscious until the taco is fully eaten. Thus CmdrTaco force feeds the taco to the unsuspecting victim. After all, who would knowingly eat shit and CmdrTaco's jizz.
After the victim is unconscious, he is held against his will and used for CmdrTaco's nefarious homosexual purposes. This includes shoving taco shells up the victim's ass, taco snotting, and getting JonKatz involved. Trust me, you do not want JonKatz anywhere near your unconscious body. Also, rumor has it CmdrTaco is looking for a new goatse.cx guy. Don't let it be you!!!!!
The last thing you may be wondering is how this goes along with "taco snotting", or what "taco snotting" is. George WIPO Bush and The WIPO Troll have been doing considerable work explaining what "taco snotting" is. Please see his FAQ on "taco snotting" which can be found as a -1 rated comment on most slashdot stories.
Please, if CmdrTaco offers you his "special taco", RUN LIKE HELL!!!!!!!!
I know that someone has been hacking google for the past few years about once a week. Always changing the google logo(jk). I guess google is just powerless to protect themselves
from the article: "If you have any kind of rating, people go to all kinds of trouble to get that rating in an illegitimate way,"
hmm. sounds like they're describing karma whores
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Why on earth does this guy call "violating security" of web services "hacking?" I read this article expecting to hear about some nuanced application hacks for XSLT or SOAP or general "Web Services" not a security "lookout!" article. This should be filed in the "no shit" department. If you leave a service open which can be connected to, be it a socket or a web form, somebody will start passing data to it to see what works and doesn't work.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
at least according to the yahoo guy.
my personal site (which is) grabs headlines and quotes from yahoo for my personal use using a perl script. solution? simple.
yahoo (like the record companies) should provide a resource for me to get this text cheaply (and quickly), and i'll pay them for it. the demand is there. basic economics dictates that people provide a supply.
now, i understand they are talking about thieves, on the whole, but it seems easy enough to track massive hits from another server and then to block it. i mean, it's 2002. let's fix these problems.
go get it
Go bash some gays or niggers instead, you bigots.
The IEEE Symposium on Security and Privacy is one of the longest-running forums on this topic and is well worth being aware of. The papers for the 2002 session are on CD-ROM; so is a compilation of those from 1980-1999...
Taco's getting married. Thus, by definition, he's not some fucking fecal freak faggot.
* TROLL HIGH COMMAND *
* SPECIAL OPERATION 4A72FGSE - Q7 *
* CONFIDENTIAL * FOR YOUR EYES ONLY * CONFIDENTIAL *
Special mission: saving private Goatse
Soldier, your mission is to penetrate the enemy lines
and rescue the private X.C. Goatse.
His brothers Penisbirdman, WIPO Troll, Hot Grits and his
naked and petrified sister Natalie Portman have
already been killed in this war against censorship and
bigotry at the slashdot frontpage theater.
We want to save his troll family from another tragic loss
and therefore remove him from the war and return him to
his home.
You have to find this private. He is member of the 2nd
troll parachuters who were dropped behind the enemy lines
to open a 2nd front and support our main attack at the first
post. His exact location is unfortunately unknown.
The objective of his team was to infest a BSD post and hold
the thread with *BSD is dying posts until our main forces arrive.
However, due to heavy moderation his team couldn't jump into the right
thread so we have only a very vague idea of his whereabouts.
After our primary attack at the first post, you have to penetrate
the enemy lines and search for this private.
This mission is very dangerous - we expect much bitchslapping
at the first post and zealot pro-linux moderation in the back.
Best luck soldier.
If you die in action, you'll be honored posthumously by a PWP crapflood.
General Borgus Trollus Trolligulus
Troll High Command
Special Operations
Hack = a clever solution or temporary fix
No spam, viruses, exploits, or anything. It's nice to hear about the stuff going on in the background to make it this way. I will happily continue to use Yahoo, while all the unwashed masses continue to use hotmail. They can be the front line of unfortunates, and save me from the script kiddies. (That and my Mac :)
How should they then go about dealing with those who abuse the system?
It's easy to raise complaints (though I'm not sure I agree with you on 1 & 2). Unless we can come up with better solutions, we will have to live with the solutions you complain about...
