Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."

299 comments
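The TRACE behaviour the submission refers to, as an added defender's check that is not part of the post or of WhiteHat's work: RFC 2068 defines TRACE as echoing the request line and headers back to the client, so a server that leaves it enabled reflects cookies and authorization headers to whoever can issue the request, which is the property XST abuses. The script below is example code; it audits a server for that reflection using constructed local `http.server` stand-ins (`EchoTraceHandler`, `HardenedHandler`) and a constructed probe header, so it runs offline.

```python
"""Audit whether an HTTP server reflects request headers via TRACE.

Added example, not part of the Slashdot post. The servers below are
constructed stand-ins (Python's http.server) so the check runs offline;
point trace_reflects_headers() only at infrastructure you administer.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe header: if it comes back in the response body, the server
# reflects whatever the client sent, cookies and auth headers included.
PROBE_HEADER = "X-Xst-Probe"
PROBE_VALUE = "constructed-marker-8f3c"


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for a server honouring TRACE as RFC 2068 describes:
    the request line and headers are sent back in a message/http body."""

    def do_TRACE(self):
        reflected = self.requestline + "\r\n" + str(self.headers)
        data = reflected.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


class HardenedHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE switched off: 405, nothing reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def trace_reflects_headers(host, port, timeout=5):
    """Send one TRACE carrying the probe header and report what came back.

    'reflected' is True only for a 200 whose body contains the probe value,
    i.e. the server echoes client headers, which is what XST relies on.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        status = resp.status
        ctype = resp.getheader("Content-Type", "") or ""
    finally:
        conn.close()
    return {
        "status": status,
        "content_type": ctype,
        "reflected": status == 200 and PROBE_VALUE in body,
    }


def audit_handler(handler_cls):
    """Start a constructed local server with handler_cls, audit it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_reflects_headers(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, handler in (("echoing", EchoTraceHandler), ("hardened", HardenedHandler)):
        result = audit_handler(handler)
        verdict = ("TRACE reflects client headers: disable it"
                   if result["reflected"] else "TRACE not reflected")
        print(f"{name:8s} -> {result['status']} {result['content_type']!r}: {verdict}")
```

Against a server you administer, call `trace_reflects_headers(host, port)` directly; a hardened server answers 405 or 501, and on Apache the setting that produces that is `TraceEnable off`.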

  1. He gets the word around.. by Gortbusters.org · · Score: 2, Insightful

    Let's see... he's got the blog, online sellers, copies of it online in all the great formats, a blog, and even the desire to put it on P2P sharing services. Don't forget the /. post.

    Not many look to writing books for fun these days, perhaps I shall click on his advertisements to give him some support.

    --
    --------
    Free your mind.
    1. Re:He gets the word around.. by Machine9 · · Score: 2, Interesting
      I suppose that if your server can take it, there's no better publicity than a /. post huh?

      sure beats tel-sell...

    2. Re:He gets the word around.. by Casca · · Score: 2

      Just finished reading it. Pretty good short story. There were a few style issues I didn't care for too much, but then they might grow on me if I read it a couple more times. It had a rough amateurish quality to it that I liked (even though the author isn't an amateur). Think I'll go buy it now.

      Whuffie++ to the author for being different.

      --
      Casca
  2. obligatory /.-ted remark by selderrr · · Score: 2, Funny

    highly popular blog
    apparently a bit too popular right now :-)

    1. Re:obligatory /.-ted remark by Jodrell · · Score: 3, Informative

      Just in case, here's a mirror. No PDF but bzipped versions of the HTML and text versions.

  3. Sweet by mschoolbus · · Score: 1

    ... he's also doing a bit of groundbreaking with the release of this book. He's selling it, and, distributing it under a Creative Commons licence at the same time. You can download it in TXT, HTML and PDF here.

    So he isn't getting raped by a publishing company? That's a good thing, a friend and I talked about this type of thing yesterday...

  4. Most science fiction by Amsterdam+Vallon · · Score: 4, Interesting

    Seems to use neither science nor fiction.

    I find that most stories I peruse contain such far-out "scientific principles" that the events that occur could never happen anywhere on this planet.

    Then again, some parts (even in Doctorow's 0wnz0red series) are simply stolen facts from things that have already happened and been talked about in the news.

    I find it ironic that the best new science fiction works are not science and barely contain any fiction.

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
    1. Re:Most science fiction by Anonymous Coward · · Score: 1, Funny

      You must be a liberal, based on your use of an ad-hominem attack rather than actually trying to refute something you don't agree with :-)

      Rush Limbaugh is a liberal?!

    2. Re:Most science fiction by metlin · · Score: 2, Interesting

      I had commented on exactly this in the previous mention of the 0wnz0red series here.

      Of late, good science fiction has become so very rare, more of Sci-fi and SF stuff (as some poster corrected me).

      I shall refrain from ranting, but if 0wnz0red is the best of modern science fiction that we can get today, it's sad. Incidentally, I remember that Doctorow had mentioned it as just fiction, not science-fiction.

      *sigh* Hope springs eternal.

    3. Re:Most science fiction by bdr1 · · Score: 2, Funny

      rather than just sitting there like a turd on a log, belching out criticism, write your own novel. otherwise, stop your croaking.

    4. Re:Most science fiction by nEoN+nOoDlE · · Score: 4, Insightful

      as Kurt Vonnegut once said (paraphrased), good science fiction writers don't know anything about science. Personally, I would agree with him since Vonnegut is my favorite writer and I read science fiction not for the scientific facts, but for the writer's interpretation of the "human condition" with perhaps the future or some crazy invention thrown in as a plot device. If I wanted a view of the future, I'd read science journals.

      --
      Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
    5. Re:Most science fiction by schlach · · Score: 5, Insightful
      I can't figure out why the reaction to the 0wNz0red story in August was so bad on slashdot. I thought it was a very entertaining, enjoyable, and thought-provoking read, in the grande style of good science fiction.

      I think most of it was a reaction to the language, which strikes me as bizarre. This is how we think! Maybe shutter-geeks are intolerant of words coined after 1960, but I hate to tell you folks, look how many pieces of language we owe to Gibson's contribution.

      Check out "Tales for the 1337 presents: Romeo & Juliet". That's funny shit, because of the way it illustrates how language is changing with the kids. Before you dismiss them as punks, remember that in ten years they'll be dismissing us as fogies.

      It's always been the case that language is purely the spoken word, and that writing is only linguistically interesting in the sense that it helps us track the progress of language. That's not exactly what I mean, but close enough. Anyway, what's come to be known as '1337' (but I'll generalize as "chat colloquialisms" b/c ppl ph34r th4t w0rd) is the first time that writing is dictating language. kewl.

      When you find yourself saying - out loud - "bbl", or "brb", or "haxor, fuxor, suxor", or "warez, filez, skillz" in 'real life', you know you're part of the change. Hell, when I say "owned" wrt computer security, I know it's spelled with a zero. Writing is leading language in this case, unlike others, because within this particular group of people, writing has become the dominant communication medium. Otherwise, it would follow the same slang-path that you are probably more familiar with, like "cool", "sweet", "rock", etc, which progresses from within spoken circles to the dictionary in an orderly fashion.

      Quoth sirinek,
      I'd like to thank the submitter of the story for calling it a "weblog" instead of some lame-ass made-up-for-the-sake-of-making-a-name-up name like a "blog" or a "wiki". :)

      I'm sure I'm not alone in my praise :)

      He's right, he's not alone. But I'm not with him. I have a blog. I blog things on my blog. This comment will probably be blogged in some shape or form. And I'm thinking about starting a wiki for a different project. 'Wiki' is the only word there is for a wiki. The only way I can think of to avoid using it is to not think about the idea that 'wiki' represents ... which just seems faulty.

      Interrobang,
      It's nice to see someone play with language, and it's nice to see someone who apparently knows a little bit of something (instead of a whole lot of nothing) about computers writing speculative fiction, for a change. Or don't you guys get a little bit annoyed about totally impossible (instead of wildly improbable) computers (and/or technology) in speculative fiction?

      Aren't we progressive? Aren't we adaptive? I've got a lot of hope riding on this generation of geeks, to look forward to the future, optimizing the world, if you will... I shudder to think that, underneath it all, we geeks think that our own language and the way we think should be constant and unchanging throughout our (adult) lives...
    6. Re:Most science fiction by metlin · · Score: 2

      Okay before I go ahead, I'll admit to one thing - I have been brought up in a very Indo-British style background, hence my opinions could be a reflection of that.

      I've grown to appreciate literature which a significant segment of the Slashdot would perhaps consider, well, unconventional, and perhaps even archaic.


      I thought it was a very entertaining, enjoyable, and thought-provoking read, in the grande style of good science fiction.


      But that is not everything! You are forgetting one thing - a merely descriptive work, with certain figments of the contemporary Hacker Culture thrown in does not constitute good science fiction.

      I can still read HG Wells or Jules Verne and be awed. If you look at true classics, they would not be descriptive, indeed, they would consist little of that, and a lot to do with how people react to technology. How the various societies and cultures would perchance evolve.

      The reason why Asimov's Foundation series strikes a chord with most people is not because he was able to portray futuristic technology. The reason was because his descriptions were based on realistic societies. For example, the Solarians reflect the Ancient Japanese culture, the fear against Robots is something that reflected the world in general at that time - fear of technology.

      Let us look at Frank Herbert. How often does he talk technology? Almost nowhere, he discusses PEOPLE and cultures, in a setting that could almost be here on Earth. His references are based on real cultures, and that is all he talks about. Let alone Dune, even the lesser known works of Herbert like The Jesus Incident follow this pattern.

      I urge you to read Arthur C Clarke's The Star, if you have not already done so. He hardly talks technology. He talks how PEOPLE REACT to science. To technology. And why!

      Technology Augments! Please remember that it is not the end, it is just a means.

      This is true for all the great writers - they realise that technology sounds all nice and good, but for someone who is familiar with it, there will not be much fascination. A poster above suggested Vonnegut - that is so very true. It does not set your thought processes into motion in the same way an analytical description of the future would.


      Writing is leading language in this case, unlike others, because within this particular group of people, writing has become the dominant communication medium. Otherwise, it would follow the same slang-path that you are probably more familiar with, like "cool", "sweet", "rock", etc, which progresses from within spoken circles to the dictionary in an orderly fashion.


      That is incorrect. Complex written linguistic expressions seldom make it to the spoken language, although the other way might be true. A significant percentage of Celtic languages, as well as those from South America have had significantly varied writings, which have been preserved for the sake of posterity, but otherwise are confined to just that.

      Historically, linguistic evolution from a niche group to the many is unlikely, especially given the fact that it demands addition of expressions and language external to the group. Else, we would all be learning English with Umlauts and perhaps a dozen other addendums.

      Let us leave that alone for a while. Coming to Blogs and Wikis. Yes, I fully agree with Sirinek. Why should I go on to coin another word, when weblog is so very descriptive and serves the purpose? The trouble is, opinions would swing either way, and this is more of one's choice rather than that of language.

      And oh, being an NLP & Data-mining researcher, I would pay a penny to shoot dead every damn guy who would use such fancy words and trouble us :-)

      What made William Gibson special was that his use of language was creative, not hackneyed. Jack out is such an expression - it fits the context perfectly. Cyberspace? Wintermute? Given the storyline, it blended in very well, and more than anything it was a change. His world was reminiscent of those by Philip K Dick, and used technology to AUGMENT! More than that, you would notice that he had again talked of PEOPLE reacting to technology, and more than that, how TECHNOLOGY(!) reacted to people.

      For that matter, take Eric S Nylund's Signal to Noise. So wonderfully written, lots of technology, but again it is HOW people react, how things happen and WHY! That is essential.

      Where has the style of writing that used to induce thinking gone? I do not want technology, I can read scientific literature if I were on the lookout for that. I do not need a rundown on the contemporary culture that I'm a part of. I need inspiration, I need to think!

      To Think. I wonder where that generation of writers has gone.

    7. Re:Most science fiction by Anonymous Coward · · Score: 0

      I think you are the author looking for some quick publicity?

    8. Re:Most science fiction by schlach · · Score: 2

      Responding in the general to your science fiction argument -> "I guess so." You've got valid points, but you're comparing a short story to novels. I dunno, I find myself enjoying many different kinds of things, and I'm sure that if Cory was going to expand his short story into a novel, he'd concentrate much more on the characters than the description. You'll find that a lot. Wasn't Johnny Mnemonic in a similar way?

      As for language... I think we're disagreeing about the same thing.

      That is incorrect. Complex written linguistic expressions seldom make it to the spoken language, although the other way might be true.

      That's exactly what I'm saying. That's always the way it's been, which is why the modern case is a departure from the norm.

      Historically, linguistic evolution from a niche group to the many is unlikely, especially given the fact that it demands addition of expressions and language external to the group

      Well, I would argue that most of "historically" is human pre-history. Less glib, and more recently, advances in mass-communication have made it much more likely that expressions used by a small external group are adopted by others. Example: kwyjibo. Google returns 4120 hits. This is a "word" that was made up by a fictional character and used once on a single episode... and has entered the lexicon of Simpsons watchers, which includes our entire community. Fascinating. Otherwise, look at the French efforts to prevent English from "corrupting" their language, ala Spanglish. And even the words I cited, like "cool", and "rock n' roll", and "hip hop", so much slang originates from a small hip or urban group and is distributed through media channels... shouldn't be a surprise. How much of your vocab wasn't in your parents' dictionary? Your grandparents'?

      And oh, being an NLP & Data-mining researcher, I would pay a penny to shoot dead every damn guy who would use such fancy words and trouble us :-)

      I'm guessing the Linguists you work with don't agree...

    9. Re:Most science fiction by kesuki · · Score: 2

      you'd be better off looking into a crystal ball.
      just off hand where are the fusion power plants? right where they were before in space really far away.
      the only way to see the future is wake up tomorrow and see it for yourself as it unravels into the present. Sci-fi books are no better at predicting the future than science journals. Jules Verne, HG Wells both have some stories that mirror the capabilities of modern technology. and yet they're not really showing the future.
      Just as George Orwell's vision of the future in 1984 is vaguely similar to corporate America, except he got the economics wrong, as well as a few other minor points. he nailed the 'picking an enemy this month' thing on the head, although we tend to invent wars on things rather than specific targets eg: war on drugs, or terrorism. so they never really have to end.

    10. Re:Most science fiction by metlin · · Score: 2


      Responding in the general to your science fiction argument -> "I guess so." You've got valid points, but you're comparing a short story to novels.


      I would not say that, a lot of good short stories have been instrumental in becoming novels in the days to come. Take Asimov, Clarke, David Zindell... their future works were based on the short stories that they started their careers with.

      I dunno, I find myself enjoying many different kinds of things, and I'm sure that if Cory was going to expand his short story into a novel, he'd concentrate much more on the characters than the description.

      I think I come across as someone who is not too fond of Cory :-) That is not the case, he is a wonderful writer, but just that I disagree with his style of writing.

      If Cory can pull it off, more power to him! What more can I say?


      That's exactly what I'm saying. That's always the way it's been, which is why the modern case is a departure from the norm.


      A little too early to say, isn't it?

      Besides, I do agree with your factoid of certain words getting adopted. I have in fact written a paper on this particular phenomenon - consider medireview and anyways. Both these are such examples, too.


      I'm guessing the Linguists you work with don't agree...

      Well, I'd not blame them! :-P

    11. Re:Most science fiction by schlach · · Score: 2
      And oh, being an NLP & Data-mining researcher, I would pay a penny to shoot dead every damn guy who would use such fancy words and trouble us :-)

      Haha. From your journal:
      Oh well, discovered this new Slashdot journal thingy! Isn't it amazing? Umm.. now you can expect to see some bloggish journal entries in here.
      Check. And. Mate. =)

      Bloggish? I don't think I've ever heard that use of "blog" before. You just make that up? ; )
      It works? It works! It works! It works!
      Indeed it does, my friend, indeed it does...
    12. Re:Most science fiction by metlin · · Score: 1

      That's so bloody unfair :-(

      *sigh*

  5. why would i buy? by bje2 · · Score: 4, Interesting

    first off, i remember when slashdot posted his short story "0wnz0red", and i really enjoyed reading it...

    secondly, not that i'm saying i'm cheap or anything, but why would i go buy the book, when i just downloaded the pdf for free?

    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    1. Re:why would i buy? by Anonymous Coward · · Score: 2, Insightful

      i don't know. maybe you get halfway through reading the pdf, and need a book to go on holiday with.

      also. you could repay him by telling your friends how good it was (I'm assuming it's good here ;-). Not all of them are gonna be so cheapskate they're prepared to read a pdf.

      finally, who says you'll want to read his second novel this way?

    2. Re:why would i buy? by bje2 · · Score: 2

      "i don't know. maybe you get halfway through reading the pdf, and need a book to go on holiday with."

      well, first of all, it's a 67 page PDF file, it looks like each PDF page is two actual pages, so, the book overall is about 134 pages...not very long by normal "book" standards...

      in any case, as for taking it on holiday, or somewhere else with you...well, it's a "printable pdf", they even advertise it as that on the download page...i can print and take it with me anywhere i want...

      i did enjoy the "0wnz0red" story, and i'll probably like this one...problem is, most of my friends are non-techies, and i doubt would find the same interest in the stories (assuming this one is similarly geared towards techies as 0wnz0red was)...none the less, i really enjoyed his writing the first time...

      --

      "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    3. Re:why would i buy? by Erasmus+Darwin · · Score: 5, Insightful
      "why would i go buy the book, when i just downloaded the pdf for free?"

      For the same reason that you'd go see a concert of a band that allows you to trade bootlegs of their concerts. The content may be the same, but the presentation of the for-pay version is in a format that is usually considered more desirable.

    4. Re:why would i buy? by gotroot801 · · Score: 3, Funny

      For that matter, why wouldn't I buy the book, when the dead-tree edition would probably reach me quicker than the free download on the slashdotted server? :)

    5. Re:why would i buy? by madgeorge · · Score: 1

      Because you want to take your old-fashioned dead trees to the park and read them underneath the living ones. As much of a techie addict as I am, I just can't bring myself to haul a laptop to someplace as nice as a park.

      -madgeorge

    6. Re:why would i buy? by Anonymous Coward · · Score: 1, Interesting

      in any case, as for taking it on holiday, or somewhere else with you...well, it's a "printable pdf", they even advertise it as that on the download page...i can print and take it with me anywhere i want...

      That is true, but there is a certain something to be said for buying a bound book instead of making your printer grind out 67 loose pages.

    7. Re:why would i buy? by linuxhack_utk · · Score: 0

      Well, other authors have put books online for free, such as Bruce Eckel, who as many know is the author of the immensely popular "Thinking in [Java|C++|...]" series. He always releases electronic, free copies that are fully hyperlinked, come with all the code, etc., at the same time as the bound copy. He says that the electronic books are an enhancement to the book, not necessarily a replacement for it, and that ultimately electronic books are targeted at a slightly different audience. In any event, he also says that he still gets brisk sales of the "real" books even with the very open availability of the electronic ones. Personally, I like having a copy on my laptop for quick reference that is not watered-down, but I much prefer the true codex format for general reading, portability, sharing, etc.

    8. Re:why would i buy? by bje2 · · Score: 3, Insightful

      true, when you consider printer ink, printer paper, etc, the book might end up being cheaper after all...but then again, i can just print it out at work, and do away with all that overhead for me...

      --

      "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    9. Re:why would i buy? by bje2 · · Score: 1

      again, i could just print out the pdf if i wanted to haul a "dead tree" edition down to the park...granted, it's not as nice as a bound copy, but still...

      --

      "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    10. Re:why would i buy? by fucksl4shd0t · · Score: 2

      For the same reason that you'd go see a concert of a band that allows you to trade bootlegs of their concerts.

      Why would I do that in the first place if I know they're just gonna make a big move later on to stop file sharing after they're successful?

      --
      Like what I said? You might like my music
    11. Re:why would i buy? by OldStash · · Score: 1

      That must be the most ridiculous comparison I have ever heard. There is a world of difference between attending a live performance and listening to the CD. The difference between reading a bound book and a bunch of printouts is minimal.

      Giving away free copies is a great way to gain some publicity. It is also a noble cause. But I'll bet diamonds to dumplings that it's a short-term money pit. Do it until you've made a name for yourself and then start publishing the old fashioned way.

    12. Re:why would i buy? by entrippy · · Score: 1

      Because you don't know they'll do that until after the fact, obviously.

      Or are you trying to say that you suspect Cory will do something similar? If so, you're not thinking this through very well.

    13. Re:why would i buy? by fucksl4shd0t · · Score: 3, Interesting

      No, actually I was trolling. :)

      I don't know anything about Cory, I just felt that his example was a tad contrived. One thing that has been demonstrated time and time again, especially with people that work in entertainment, is that success corrupts. A band (or an author) that starts out with high ideals frequently drops them later on when they're looking a huge chunk of cash in the face. When a band (or an author) is able to resist the cash and keeps their ideals, it is the EXCEPTION and NOT the rule.

      I don't know enough about Cory to even be able to take a guess that I would feel good about taking, but I remain cynical. I'm also cynical that both RedHat and Mandrake will continue to offer free download versions of their OSs. I'm a cynic. :)

      --
      Like what I said? You might like my music
    14. Re:why would i buy? by entrippy · · Score: 2, Informative

      Well, at least this book has been distributed under the Creative Commons licence, which means it's never coming out of the public domain (well, the specific public domain in which it exists, anyhow). This sort of licence (and the opensource licences that Redhat et al operate under) are great for ensuring exactly what you fear doesn't occur - ie, free things becoming non-free due to greed after success.

      And yes, I knew you were trolling. You just happened to also be talking out your arse, so I brought you up on it.

    15. Re:why would i buy? by fucksl4shd0t · · Score: 2

      Well, at least this book has been distributed under the Creative Commons licence, which means it's never coming out of the public domain (well, the specific public domain in which it exists, anyhow). This sort of licence (and the opensource licences that Redhat et al operate under) are great for ensuring exactly what you fear doesn't occur - ie, free things becoming non-free due to greed after success.

      It's not uncommon to offer the first hit(s) for free, and charge later. I'm talking about free as in speech, here. :) In fact, it's a common marketing tactic, so it's easy to justify even after the fact. And not entirely a bad tactic, either. In fact, he could get a large audience this way and then take some new work to a publisher and say "It's a guaranteed revenue stream, now give me exactly what I want and nothing else." and have some backing from a tested market.

      Then he would have works out that are not free anymore, and he would be in a position to go after anybody who turns around and "pirates" them.

      The specific band I referred to did exactly that, even with the after-the-fact justifications and the explanations about how it was different than what they had allowed.

      And yes, I knew you were trolling. You just happened to also be talking out your arse, so I brought you up on it.

      not talking out of my ass, just speaking my mind. :) That is what these forums are for, right?

      --
      Like what I said? You might like my music
    16. Re:why would i buy? by entrippy · · Score: 1

      Speaking your mind? What the forums are for? God, no!

      Well, okay, yes.

      My point is - does it matter to you if he writes further non-free work and makes some money out of it? This book is free - and that's what you were promised. At no point did he say "Everything I do for the rest of my life will be free, even if it turns out I'm taking a massive hit on potential profits for my future livelihood as an author."

      Don't condemn people for the (actually quite reasonable) steps they may or may not take in the future when they're doing the right thing now. More than the right thing, in fact - blazing a trail for others to do the right thing.

      It's like saying "Well, yes Linus developed Linux, but one day he might work for Microsoft - that sucks! Steer clear of Linux!"

    17. Re:why would i buy? by fucksl4shd0t · · Score: 2

      My point is - does it matter to you if he writes further non-free work and makes some money out of it? This book is free - and that's what you were promised. At no point did he say "Everything I do for the rest of my life will be free, even if it turns out I'm taking a massive hit on potential profits for my future livelihood as an author."

      Simple answer: No it does not matter to me.

      Don't condemn people for the (actually quite reasonable) steps they may or may not take in the future when they're doing the right thing now. More than the right thing, in fact - blazing a trail for others to do the right thing.

      I wasn't condemning the author, I was pointing out to the poster of the comment to which I was replying that he hasn't done anything new--yet. If he continues this way and dedicates his life to writing in this fashion, sure. He's broken ground then. The license itself is a bit unique, but not really new. I've taken poetry and crap from kids standing on the street corner "trying to get their name out so a publisher will notice them". What's the difference here, besides that it's offered electronically?

      It's like saying "Well, yes Linus developed Linux, but one day he might work for Microsoft - that sucks! Steer clear of Linux!"

      Not exactly, because *if* Linus goes to work for Microsoft (or some other company that makes him stop working on GPLd stuff), we will have the very last version of the kernel before he left the project to *continue developing*. We just won't have Linus anymore. Authoring and making music (these are both in the discussion as a result of the post to which I originally replied) are different than software development. Someone else can write a Sherlock Holmes story, but it won't be the same as reading something from Sir Arthur Conan Doyle. The style will be different, no matter how good an imitator he is. With Free Software, we can keep working on the code. With Free Novels, we have to depend on him to make his *next* novel free.

      And as you pointed out, we can't expect that. Furthermore, as I said, I don't know anything about the author we're actually discussing. Among the things I don't know: I don't know if he has made a big public to-do about how he writes his stuff and it's Free (as in speech) for the readers. I don't know if he's said that he intends to keep writing stuff and making it available under this license. If he has, then my comments are a real concern. If not, then it may well be his intention to change his model around when he can attract a publisher's attention.

      Just keep in mind I wasn't condemning the author, because I don't know anything about the author (I haven't even read one of his stories). I was replying to a post that seemed to indicate some sort of celebration over an author adopting this type of licensing, but I hadn't yet read anything about the author adopting it. It appears to me that he has just used it, but has made no commitment to continue using it. So there doesn't appear to me to be a commitment to celebrate.

      --
      Like what I said? You might like my music
    18. Re:why would i buy? by Grizzlysmit · · Score: 1
      Heck, I've got to say it, some of you guys are so stingy!!!

      "why would i go buy the book, when i just downloaded the pdf for free?"

      Well to start with, at the moment I cannot afford to buy books as I'm on a benefit due to a breakdown: but reading is one of my greatest loves, and hence is therapeutic for me, so I need books to read, so what do I do. The loverly folks at Baen books let people download stuff free, so I get to read lots of loverly scifi & fantasy (my favorites), so how do I feel about them, well would you believe it Grateful, so what will I do when I'm back in the work force, you've got it buy those awesome books.

      Other reasons for buying those books,

      • A physical book is just nicer than one on my box.
      • I'm not a stingy bugger like some of you.
      • I believe in rewarding people for doing good.
        (same as I intend to reward my open source brothers/sisters by writing OSS, [all true open sourcers should contribute somehow, some time.])
      --
      in my life God comes first.... but Linux is pretty high after that :-D
      Francis Smit
    19. Re:why would i buy? by WNight · · Score: 3, Insightful

      Because part of being a useful member of society is taking responsibility. If you wish to see the series continue, take responsibility for a part of that and help finance it.

      It's not a theft issue or anything, the author isn't harmed by you reading it. You have no obligation to pay, otherwise it wouldn't have been a gift, it'd have been a guilt-trip. But stand up and be counted. If you like something, make sure it keeps happening.

      Support the author. If you don't want the book (and someone who doesn't re-read them probably wouldn't) then just send what you think is a fair price (a buck or two probably is more profit than he'd see from an actual sale) through paypal. Then pass the e-book on to someone else who might like it.

      Personally, I wouldn't buy the book (in paper form anyways). Paper is becoming more and more obsolete. I read on the computer with preference to paper. When I re-read 1984 I did it on the computer, when I read the last honor-harrington novels, I read them on the computer instead of from the hard-copy book I had. I like having Baen books on CD though, and if the price of that is to buy a little obsolete paper every now and then, so be it.

    20. Re:why would i buy? by WNight · · Score: 2

      You should take the laptop. If we want to see old ways of life continue we need to make them relevant in our new lives. Laptops aren't going to go away, or cell-phones, or PDAs. If we don't integrate them into our nature experience it's the nature experience that'll go away.

      Reading a book, on a laptop, under a tree, is as much better than reading it, on a laptop, on a couch, as it would be for a paper book. If the paper book is worth the trip to the park, so is the e-book. And if you get tired of reading, you can play GTA3 on the laptop. Try doing that on the paper book! You just get inkstains everywhere.

    21. Re:why would i buy? by Robotech_Master · · Score: 3, Interesting
      You might want to say, "Hey, man, right on, kudos!" and support him with some money. (Heck, you don't even have to buy the book to do that; you could probably paypal him a few bucks and say it's pay-back in lieu of buying the book.) Or you might simply like the book enough that you want to have a professional-looking dead-tree version to stick on your shelf, or to lend to someone who doesn't like reading electronically and wouldn't understand being handed a bound printout.

      You probably find it hard to conceive of paying for something you could get for free, but not everybody does...not by a long-shot. In fact, as I mentioned in this comment, doing something quite similar has worked wonders for Baen. Blockquoth Jim Baen:
      Baen has experienced a mysterious 50% increase in gross dollar sales in the previous year. Also, our "sellthrough" (percentage of books placed in the market that sell to end-point customers) has improved from the rather startling 63% to the truly stunning 74%. I'm tentatively blaming this on my wacko e-net proclivities. (Insert a Crazy Eddie ad pastiche here)
      People who prefer print books but wouldn't otherwise look at Baen's titles in the store are taking free ganders (or even buying the e-versions first!), reading for long enough that they like it, and going out to place an order. Judging from what he says on the linked page and in the introduction to the free e-version of his book, Doctorow seems to be hoping that much the same thing will happen to him...and who's to say that it won't?
      --
      Editor Emeritus and Senior Writer, TeleRead.org
    22. Re:why would i buy? by alphaseven · · Score: 2
      secondly, not that i'm saying i'm cheap or anything, but why would i go buy the book, when i just downloaded the pdf for free?

      Good question. Also, why not just go to the library then?

      There are a number of reasons people buy books

      • Convenience. A PDF is about as convenient as having a book on microfilm.
      • Incentive for Reading. Having purchased a book gives a nagging feeling to a person that they should read it.
      • Showing off. Sure I'm never going to read that Proust box set or the new translation of Tale of Genji, but they look great on a bookshelf.
  6. BoingBoing is amazing by TerryAtWork · · Score: 5, Interesting

    When this was a physical magazine, it was one of the most fun, intelligent and readable cyber magazines ever. I bought my copies at the short lived Binary Cafe in Toronto (three computers on dialup to the net...) - and now I can't find them.

    Kind of like Mondo 2000, Wired and National Lampoon (jeez - anyone here remember when those were good?) all rolled into one. Now it's a web site and a HECK of a mail list.

    Highly recommended and I'm looking forward to DLing the book. (As soon as the /. effect ends.)

    --
    It's Christmas everyday with BitTorrent.
    1. Re:BoingBoing is amazing by PCM2 · · Score: 2
      Kind of like Mondo 2000 ... (jeez - anyone here remember when those were good?)
      Didn't Mondo 2000 begin life under the name Reality Hackers? I remember it as being sort of a cross between the Conde-Nast version of Wired (which, of course, didn't exist yet) and the text files from some warez BBS. They were on glossy paper and had full-page ads for cellular automata software from Autodesk (!). The end result of technology was, apparently, that you were going to be able to plug something into your brain so that your life could be like an acid trip, forever.
      --
      Breakfast served all day!
  7. Return to Pleasure Island by AndroidCat · · Score: 3, Funny

    Got his little chapbook right here, signed even. And if you flip though the pages, the donkey changes into a boy, or is that the other way around?

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Return to Pleasure Island by AndroidCat · · Score: 1

      Although, in review Cory, perhaps you should have left out that one goat frame on page 51...?

      --
      One line blog. I hear that they're called Twitters now.
  8. How could this happen? by Anonymous Coward · · Score: 4, Funny

    I thought the Magic Kingdom was the happiest place on earth? If you cry Mickey will give you free gifts.

    1. Re:How could this happen? by AndroidCat · · Score: 2
      According to the author, theme parks are one of his obsessions, along with boredom thresholds and transhumans.

      What Disney doesn't tell you about is all the kids who disappear there after a haircut and change of clothes. Walt wasn't frozen, he's undead and hungry! For more proof, search here

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:How could this happen? by Anonymous Coward · · Score: 0

      The "urban legends" cottage industry is a front. For example, if you shoot down the stupidest Disney legends, the shit that actually goes on flies right under the radar. You want astroturf? You can't HANDLE the astroturf.

    3. Re:How could this happen? by carlos_benj · · Score: 1

      I thought the Magic Kingdom was the happiest place on earth?

      My kids once accompanied a friend, who is blind, to a convention near Disneyland. One member of the party also had other physical problems that made it difficult to walk and was constantly falling down. His demeanor was such that he would refuse all offers of assistance and grumpily told people to leave the blind, fat, crippled man alone. In fact, the only way he said anything was 'grumpily'. He was aware of his reputation for grumpiness and played it up at every opportunity.

      There was one day set aside during the convention to go to Disneyland. Having fallen down several times on the way to the park and bellowing out his protests to all within earshot, the entire party lost it when he fell down in front of the sign stating that this was "The Happiest Place on Earth" and he began to roll around and shout, "I HATE this place!"

      --

      As a matter of fact, I am a lawyer. But I play an actor on TV.

    4. Re:How could this happen? by Anonymous Coward · · Score: 0

      NOoooooo.....

      The Mouse is evil. He will take all of your money and steal your children's minds.

      Run away!

      Run away!

  9. It's a joke. Get it? by joebagodonuts · · Score: 0

    I started to reply to this with a post telling the parent to "save the phony B.S.". Then the light came on. Whoops, I'm a little serious today.

    --
    "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
    1. Re:It's a joke. Get it? by joebagodonuts · · Score: 1

      The real joke is the parent is modded (Score:-1 Interesting)

      --
      "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
  10. Site holding up well by karrde · · Score: 2, Interesting

    Surprisingly, while the click to page view is a little slow, the site is holding well under the strain. And my d/l of the book screamed. Someone was ready :)

    Started reading the prologue on the screen, but just decided to print it out. Starting out as a neat story. Although the continued lack of specifics might drive me nuts.

    1. Re:Site holding up well by awful · · Score: 1

      he is inventive. too bad he can't write very well. "plodding" is the best description for his prose.

  11. Slashdotted.... I've mirrored the PDF by Tyler+Eaves · · Score: 4, Informative

    Grab it at Mirrored on an OC3

    --
    TODO: Something witty here...
    1. Re:Slashdotted.... I've mirrored the PDF by JasonUCF · · Score: 1

      Bless you, sir! Bless you and the bits you rode in on!

  12. Intelligent linking by muyuubyou · · Score: 4, Informative

    If you look at the link, it's http://www.craphound.com/down/

    Yep, that's exactly how it is, "down".

  13. Didn't OWNZ0RED get panned?? by Njoyda+Sauce · · Score: 1

    IIRC the slashdot crowd or at least the ones modded 2+ hated his short story on salon. I thought it was ok, though a bit contrived. I'm all for a new sci-fi author getting his works out, and his distribution methods seem very /. friendly; I still have to wonder if the content is all that good though. Guess I'll be reading it myself.
    sigh.

    --

    You can only be young once, but you can be immature forever.
    1. Re:Didn't OWNZ0RED get panned?? by Anonymous Coward · · Score: 1, Insightful
      I still have to wonder if the content is all that good though. Guess I'll be reading it myself.
      sigh.
      Yeah, it sucks to have to think for yourself instead of deferring to the slashdot hivemind.
  14. And here in palm TealDoc .pdb format by ka'arl · · Score: 2, Informative
    I converted the text file over to TealDoc format for easy reading on the Palm. Enjoy.

    http://www.mit.edu/~dmark/palm/

    1. Re:And here in palm TealDoc .pdb format by fucksl4shd0t · · Score: 2

      I converted the text file over to TealDoc format for easy reading on the Palm. Enjoy.

      THAT'S how we get electronic books and read them in the park or on vacation without killing trees. :) (I'm ignoring the effects of electronic devices on the environment in order to make this blatantly tree-loving post)

      --
      Like what I said? You might like my music
  15. It's just like Neal Stephenson by Anonymous Coward · · Score: 0

    except without the talent! Oh boy!

    Doctorow has a tin ear.

    1. Re:It's just like Neal Stephenson by Anonymous Coward · · Score: 0

      Stephenson has talent?

  16. The PDF File is NOT Secure by Anonymous Coward · · Score: 0

    By the way, the PDF file of this book is not secure. It has no Adobe security applied. So, you can make changes, extract text, add whatever you want to the "book". Now was that on purpose or by accident, Cory? Enquiring minds want to know.

    1. Re:The PDF File is NOT Secure by Gibbys+Box+of+Trix · · Score: 2
      The essence of the license at Creative Commons is:

      • Attribution. The licensor permits others to copy, distribute, display, and perform the work. In return, licensees must give the original author credit.

      • Noncommercial. The licensor permits others to copy, distribute, display, and perform the work. In return, licensees may not use the work for commercial purposes -- unless they get the licensor's permission.

      • No Derivative Works. The licensor permits others to copy, distribute, display and perform only unaltered copies of the work -- not derivative works based on it.

      The last term would imply that the lack of security is either an accident, or Cory trusts us to abide by the license. He certainly doesn't intend us to change the text...
    2. Re:The PDF File is NOT Secure by CableModemSniper · · Score: 1

      ITIHBT but the ascii and html versions should give you a clue as to whether or not the lack of "security" is intentional.

      --
      Why not fork?
    3. Re:The PDF File is NOT Secure by Anonymous Coward · · Score: 0

      The Creative Commons license should not be confused with Digital Rights Management (DRM) and so has nothing to do with the security of the PDF format.

      Most publishers print books on paper and trust you not to copy and resell them. In a few instances this copyright is enforced by lawyers. Here the electronic file is being distributed freely so you are trusted to copy it and redistribute it verbatim but not to resell it.
      If you do, you get into trouble with lawyers.

      Can you handle that?

  17. If it was panned, it deserved it .. by Anonymous Coward · · Score: 0

    I don't know how others were rated for their comments, but I would agree, the short story on Salon, "Ownz0red" or whatever he called it was poorly written.

    The plot was rather weak and contrived, the story flat and barely interesting. It just wasn't a good story. I think folks here "liked" it because it was superficially about tech, human-cyborg stuff (programming your DNA) and the military industrial complex (yeah, those bad CIA/NSA/military guys programming super soldiers).

    Sorry, I've seen better stories and plots on Amateur's night on the Sci-Fi channel. It certainly doesn't make me want to try reading anything else by the same author.

    1. Re:If it was panned, it deserved it .. by Anonymous Coward · · Score: 0

      Agree.

      The premise wasn't very strong and the writing was contrived to use whatever 1337 buzzwords he could think of (ownz0red, CVS privileges revoked, etc.).

      Fair play if he's making money off this pulp.

  18. Slashdot humour by Pac · · Score: 2

    Isn't it funny to read the words "You can download it here" on Slashdot's front page, when we all know you can count on the fingers of one hand the number of instances of "here" capable of surviving the honor?

  19. Am I the only one by sentientbrendan · · Score: 1

    who noticed the first (0wnz0r3d) book sucked? Just think about the premise for a second: suddenly it's possible to completely manipulate human physiology on every level, not because of some miracle scientific advancement but simply because programmers with little to no medical knowledge get a crack at it?
    Oh No! better watch out or those 1337 h4x0rs will hack into your DNA and turn you into a flying monkey!

  20. to / too by Anonymous Coward · · Score: 0

    From Here to Eternity...

    Your schlong is much too long, dear.

    Too bad for you!

    Who are you giving that present to?

    To be or not to be...That question is just too damn difficult to answer!

  21. Yeah! by Anonymous Coward · · Score: 0

    Me too!

    I agree!

  22. Right on. by Anonymous Coward · · Score: 0

    Besides, critics should rarely be taken seriously; they tend to pan creators because they themselves cannot create.

  23. shameless promotion by Anonymous Coward · · Score: 0

    OK, I've seen at least eight posts from Doctorow about his own literature on BoingBoing. The shameless self-promotion is getting old. Now this?

  24. An AC's brief review, no spoilers by Anonymous Coward · · Score: 0

    Well.. I just finished reading it, only took about three hours.
    It had more than its fair share of netizen and unix speak,
    but the writing style and story rocked my casbah.

    Highly recommended by this AC

  25. Not really all THAT groundbreaking... by Robotech_Master · · Score: 2

    Technically, Baen already broke the ground. Hey, they've given away an entire CD-ROM of books, under the same terms. Granted, they didn't use a specific license, but it says right there on the disk that you're allowed to copy and share but not sell its contents.

    It sure is nice to see Doctorow jumping on the bandwagon, though.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
  26. Just a few thoughts by ColGraff · · Score: 2

    Finished reading "Down and Out", and it's pretty good. Not brilliant or classic or anything like that, but more than good enough that I'd be willing to pay for the dead-tree version, even though it's pretty short (67 pages). It's got a very nice, twisted sense of humor, definitely worth the read.

    --
    I'm the stranger...posting to /.
  27. Descriptivism R teh suX0R, lol urfuct by Anonymous Coward · · Score: 1, Funny

    Preaching to the choir, half of whom are asleep and the other half can't sing. The pews are empty. You GO, boy.

  28. Interesting possibilities... by Schnapple · · Score: 4, Interesting
    I see lots of interesting possibilities if this "thing" catches on.

    It would appear that the publishing industry and the recording industry are similar in that they are difficult to get into and tend to "stiff" new artists/authors. Of course the recording industry is difficult to get into because they're looking for the next 18-24 year old Britney Spears clone and the publishing industry is difficult to get into unless your work has something that will sell (for sci-fi your works these days either have to be attached to a franchise or be militaristic in nature).

    The main difference, as far as I can see, is that this author and, say, Bruce Eckel also publish their works through major book publishers. There are lots of websites where you can download the entire CD of a small artist, usually the ones who press their own albums on CD-R. But as soon as these guys sign to a major record label, this practice goes away. How it is that TOR is allowing Doctorow to do this is beyond me. No way would they let Robert Jordan release Wheel of Time 10 this way.

    But something occurred to me - this is a book that's like 136 pages (though Amazon says the hardcover is 208). And it's being published in hardcover for $22.95. That's more than most DVD's or CD's. You can usually pick it up for less than that, but doesn't that seem a little pricey to anyone else? I know that hardcover first issue books are steep, like $29.95 for Wheel of Time 10, but that's a 700 page book whose target audience is rabid about it. Shouldn't a 136 page hardcover book be a little cheaper?

    Even better question - how come no one complains about this? People complain about the price of a lot of things - CD's, DVD's, Movies, etc. but they never complain about the price of books. Of course you can download your music if you really want to, you can wait for the movie to hit DVD, you can download the DivX of the movie/DVD if you can find it, and the DVD is loaded down with extras so you don't feel jipped. Could uneasy accessibility to books in digital form be the reason no one complains about their prices?

    And what will this do to the mix? Will authors release their material this way in the future in the hopes that being noticed will land them a book deal so they can sell copies to all of those who want a keepsake of something they read for free? Will this guy sell a ton of copies of this book because he was on a Slashdot story? Will this work on a fiction document (Eckel's works are programming books)?

    Can the recording industry learn a thing or two from the publishing industry? Or is it the other way around? And whose cause does it help if the Slashdot community buys a ton of this book?

    1. Re:Interesting possibilities... by Pepebuho · · Score: 1

      The reason nobody complains about the cost of hardbound books is because there are LIBRARIES. You can go to a library, borrow a book, read it and return it without paying a cent to anybody. The author was compensated just on the purchase of the book by the library.

      RIAA wants to charge you for every time that you listen to a song.

    2. Re:Interesting possibilities... by Robotech_Master · · Score: 2
      Actually, they do complain. Funny thing is, though...
      Nonetheless, for those who remember the 1970s, the escalation in prices does appear substantial. Figures obtained from R.R. Bowker, the company of record for information about the publishing industry, show that, from 1975 to 2000, the price of the average hardcover book of fiction went up 200 percent to $24.96. Average prices for hardcover poetry and drama books increased 211 percent to $33.57. Nonfiction hardcovers went up 123 percent to $40.29. The largest increase was in the juvenile category, which climbed 227 percent to arrive at the current average of $18.40.

      Still, adjust these figures for inflation and you get a different story, says Robert Sahr, an associate professor of political science at Oregon State University who studies media coverage of complex matters such as budgeting and economic policies. He found that the cost of hardcover fiction in real dollars had actually gone down 2 percent, while poetry and drama and juvenile categories had risen only a few percentage points. Nonfiction hardcovers had decreased in real price by 27 percent.
      As for whether authors will release their books this way in the hope of getting "noticed" by a traditional publisher...well, it's already happened, a few times. It's even happened recently, what with John Scalzi's Old Man's War having been picked up by Tor--the very same publisher who's publishing Doctorow's Magic Kingdom--after being posted online. (Though ironically, it's now been removed from the website since Tor's picked it up.) But I think that overall, the chances of such a thing happening are really infinitesimal. After all, how many people who've posted their stuff on the Internet haven't been picked up for publication? I know I haven't.
      --
      Editor Emeritus and Senior Writer, TeleRead.org
    3. Re:Interesting possibilities... by Schnapple · · Score: 2

      For that matter you can also go to a Barnes & Noble, grab a coffee, and sit there and read an ENTIRE book without them wanting you to buy it or get out. Try that at Musicland with a CD.

  29. Or... by GMFTatsujin · · Score: 2

    You could download the itsy-bitsy Palm PDB version and read it wherever you go without having to lug around a microforest!

    That's freakin' genius, you ask me. In the Beginning was a good read too, and I think it's because I could read it on my Visor that I've enjoyed reading it over and over whenever the mood strikes me. On the bus, waiting in the line at the bank, over dinner... I love it.

  30. out of curiosity... by bje2 · · Score: 1

    assuming you're serious about having read a book on your Visor, how much text could actually fit on one screen? I mean, it seems like it could get pretty annoying having to scroll down after every two sentences or something like that...

    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
  31. Re:Hello, slashdot! by mustangdavis · · Score: 1

    I haven't laughed that hard in months!

    Your journal is hilarious!

    Also, I've never seen anyone admit that they had terrible karma ...


    For anyone who needs to laugh REALLY hard, check out this journal! I read it five minutes ago, and I'm still laughing!!!

  32. Why books are better :-) by Wesley+Felter · · Score: 2

    "Downloading a novel from the net is not something I'd ever likely do myself, but mainly because reading novels on the screen of a PDA is something I might get into only if I were incarcerated, with no alternative. ... You could have sex relatively comfortably on a platform of books, but not on a platform of PDA's. Hardcover books. Paperbacks might start sliding around. Though I'd still prefer paperbacks to a pile of PDA's." -- William Gibson

  33. Whuffie?? by Any+Web+Loco · · Score: 1

    It's called Karma, dude.

  34. Pretty good by Mike+the+Mac+Geek · · Score: 2

    Just read it, and I liked it.

    Felt kinda bad for the guy, I was in the exact same situation he was in with Lil. Girl I was with, good friend, you see where that goes.

    Story got to me, very well written though.

    --
    -------------------------------------------------- ---- The man, the myth, the something or other.
  35. Re:combine this with photovores and ... by condour75 · · Score: 1

    because Whuffie doesn't exist yet. Karma won't buy you a beer, according to my local Tavern owner.

  36. Last Post! by alpg · · Score: 0

    The Three Major Kinds of Tools

    * Tools for hitting things to make them loose or to tighten them up or
    jar their many complex, sophisticated electrical parts in such a
    manner that they function perfectly. (These are your hammers, maces,
    bludgeons, and truncheons.)

    * Tools that, if dropped properly, can penetrate your foot. (Awls)

    * Tools that nobody should ever use because the potential danger is far
    greater than the value of any project that could possibly result.
    (Power saws, power drills, power staplers, any kind of tool that uses
    any kind of power more advanced than flashlight batteries.)
    -- Dave Barry, "The Taming of the Screw"

    - this post brought to you by the Automated Last Post Generator...

  37. relation? by minddog · · Score: 3, Insightful

    This isn't at all related to whats going on right now is it?

    1. Re:relation? by wo1verin3 · · Score: 1

      I haven't been able to find out much on the current outtages, can't get to internettrafficreport.com :(

    2. Re:relation? by Kylow · · Score: 1

      www.internethealthreport.com Major problems tonight. Look at yesterday's internethealthreport to compare (link on the page). Its ugly.

    3. Re:relation? by lecca · · Score: 4, Interesting

      Check out http://average.matrix.net/Daily/markR.html if you want to really see whats going on in detail.

      --
      "In a time of universal deceit, telling the truth becomes a revolutionary act" - George Orwell
    4. Re:relation? by rchatterjee · · Score: 3, Interesting

      Don't know if this is the reason for the internet slowdown right now but it seems likely; from about a few hours ago I've been getting tons of incoming traffic on port 1434, which I believe is the port that MS SQL listens on. So it's probably another exploit on MS server software.

    5. Re:relation? by walendo · · Score: 2, Insightful

      Same here. Lots of hits on port 1434, currently from .kr and .mx ... sigh.

    6. Re:relation? by minddog · · Score: 1

      Been watching it for a while. It has only been getting worse since 10:30 =/

    7. Re:relation? by hudmond · · Score: 4, Informative

      The issue currently happening, from what anyone can tell at any rate, is that a flaw in MSSQL has been found, judging by everyone noticing a lot of traffic on 1434, the MSSQL port. Anyhow, I was running MSSQL earlier and my DNS crapped out; I ctrl+alt+del'd and saw 85% CPU used by MSSQL server, killed it and boom, everything was okay. Possibly a worm traveling around. http://internethealthreport.com/ UUnet seems absolutely destroyed ;)

    8. Re:relation? by LinuxPunk · · Score: 4, Funny

      Oh my god, they killed UUnet! Those bastards!

      Sprint seems to be doing very well, though.

    9. Re:relation? by Anonymous Coward · · Score: 0

      I've been following this for about 40 minutes but can't find anything.

      Does anyone know of a site/forum that is covering the outages?

    10. Re:relation? by mcbridematt · · Score: 1

      I've been notified of 3 attempted attacks by ZoneAlarm, all over port 1000
      Traceroute to a.root-servers.net:
      <snip/>
      14 376 ms 340 ms 337 ms so-2-3-0.washdc3-nbr1.bbnplanet.net [4.24.4.109]
      15 401 ms 347 ms 336 ms p2-0.vienna1-nbr2.bbnplanet.net [4.24.4.214]
      16 345 ms 349 ms 343 ms p1-0.vienna1-cr6.bbnplanet.net [4.0.2.138]
      17 494 ms 471 ms 460 ms h2-0.internap5.bbnplanet.net [4.1.9.242]
      18 345 ms 334 ms 334 ms border7.ge2-0-bbnet1.wdc.pnap.net [216.52.127.11]
      19 * * * Request timed out.
      (goes on and on.... Gives up at 30)

      So it looks like 1 root server cannot be reached from my location (Geelong, Australia). I was able to reach b.root-servers.net though. I can't be bothered to do all of them.

    11. Re:relation? by Loligo · · Score: 1

      Most of my hits are actually coming from .edu machines.

      nd.edu, rpi.edu, psu.edu, syr.edu, ohiou.edu, albany.edu... and from the hostnames, they don't sound like student machines, but real servers.

      Sigh.

      -l

    12. Re:relation? by greggish · · Score: 1

      http://webhostingtalk.com/showthread.php?s=&thread id=107103

    13. Re:relation? by Anonymous Coward · · Score: 0

      BBC World are reporting that a root server in Korea is out of commission due to 'unknown reasons'.

      The reports are gently suggesting hackers but god only knows their sources on that.

    14. Re:relation? by LinuxPunk · · Score: 1, Offtopic

      Hmmm... Over here (Canada) the internet seems mostly fine, only a few sites that I've been to are down, including www.distrowatch.com. In fact, I'm listening to internet radio right now, and there is no lag at all (digitallyimported.com). This seems like it is a mostly UUnet targeted attack, according to internethealthreport.com...

    15. Re:relation? by wo1verin3 · · Score: 1

      Also this link

    16. Re:relation? by anubi · · Score: 1
      re: hits on Port 1434:

      For me, this has just started up... I attach my Zone Labs log file so you may compare the activity to what you are seeing. (I am not trying to take up valuable area, but rather am trying to give you another dataset to compare your experiences to.) Presently I am getting hit about once every fifteen seconds attempting to connect to my port 1434. As you can see, these are coming from various other IPs on varying ports.

      I am on a dialup. DHCP. (I get whatever IP PacBell assigns me for the duration of my connection.)

      ZoneLabs Log:

      FWIN,2003/01/24,14:23:48 -8:00 GMT,216.161.101.173:62540,67.112.46.155:3525,TCP
      FWIN,2003/01/24,14:23:48 -8:00 GMT,216.161.101.173:62539,67.112.46.155:3525,TCP
      FWIN,2003/01/24,14:23:48 -8:00 GMT,216.161.101.173:62541,67.112.46.155:3525,TCP
      FWIN,2003/01/24,14:30:22 -8:00 GMT,67.112.46.162:1028,67.112.46.155:137,UDP
      FWIN,2003/01/24,14:30:28 -8:00 GMT,67.112.46.161:1097,67.112.46.155:137,UDP
      FWIN,2003/01/24,14:37:08 -8:00 GMT,67.112.46.161:1098,67.112.46.155:137,UDP
      FWIN,2003/01/24,14:38:54 -8:00 GMT,67.112.46.161:1096,67.112.46.155:137,UDP
      FWIN,2003/01/24,14:40:16 -8:00 GMT,4.62.221.54:0,67.112.46.155:0,ICMP
      FWIN,2003/01/24,14:48:20 -8:00 GMT,67.112.46.161:1025,67.112.46.155:137,UDP
      FWIN,2003/01/24,15:03:22 -8:00 GMT,200.64.172.254:1084,67.112.46.155:137,UDP
      PE,2003/01/25,00:32:57 -8:00 GMT,Netscape Navigator application file,206.13.29.12:53,N/A

      and this is when the crap started flying

      PE,2003/01/25,00:33:08 -8:00 GMT,The Proxomitron,206.13.29.12:53,N/A
      FWIN,2003/01/25,00:37:22 -8:00 GMT,128.205.156.40:3537,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:38:42 -8:00 GMT,67.112.251.186:2991,67.112.46.156:80,TCP
      FWIN,2003/01/25,00:40:02 -8:00 GMT,211.13.231.200:4216,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:41:00 -8:00 GMT,63.254.129.14:4632,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:41:32 -8:00 GMT,207.97.136.48:4899,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:44:32 -8:00 GMT,64.239.122.46:53342,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:45:10 -8:00 GMT,207.46.200.139:2126,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:51:02 -8:00 GMT,62.149.128.35:1235,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:54:58 -8:00 GMT,63.240.201.75:1478,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:56:36 -8:00 GMT,216.97.147.185:1706,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:58:12 -8:00 GMT,129.250.226.100:3581,67.112.46.156:1434,UDP
      FWIN,2003/01/25,00:58:28 -8:00 GMT,24.30.207.206:4096,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:01:10 -8:00 GMT,212.219.8.246:4686,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:01:48 -8:00 GMT,10.208.128.97:4222,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:05:42 -8:00 GMT,164.67.192.239:4850,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:06:12 -8:00 GMT,64.15.237.180:1459,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:08:36 -8:00 GMT,66.230.209.230:3513,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:09:46 -8:00 GMT,130.94.19.249:2482,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:09:56 -8:00 GMT,65.118.242.70:3108,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:10:30 -8:00 GMT,62.129.134.253:1226,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:12:40 -8:00 GMT,64.210.7.98:4182,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:13:04 -8:00 GMT,66.28.8.72:3420,67.112.46.156:1434,UDP
      PE,2003/01/25,01:13:09 -8:00 GMT,Netscape Navigator application file,127.0.0.1:8080,N/A
      FWIN,2003/01/25,01:14:00 -8:00 GMT,210.214.8.133:1025,67.112.46.156:137,UDP
      FWIN,2003/01/25,01:16:06 -8:00 GMT,205.243.25.86:4181,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:17:24 -8:00 GMT,217.160.133.189:1098,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:18:48 -8:00 GMT,139.134.5.239:2274,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:19:26 -8:00 GMT,80.13.193.122:1026,67.112.46.156:137,UDP
      FWIN,2003/01/25,01:19:38 -8:00 GMT,145.101.195.133:2886,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:24:00 -8:00 GMT,62.20.108.24:1291,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:24:12 -8:00 GMT,65.160.127.210:2722,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:26:20 -8:00 GMT,157.169.10.11:3281,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:26:48 -8:00 GMT,129.125.140.178:2536,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:27:16 -8:00 GMT,193.140.134.125:1033,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:28:32 -8:00 GMT,216.29.52.98:3466,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:28:56 -8:00 GMT,129.242.210.240:1574,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:32:00 -8:00 GMT,212.141.84.123:1954,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:33:16 -8:00 GMT,65.209.2.2:1062,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:37:22 -8:00 GMT,203.251.202.13:1576,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:38:16 -8:00 GMT,63.215.151.135:1970,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:38:30 -8:00 GMT,61.61.104.231:1028,67.112.46.156:137,UDP
      PE,2003/01/25,01:41:18 -8:00 GMT,OPERA.EXE,127.0.0.1:8080,N/A
      FWIN,2003/01/25,01:41:34 -8:00 GMT,128.186.85.26:1757,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:43:00 -8:00 GMT,195.194.95.160:4327,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:43:10 -8:00 GMT,63.243.24.97:1107,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:45:18 -8:00 GMT,202.125.128.100:1603,67.112.46.156:1434,UDP
      FWIN,2003/01/25,01:45:38 -8:00 GMT,67.35.15.77:0,67.112.46.156:0,ICMP

      Actually, while I type this, I have had ZoneLabs notify me each time I get a hit, and I am now up to hit #12 or so. Weird! It's gonna be interesting to read on Slashdot just what this thing is.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
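The ZoneAlarm log above is what most people in this thread were staring at while the thing unfolded. As an added example (not code from the page or from any poster), here is a small triage script that parses records in that exact format, skips the PE program-event lines, and tells you which destination port is being hammered, from how many distinct sources, and in which minute it peaked. The record layout is inferred from the posted log (FWIN,date,time tz,src:port,dst:port,proto); the sample records are constructed with RFC 5737 documentation addresses, not copied from the post.

```python
"""Added example: triage a ZoneAlarm-style firewall log for a port flood.

Not code from the page. Record layout follows the log posted in the thread:
  FWIN,<date>,<time tz>,<src ip:port>,<dst ip:port>,<proto>   blocked inbound
  PE,<date>,<time tz>,<program>,<dest>,N/A                    program event
The sample records below are constructed (RFC 5737 addresses), not real traffic.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
FWIN,2003/01/25,00:37:22 -8:00 GMT,192.0.2.10:3537,198.51.100.7:1434,UDP
PE,2003/01/25,00:38:00 -8:00 GMT,The Proxomitron,203.0.113.5:53,N/A
FWIN,2003/01/25,00:38:42 -8:00 GMT,192.0.2.11:2991,198.51.100.7:80,TCP
FWIN,2003/01/25,00:40:02 -8:00 GMT,192.0.2.12:4216,198.51.100.7:1434,UDP
FWIN,2003/01/25,00:41:00 -8:00 GMT,192.0.2.10:4632,198.51.100.7:1434,UDP
FWIN,2003/01/25,00:41:32 -8:00 GMT,192.0.2.15:4899,198.51.100.7:1434,UDP
FWIN,2003/01/25,01:14:00 -8:00 GMT,192.0.2.13:1025,198.51.100.7:137,UDP
FWIN,2003/01/25,01:45:38 -8:00 GMT,192.0.2.14:0,198.51.100.7:0,ICMP
"""


@dataclass
class Blocked:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def _split_endpoint(endpoint: str):
    """'192.0.2.10:3537' -> ('192.0.2.10', 3537)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_zonealarm(text: str) -> list:
    """Return the FWIN (blocked inbound) records; PE and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6 or fields[0] != "FWIN":
            continue
        _, date, time_tz, src, dst, proto = fields
        # ZoneAlarm writes local time followed by the offset; keep the clock only.
        clock = time_tz.split(" ")[0]
        when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        src_ip, src_port = _split_endpoint(src)
        dst_ip, dst_port = _split_endpoint(dst)
        records.append(Blocked(when, src_ip, src_port, dst_ip, dst_port, proto.upper()))
    return records


def top_ports(records, n: int = 3):
    """Which (proto, dst port) pairs dominate? Useful before you know what the worm is."""
    return Counter((r.proto, r.dst_port) for r in records).most_common(n)


def summarize_port(records, port: int, proto: str = "UDP") -> dict:
    """Hits on one destination port: volume, distinct sources, busiest minute."""
    hits = [r for r in records if r.dst_port == port and r.proto == proto]
    if not hits:
        return {"hits": 0, "unique_sources": 0, "busiest_minute": None, "peak_per_minute": 0}
    per_minute = Counter(r.when.strftime("%Y-%m-%d %H:%M") for r in hits)
    minute, peak = per_minute.most_common(1)[0]
    return {
        "hits": len(hits),
        "unique_sources": len({r.src_ip for r in hits}),
        "busiest_minute": minute,
        "peak_per_minute": peak,
        "first": hits[0].when.isoformat(sep=" "),
        "last": hits[-1].when.isoformat(sep=" "),
    }


if __name__ == "__main__":
    recs = parse_zonealarm(SAMPLE_LOG)
    print("top targets:", top_ports(recs))
    print("udp/1434:", summarize_port(recs, 1434))
```

Feed it your own ZoneAlarm export in place of SAMPLE_LOG; a single (proto, port) pair accounting for nearly every FWIN record from dozens of unrelated source networks is the signature of a worm scan rather than a targeted probe, which is exactly the pattern the posters below work out by hand.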

    17. Re:relation? by Anonymous Coward · · Score: 0

      eh, what's the IP for webhostingtalk.com? ;)

    18. Re:relation? by anubi · · Score: 1
      I dug this up.. it may explain why port 1434 is under attack. It appears to be a Microsoft SQL server exploit.

      http://www.der-keiler.de/Mailing-Lists/Securiteam/2002-07/0115.html

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    19. Re:relation? by hudmond · · Score: 3, Funny
      excerpt taken from http://www.internet.com/
      Microsoft Promises a More Secure 2003 After a year of working on its security issues, the company's Trustworthy Computing initiative is taking more of a 'push' approach starting with Windows Server 2003. -internetnews
      Anyone else find this laughable? I'm slightly entertained I'll admit.
    20. Re:relation? by amigaluvr · · Score: 5, Funny

      hrm kevin mitnick is allowed back on the net and the net goes fubar

      hrmmmmmmmmmmmmmmm????

    21. Re:relation? by Big+Mark · · Score: 1

      Would make sense if this is a MS-SQL Server exploit, all the uni's servers would be getting buggered, but none of the students' computers would be running the server, so no pingage from them.

      -Mark

    22. Re:relation? by Anonymous Coward · · Score: 0

      Check out http://www.digitaloffense.net/worms/mssql_udp_worm /

    23. Re:relation? by lildogie · · Score: 1

      > This isn't at all related to whats going on right now is it?

      That depends. Are you wearing your tinfoil hat?

  38. maybe... by Anonymous Coward · · Score: 0

    ...this is responsible for the massive DDoS attack happening right now.

    1. Re:maybe... by Anonymous Coward · · Score: 0

      Here I thought it was just me, my ISP and my hosting provider, but there is definitely something afoot.

      What is going on, and why isn't there a slashdot article on it right now!!?!

    2. Re:maybe... by greggish · · Score: 0, Flamebait

      Because Slashdot aint worth spit anymore! Been talking about this for awhile on WebHostingTalk.com http://webhostingtalk.com/showthread.php?s=&threadid=107103

  39. not related by benh57 · · Score: 5, Informative
    This vulnerability is about sites getting access to other sites' cookies.

    It is not likely to be related to the current DDOS, which seems to be this MS vuln.

    1. Re:not related by benh57 · · Score: 4, Informative

      Oops, 2nd link should be to CERT.

    2. Re:not related by Anonymous Coward · · Score: 1, Offtopic

      Hmmm..My firewall log shows that I'm getting probed on this port (1434) every few seconds from 20 or more different IP addresses...I'm on AT&T's "broadband" network...

    3. Re:not related by thestu · · Score: 2, Insightful

      I'm also getting pounded here on 1434... Thank god for firewalls...

    4. Re:not related by shannara256 · · Score: 2, Informative
      It is not likely to be related to the current DDOS [http://average.matrix.net/], which seems to be this MS vuln [http://www.kb.cert.org/vuls/id/370308].

      I don't believe that that vulnerability is what's being exploited at the moment. From the CERT article:

      Overview
      Microsoft SQL Server 2000 contains a vulnerability that allows remote attackers to create a denial-of-service condition between two Microsoft SQL servers.

      I'm getting hammered, and I am not a Microsoft SQL server. It's probably not too unreasonable to assume that SQL Server is what's been exploited, but I don't think it's the exploit you mentioned.

    5. Re:not related by h2odragon · · Score: 3, Informative

      this is a new exploit; beginning with a buffer overflow related to the referenced CERT, and then proceeding to another buffer overflow ....

      Disassembly of the current probe packets available here for what its worth. This is a nasty little sucker.

    6. Re:not related by Anonymous Coward · · Score: 0

      http://webhostingtalk.com/showthread.php?s=&threadid=107128

    7. Re:not related by nukey56 · · Score: 1

      this is a new exploit

      Speaking of new exploits, how about reposting a bad link to get uber karma? Or has this one been in the bag for awhile already?

    8. Re:not related by Anonymous Coward · · Score: 0

      Took the words right out of my mouth. Preview before posting, lamers!

  40. The write-up is misleading by Admiral+Burrito · · Score: 5, Informative
    When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts.

    The script is not executed on the server. It is executed on the client.

    This is a sort of cross-site scripting vulnerability, not an "execute arbitrary commands on any web server" vulnerability like the writeup suggests.

    1. Re:The write-up is misleading by dirkx · · Score: 3, Informative
      Or in more detail: TRACE simply echoes back what the client sent to the server; i.e. what the client fundamentally already *knows*. The server reveals nothing to the client other than what it already knows; namely the request it just sent.

      It is just that on the client, to prevent cross site scripting, there is some sandboxing; which is now violated.

      That is called cross site scripting.

  41. /!\ Security Alert _ [] [X] by Seehund · · Score: 5, Funny

    Your Computer Is Currently Broadcasting An
    Internet IP Address. With This Address, Someone Can
    Immediately Begin Attacking Your Computer! [ OK ]


    Shut up Slashdot. I get all the Security Alerts I need from media*.fastclick.net.

    --
    Help savingAmigaOS and a free PowerPC market
  42. This story is crap by evilviper · · Score: 5, Informative

    This story is utter alarmist crap. There is nothing wrong with TRACE, and the internet is not falling apart. It's just another IE cross-site scripting vulnerability. Here's a few choice links from the discussion on bugtraq:

    http://online.securityfocus.com/archive/1/307778/2003-01-22/2003-01-28/0
    http://online.securityfocus.com/archive/1/308165/2003-01-22/2003-01-28/0

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:This story is crap by Anonymous Coward · · Score: 0

      AND here's a few more:

      http://online.securityfocus.com/archive/1/308034/2003-01-22/2003-01-28/0
      http://online.securityfocus.com/archive/1/308161/2003-01-22/2003-01-28/0

      The article mentions that this was confirmed by CERT Dec. 10, and is indeed real. All that remains to be seen is exactly how cannibalistic the security community can get.

    2. Re:This story is crap by eyeball · · Score: 3, Funny

      This story is utter alarmist crap.

      Hey, don't knock alarmist crap. It's a real cash cow for some people!

      --

      _______
      2B1ASK1
    3. Re:This story is crap by MSZ · · Score: 1

      Well, maybe I should make it MY cash cow and sue these who describe this as a server side problem for time wasted going thru their boring writeup only to learn that they are clueless morons? And I will not forget "emotional distress", it's worth few millions in damages alone.

      --
      The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
  43. Re:stuff by u38cg · · Score: 2, Informative
    Well, Microsoft's track record clearly shows that security through obscurity has proven to be an excellent model to choose

    Wrong!

    Back to the drawing board, methinks.

    Seriously, yes, it's always an issue with a vulnerability discovered by a white hat - but on the whole, it's probably better that folk know about it than have to start figuring out what happened *after* they got hit with it.

    --
    [FUCK BETA]
  44. CRAP! (If it's not Scottish, it's...) by Anonymous Coward · · Score: 1, Informative

    This report is just nonsense. TRACE causes the web server to send a reply containing a 'body' part consisting of the request headers. Well, so what. Getting to the cookies enclosed with said request is not made any simpler by this method. The TRACE request method makes life no more joyful for those who would do your system harm. (Juicier than ActiveX and straight-ahead annoying VBScript/ECMACrap? Nope. More satisfying than polluting p2p with trojans? Nope.)

  45. Well..... by Anonymous Coward · · Score: 2, Informative


    I just finished reading this so-called whitepaper and the press release, and
    all I can say is hyped, sensationalised snakeoil.

    The HttpOnly cookie feature, a proprietary Microsoft extension designed to
    mitigate a single aspect of XSS, can be circumvented in myriads of ways. In
    fact, reading the HTTP response in any other way than through the
    document.cookie property immediately exposed through JS will return the
    cookie to you. Calling from JS to a Java applet that in turn parses a HTTP
    response, using a Flash movie (or most any other plugin) or even needlessly
    complicating matters by parsing the BODY of a TRACE response received
    through XMLHTTP - such as this 'whitepaper' suggests.

    By design, HttpOnly makes the cookie available only through the HTTP
    headers - which, among many others, the XMLHTTP control can read.

    What we end up with from WhiteHat Security is a way to circumvent the
    HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note
    in a roundup of browser problems or a comment in a reply to the posting
    announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper,
    pressrelease and blurbs such as comparing this to Code Red and Nimda or
    calling this a flaw in all web servers worldwide. This is simply not "a new
    class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat
    Security.

    System administrators should most definitely not waste their precious time
    on implementing the silly workarounds suggested, such as disabling
    TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat
    Security has is that it re-enables cookie reading from JS despite if you had
    already cared to specifically alter your webapplication to accommodate this.

    in short, absolute FUD dreamt up by some "whiteHatSecurity" bahaha
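Post 40 above says the script runs on the client, dirkx says TRACE only hands back what the client already sent, and the Bugtraq text just quoted says the whole finding reduces to reading that echo with XMLHTTP. The following is an added example, not code from the page or from WhiteHat, that makes all three points concrete: it runs two tiny servers on localhost, one implementing TRACE as RFC 2616 section 9.8 describes it (reflect the request head back as a message/http body) and one refusing the method the way a server with TRACE disabled does, then sends a TRACE carrying a Cookie header and parses the echo. The cookie value is a constructed sample; the Allow header list in the hardened handler is an assumption.

```python
"""Added example: what HTTP TRACE actually hands back, and the 405 workaround.

Not code from the page or from WhiteHat. RFC 2616 9.8: the final recipient
SHOULD reflect the request back as the entity body of a 200 response with
Content-Type message/http. That body, parsed on the client, is the whole
'XST' trick; the server learns nothing it did not already receive.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def render_request_head(requestline: str, headers) -> str:
    """Rebuild the request head exactly as a compliant TRACE echoes it."""
    out = requestline + "\r\n"
    for name, value in headers:
        out += f"{name}: {value}\r\n"
    return out + "\r\n"


def parse_echoed_request(body: str) -> dict:
    """message/http body -> {lowercased header name: value}; stops at the blank line."""
    headers = {}
    for line in body.split("\r\n")[1:]:        # [0] is the request line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Reflects the request; discloses nothing the client did not send."""

    def do_TRACE(self):
        payload = render_request_head(self.requestline, self.headers.items())
        payload = payload.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the demo quiet
        pass


class HardenedTraceHandler(EchoingTraceHandler):
    """TRACE disabled: 405 plus an Allow header (method list is an assumption)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler_cls) -> ThreadingHTTPServer:
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)   # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def trace_and_extract(port: int, cookie: str):
    """Send TRACE with a Cookie header; return (status, cookie as echoed or None)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1")
    conn.close()
    if resp.status != 200:
        return resp.status, None
    return resp.status, parse_echoed_request(body).get("cookie")


def demo() -> dict:
    """Run both servers against the same client; returns what each one leaks."""
    results = {}
    for label, handler in (("echoing", EchoingTraceHandler), ("hardened", HardenedTraceHandler)):
        server = start_server(handler)
        try:
            results[label] = trace_and_extract(server.server_address[1], "session=abc123")
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, (status, cookie) in demo().items():
        print(f"{label:8s} status={status} echoed cookie={cookie!r}")
```

Running it prints the cookie back from the echoing server and None from the hardened one. Note what the echo contains: only headers the client itself attached, so the attacker's only gain is reading a cookie the browser would not expose to script directly (the HttpOnly case), and only from the same origin the script came from unless the browser's own domain restriction is broken.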

    1. Re:Well..... by doubleyewdee · · Score: 1, Redundant

      Well. That was kind of silly. I see you borrowed the text from this posting on bugtraq to whore a little karma. That's fine, but shouldn't you have been logged in?

      --


      you can take the road that takes you to the stars...
    2. Re:Well..... by Anonymous Coward · · Score: 0

      http://www.kb.cert.org/vuls/id/867593

      This is the CERT advisory - were they dreaming too?

    3. Re:Well..... by sheriff_p · · Score: 1

      Mod parent down. It seems our friend doesn't quite understand slashdot yet - the reason people post stuff like that anonymously is because they think it will be useful, but aren't looking for karma. Try a little harder next time.

      --
      Score:-1, Funny
    4. Re:Well..... by Anonymous Coward · · Score: 0

      Someone posted this as an AC, so there's no karma whoring going on, just plagiarizing.

    5. Re:Well..... by doubleyewdee · · Score: 1

      If it was a faithful reproduction I guess it would have been different. I just found it odd that the poster decided to tack on the extra line at the bottom, with no indication that every other portion of the message had been copied. As another post said, it was a good troll. ;)

      Of course I, unlike you, never demanded anyone or anything be "modded down." I didn't care that much. It's not like karma actually.. you know.. matters.

      --


      you can take the road that takes you to the stars...
    6. Re:Well..... by mackstann · · Score: 1

      it does matter! mine is "Excellent"!

      but not for long, with this comment!

      but since i said that, people won't mod me down!

      but now they will!

      my brain hurts!

    7. Re:Well..... by Anonymous Coward · · Score: 0

      shut it, nigger.

  46. Opera effected? by (rypto* · · Score: 1, Interesting

    From the article: users of both Internet Explorer and Netscape are equally at risk to the same vectors of attack.
    will it effect Opera browser?

    .

    --
    #3 pencils and quadrille pads.
    1. Re:Opera effected? by Anonymous Coward · · Score: 0

      No, but it might affect it.

    2. Re:Opera effected? by Anonymous Coward · · Score: 0

      Its an IE bug again

    3. Re:Opera effected? by edox. · · Score: 0


      What we end up with from WhiteHat Security is a way to circumvent the
      HttpOnly cookie feature in IE6SP1, nothing else.

      -cutout bugtraq

      --
      quote:port 17 udp
    4. Re:Opera effected? by edox. · · Score: 0

      Check this out ---
      [how]
      (real show)

      first, realize MS programmers are lazy(= "too busy") and they prefer to
      look wise, so you can doubt that they generate a page to load a multimedia
      file.
      then, check it: i played a small trick: typing
      javascript:alert(document.body.innerHTML)
      in the address field when the content of MSIE is a JPG file.
      soon after confirmation, try the trick and you'll find it doesn't work on
      a JPG file because the URL is encoded properly.(that programmer must have
      been fired for his defence)
      now you may lose self-confidence -- MS is not that foolish.
      but thinking about "document.open" hole(