What do you know I wrote a novel
I just got here... what's goin' on?
reality timed out @ 11:11
I've always had an extreme hate for Yahoo, Hotmail, AOL, etc in regards to the amount of spam I get from them, but now that I've read that article, and see prolly 1/10th of what they have to deal with... I don't blame them that much anymore.
Can all fish swim?
Interestingly enough, by copy-and-pasting the whole text of this story from Dr. Dobbs to Slashdot, you have unwittingly done one of the more common "hacks" that Udi Manber describes as being dangerous. Information stealing is easy to do, and sometimes doesn't even feel like it's a crime.
Congratulations for illustrating his points so directly.
--Mid
You said that you were doing it for personal use. His problem is with people who do it, and then re-sell it, or give it away, to the world.
Best Slashdot Co
He seems a little....I dunno, weird... Whassup wit dat?
reality timed out @ 11:11
> If you have any kind of rating, people go to all kinds of trouble to
;)
> get that rating in an illegitimate way,"
What?! Are people really without any morals!?! I would never, ever, and never have for example posted an article without real content just to gain a few karma points. Never!
you, my Cowardly Anonymous friend, are either very naive or very dishonest.....
It's kinda cute actually : )
reality timed out @ 11:11
Siskel: Jesus Kee-rist! This troll not only sucks, it sucks COCK!
Ebert: Thumbs Dizzzzzown! Pass me that blunt, Gene.
Yahoo's problems are massive, and I think it's good that at least SOME people at Yahoo realize it, even though I'm still not convinced they are aware of the full scale of the problem.
After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.
One method involves running a program easily downloaded off of the internet and typing in the desired victim's name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.
These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.
The other method, plain old boot-text, is simply unacceptable.
If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.
It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurrences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is, that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.
Think about it.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
I find this comment a little bit insulting as it implies a "higher than thou" intelligence or cleverness about those holding or pursuing a Ph.D. I'd love to see some stats on the intelligence and/or problem solving ability of Ph.D.s, and intuition tells me that it will fall within the norm of intelligence workers, with at best a slightly higher dedication.
Check out Taco's +1 Informative Site!
reality timed out @ 11:11
try browsing @ -1...
Netcraft confirms: *BSD is dying
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant demise of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is continuing its slow downward spiral into darkness.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead FACT: Yahoo! is dying!
Conformity is the jailer of freedom and enemy of growth. -JFK
"Oh! somebody stole your credit card number from our database...Sorry...we've been trying to fix that. In the meantime, here's a coupon for a free CD."
The only way to secure a transaction/service is to use physical ID/presense. So go shopping at the mall, and share ideas online. Simple solution to a complex problem.
"Make it by hand, break it by hand"
HTH !
reality timed out @ 11:11
by wiredog on Monday May 20, @03:04PM (#3552639)
You know it's a blatant copyright violation. You trying to get slashdot shut down?
people are still registering for massive numbers of accounts. "As far as I can tell, they're just doing it by hand. They're sitting there all day doing it by hand," he said. So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
HAH! That is really clever. Of course there isn't much computing power there, and if Yahoo! did harness it they would resell it and/or generally become sleazy about it, but at first blush, that's pretty funny. He should patent it (ha ha).
I HERD YUO COUD HAXOR ADN CHAT ON TEH INTARWEB? Apparently having to scroll down to read this is less lame than just the above line of caps text.
Karma: Good (despite my invention of the Karma: sig)
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
I am unsure if here he is saying that anti-spam legislation will be ineffective, or if the "right to spam" should not be outlawed by lawmakers. I would imagine the former is what he meant, since obviously, having the U.S. outlaw spam will do nothing to stop spammers in other countries, and probably do little to stop spammers here in the states either....
Solving the spam problem technically seems to be impossible though. People have been trying to do that forever. I find it very poignant that in the same passage he says that spam could kill off services if it continues to be unstoppable.
---------------rhad
Slashdot needs to interview Natalie Portman.
What is this idiot babbling about? Why should I care?
Yahoo!'s problems are no different from those brick-and-mortar retailers have with loss leaders and promotions: if you give something away at a loss, there is a good chance that others will find it profitable to get lots of it and resell it. It's not a security problem, it's a problem with the business model. Welcome to the real world.
Yahoo! may want to continue to bask in the glory of having many millions of users, but if they want to stop these problems, all they have to do is charge for all of their services. The choice is really theirs.
Don't get me wrong: I like Yahoo! services and I think it would be great if they continue to be free. But I really worry when Manber uses terms like "theft" and "security" for a problem that has very little to do with "theft" and "security". Fortunately, Manber himself isn't calling for a legal solution, but management and lawmakers may be less understanding of the issues involved.
During hotly contested auctions, some users will mount password attacks on other bidder's accounts an hour before the end of the auction -- not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids.
I realize how ridiculously easy it is to get a new IP address on a dialup system or in a facility where someone has access to many addresses, but wouldn't a simple IP block after so many attempts help discourage the casual DoS but still allow the legitimate user access when they come to make their last minute bid?
If not this, then what about using a login name which is different than the displayed account name? This way the login name is not available to people viewing a particular account's public details for their use in a DoS. I know this is an added step of complication but may be necessary to eliminate bad side effects.
I have decided to let my yahoo mailbox fill with the spam that they allow. I figure that if they have to pay for the space, storage, and backup of spam for all these accounts, they will eventually figure out that they need to do something.
I only use the account for testing mail from the *outside* world. If they shutoff that account, I will get one from somewhere else. God, I may even break down and open an account on Hotmail...
Quick, help, I may be slipping into the clutches of the M$ beast....
And now for something completely different...
What OS do you want to abuse today?
Dude, you slashdotted yourself! :-)
In 1998, we had started a company with the sole purpose of proving who is and who is not a robot online. We developed a range of techniques for detecting bots and stopping spammers -- images, rate limits, statistical techniques, etc.
The two most important techniques were what we called the "Visual Turing Test" and a reapplication of a cypherpunk scheme called HashCash.
The Visual Turing Test is widely used today; it's the image generated with a code that you have to type in. Our technique started with that, but went much further to defeat OCRs by including AI-level questions, such as displaying an image with a dog, a cat, and a horse, with instructions in the image that say "click on the one that is not a household pet."
Back then, we ran a free webmail service for people, without ads, using these techniques to stop email spam.
We were a very poor startup, working over a year with no pay. We went to Yahoo and had a meeting with their engineers and biz-dev people, under a *nondisclosure agreement*; we demoed all this anti-spam, anti-fraud technology. We were looking to sell them the scalable image generation server software we wrote, statistical analysis software, and our services, and potentially our patent on these techniques.
Yahoo basically said "not interested" after several meetings, and one yahoo engineer basically said "We could implement this all myself, why do we need you?" We never heard from yahoo again, didn't get any more meetings. But magically, about a year later, we noticed yahoo using our techniques.
Our company was eventually bought by one of those "pay to watch ads" companies, because they had massive fraud of people installing fake clients, and signing up for hundreds of accounts. Unlike Yahoo's fraud problem, these companies were paying out tens of millions of dollars in cash to people who were signing up bogus accounts.
But it still doesn't take away from the fact that Yahoo is a dishonest shark. If it wasn't for the fact that I am morally opposed to using software patents against people (only had one to make our biz plan look good for investors), I would have sued them.
Word to the wise. Don't present your ideas to yahoo as a small startup and expect they will abide by an NDA.
Even if you didn't enjoy his work, there's no denying his contributions to evolutionary biology. Truly an American icon.
So it would be a great boon to web services if there were a way to somehow confirm that a person hasn't already signed up for a service. It'd allow many boards to weed out their troll population while maintaining an open sign-up. On one forum I was on, the problem was so bad that registration was completely closed then later moved to a pay-only model.
The problem is that I can't see any way to do it without compromising the identities of the people. For example, I don't see a problem with Slashdot knowing that 'Erasmus Darwin' is my only Slashdot account, but I don't want to create a system where they could theoretically share records with another entity and use that to determine my identity there. Perhaps the identity token I provide to Slashdot could be some sort of one-way hash of my identity combined with '@slashdot.org', thereby limiting it to a single area.
One downside of this system is that a government-type institution with a search warrant could use my secret identity information to reproduce my Slashdot token and verify my identity. I don't see any way to prevent the identification from somehow serving to find-out who I am. Still, that theoretically pushes the identification process off to a similar level of difficulty to tracing the user's IP (i.e. Slashdot couldn't do it on its own). Thus, if we pretend that no one uses anonymizing web proxies, it's the same level of anonymity.
Also, there'd be a problem of issuing the secret identity keys. Presumably, this would be handled by the companies that already do encryption/security certificates. That means there'd be a cost associated with such keys, which would turn away a number of people. If only a small percentage of people fork over the $XX/year for a personal identity certificate, most sites won't be able to require their use for signup. Furthermore, it'd be difficult for the issuing agency to verify the uniqueness of each request, especially when we consider that this would have an international audience. I also wouldn't be surprised if some of the countries that have whored out their ccTLDs decided to also start selling their equivalent of SSNs to people interested in extra identities.
Finally, there'd be the issue of identity theft. Having a single, computer-based identity key would be a very tempting target for various malicious programs. If I were an evil spammer type and such an identity system were in place, I'd definitely try and steal as many identities as possible for sign up use.
I think it's pretty silly to imagine that the solution to spam will be through technology. It would be very hard to differentiate spam and legitimate mailing lists.
And of course a legal solution can work...to the extent that other laws work and are enforceable. Many forms of mail fraud are illegal, but that doesn't mean you won't get mail scams and such sent to you. However it severely reduces the amount that you receive and also determines a path for you or the government to prosecute offenders.
Who did you get that bullshit .sig from, Noam Chomski?
...obviously. ;-)
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
One more crippling bombshell hit the already beleaguered Linux community when IDC confirmed that Linux market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that Linux has lost more market share, this news serves to reinforce what we've known all along. Linux is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict Linux's future. The handwriting is on the wall: Linux faces a bleak future. In fact there won't be any future at all for Linux because Linux is dying. Things are looking very bad for Linux. As many of us are already aware, Linux continues to lose market share. Red ink flows like a river of blood.
Debian Linux is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time Debian Linux developers Ian and Deb only serve to underscore the point more clearly. There can no longer be any doubt: Debian Linux is dying.
Let's keep to the facts and look at the numbers.
SuSe leader Theo states that there are 7000 users of SuSe. How many users of Slackware are there? Let's see. The number of SuSe versus Slackware posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 Slackware users. GNU/Linux posts on Usenet are about half of the volume of Slackware posts. Therefore there are about 700 users of GNU/Linux. A recent article put Red Hat Linux at about 80 percent of the Linux market. Therefore there are (7000+1400+700)*4 = 36400 Red Hat Linux users. This is consistent with the number of Red Hat Linux Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, Red Hat Linux went out of business and was taken over by Mandrake who sell another troubled OS. Now Mandrake is also dead, its corpse turned over to yet another charnel house.
All major surveys show that Linux has steadily declined in market share. Linux is very sick and its long term survival prospects are very dim. If Linux is to survive at all it will be among OS dilettante dabblers. Linux continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Linux is dead.
Fact: Linux is dying
Have the humans do something that machines can't do very well, say image recognition and/or categorization.
A simple "Tell me about this picture" and an associated image and a text box would do. If the text submitted does not match a previously stored description well enough, no deal.
Every one in five or so, put out a new, previously un-cataloged, image and log the description...That would also be an easy way to beef up their image search engine.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
More reason to use sniping software. Hide yourself.
He's not relying upon obscurity, but it IS a tactic.
And it's one I'll bet most systems use somewhere in the process. If you have a password, the security is based on the assumption that only you know it. Once it is publicized -- no longer "obscure" -- it is no longer effective. As long as the obscurity you're relying on is sufficiently difficult to guess, it's effective.
Nope, no sig
So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
I wouldn't get my hopes up. If the calculation he needs is really complex, he should get himself a pocket calculator. I suspect that would be one hell of a lot faster.
Besides, I wouldn't want a bunch of pr0n hounds working out the reentry trajectory of the next-gen space shuttle.
Blearf. Blearf, I say.
Just curious. A few months ago the trash folder on my Yahoo mail stopped being automatically emptied. Yahoo support only replies 'your mail account is working correctly'.
I wondered if it was a push for the paid extra space because it increases the likelihood of someone seeing the 'Your mailbox is almost full' message.
In general, I think the Yahoo free stuff is a pretty good service.
Pardon my French, but that is foolish! You would rather hand your credit card to some checkout clerk who turns around and runs it through a machine and "accidentally" does something like press it on carbon copy paper, as opposed to sending it over 128-bit encryption?
check this out:
http://slovakia.sh.cvut.cz/images/snapshot2.png
it's from about half a year ago...
michal medvecky
The social problem is that we expect strangers to read our emails to them without any verification. This worked great fifteen years ago, but not now.
The solution is for email clients to send simple challenges to unknown senders, like "tell me the sum of three and four and I'll read your mail." I.e., we change our expectations - if we email a stranger, we should expect to spend a few extra seconds introducing ourselves. People stuck in the old mindset don't like this idea, but the old system doesn't work, and this solution would eliminate spam completely, while taking very little user time.
There are a few extra details to take care of to make it a complete solution, but think about it a bit and you can see what to do.
The moderation at Slashdot is seriously broken, and there needs to be a system that permanently revokes anyone's moderation privileges when their pathetic mods are metamoderated as reversed. There are too many gankers out there that moderate anything they disagree with as a troll or offtopic (or the hilarious overrated).
We are a large company that ships in excess of 6000 packages per day via UPS. UPS by their own admission fails to deliver in excess of 1% of their packages. In our case that's between 60 & 100 packages per day. Since UPS will refund shipping charges on packages that are not delivered on time, we have a perl script that hammers away at ups.com every night. We get the tracking info just to verify whether the package was delivered on time. By 6 AM we have a report of all undelivered packages. We simply submit these to UPS and get a $200-$500 refund from UPS each day. In essence we use UPS's web site to send us refunds.
Now that UPS is attempting to charge us for "excessive use" of their web site, we track our competitors' shipments too. On a good night we can hit UPS's web site a couple of million times with the tracking numbers of our competitor. In other words our competitors get a bill for excessive use because we looked up all of their shipments, several hundred times.
Naughty aren't we?
You really are a simple bastard aren't you.
If I get enough information on you to get my own credit card in your name, then you will never see a bill.
Once I get my (your) limit high enough, then I run it up to the max, and skip town.
Now this has just devastated your credit rating. All your creditors will start hounding you, and no one will give you a new loan. Also, no one, including the cops, will believe you that it wasn't you, since nothing had been reported stolen. The credit card company will require you to pay for the merchandise.
This may get resolved, but it won't be at any small inconvenience to you. It won't be a matter of calling up the credit card company and saying, "I don't know why you insist I owe you $15,000 for a credit card you say I had, as I never had it."
If it was this easy, then no one would ever file bankruptcy, they would just claim that they never had that credit card.
So what they steal isn't your identity, you have that right, but they do steal your credit rating.
Also credit card theft isn't victimless. If someone runs up hundreds of dollars of merchandise on your credit card, who pays when you report it? the credit card company (assuming they don't find the perpetrator). And where does the Credit Card company get the money that they pay for this merchandise with? Their pockets? No, they bill it back to you in the form of incredibly high interest rates.
Credit card theft does exist, and costs you and me money.
Identity theft also exists. No, they didn't steal your essence, or anything that IS you. But once they decided to leave, your credit rating is in shambles, and no easy fix in sight. This was a really big problem before the problem became more widespread, and people started realizing that these people (the ones that had their 'identity' stolen) weren't trying to defraud the creditors.
Your attitude is both simple and annoying. Your ability to ignore problems at hand makes it easier for perpetrators to get away with them.
I read the story on Slashdot's front page, and thought "great, an article about creating web services" and thought it would be about .NET XML-RPC type stuff and hacking together some programs that can make use of it, wishfully thinking that someone had written a good article about doing it on Linux. But oh no, someone just doesn't know what the word "hacking" means, and feels they should use it in the wrong way. That just ruined my day ;-)
Follow me
So why not include non-degreed individuals in your rankings as well? If the primary difference between B.S. and Ph.D. computer science people is some combination of time, money and determination acting independently of intelligence and/or cleverness, then those same differences would apply to non-degreed and B.S people as well, right? It would then similarly apply between B.S. and B.A. folks, or those having an M.S and an B.F.A.
I don't mean to be obtuse (or a troll), but I have to ask: Is a Bachelor's the point at which you begin ranking intelligence? Why not start at a high school diploma? Why not eighth grade (US)? Kindergarten? At which level can one finally claim the title of a "superior being"? Should society be a meritocracy? Can I be a Webelo without all my badges? If not, am I as smart as a Boy Scout or doomed to be labeled simple for all time?
Not that it matters much to anyone, but I never made it out of Cub Scouts and it's far too late in the game to start caring what everyone else in the den thinks...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
If you were any smarter you would have not announced this to all the trolls (like say, me) and spammers on slashdot.
I love feeding webbots, here you guys go!
teamhasnoi@yahoo.com
"I've seen Ph.D. level cleverness" - Ph. D and cleverness are only seen in the same sentence when its spoken by a Ph.D...
This is not the greatest sig in the world, this is just a tribute.
Sometimes, it's much easier to use information if it's not tied down to a browser page-- perl programmers have been parsing web pages for years. Various versions of Excel can do this as well, importing data from Yahoo! Finance's stock ticker directly into a spreadsheet. Sherlock (for MacOS) parses search engine results. BioPerl parses NCBI webpages (among others) into sequence data...
Obfuscated code makes this type of activity less useful. The trouble is that most of the services are tied to an archaic, and annoying advertising based model. Sherlock gets around this problem by actually parsing the ads and displaying them to a mac user. But most clients are built not to avoid ads so much as increasing the usability of the data. For some things, web browser interfaces leave a lot to be desired.
I remember a time when a scientist was someone who did, uh, science, not program computers to display Web pages.
And he's the Chief? It takes SEVERAL scientists to cook up a search engine?
Well, time to go eat. Maybe I'll go to McDonalds, where some Chief Hamburger Scientist is gonna serve me up some cow.
You left off the end:
...as opposed to sending it over 128-bit encryption to a site whose overworked webmaster left them vulnerable to the credit card hijack hack of the week?
The answer is that they're both more or less risky, depending on the merchant. You choose who to hand over the info to based on their track record.
Your right to not believe: Americans United for Separation of Church and
The 'dissident' attitude - demands for freedom, privacy, anonymity and openness - always evaporates into the thin, hot air it always was as soon as a threat to personal wealth and power is perceived.
... and don't bother replying to this jackass.
You did...
Best Slashdot Co
Subject pretty much says it all. I don't think any wise person would disagree if you were to say that the most heinous intellectual crime is one of unfulfilled potential. Whether fulfilling that potential necessarily means a degree or just living a fruitful life is the sticky bit. I know a lot of people that have the societal measure of success yet haven't stretched themselves mentally in the slightest. I know a lot of people that have the piece (or pieces, in at least one case) of paper, but had to work very hard at it because they aren't that bright. I know some who excelled at rote learning, but failed awfully when asked to integrate two concepts into a novel whole. And I know a lot of very bright, certifiably genius-level people who have decided to do and make stuff instead of spend time learning about other stuff that was done and made. If one is lucky, one gets the choice which road to take.
Sad part is, hard economic times bring out the great equalizer: management knows that individuals who have graduated from a certain institution at a certain level have demonstrably performed to a level which guarantees they themselves cannot be faulted for "taking a chance" on a new hire. It's the way things are always going to be, unless you know people. You either have a degree and hotjobs/monster/dice, or no degree but people who know you and know you've done excellent work in the past. Official references don't count, either. I'm talking about people that know you and will hire you because they know what you can do. If you don't fit into either camp, you stand a hard chance of finding a decent job in today's economy.
And BTW, I was agreeing with your earlier post. I currently work at a university. Before that I worked at a high-dollar startup, before that a Fortune 100 company, and before that a university. I don't have a degree, and that is by choice. I've faced a lot of discrimination because of it. However, I've never had trouble finding a good job at any time in the past 13 years largely because I know people who know me and know what I can do. I know I'm smart, because I'm smart enough to recognize where I fit in what I can do. I'm also smart enough not to care about the ArsDigitia's of the world. I guess I have a self-worth that doesn't depend on other people. Which is probably not healthy....
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The article is not about (security related to) instant messaging, but e.g. bots signing up for a dozen Yahoo E-mail accounts, which use them for spam, people grabbing their stock quotes every fifth minute and re-publishing them on their own site, people who do password attacks on auction accounts to trigger a lock-out, so that the bidder can't place any new bids during the last hour of the auction etc.
There's no doubt a pocket calculator would be faster. In fact, anything at ALL would be faster.
Think about it. Let's say the test problem is, say, 2 + 2. The user sarcastically replies that the answer is 42.
Either the computer supplying the question has to accept that answer as being correct, or it actually has to work out the answer itself to check.
If your computers are sending out questions they already know the answers to, or that they plan to compute answers for, in what possible way could this be used as distributed computing?
I just assumed he meant it as a joke.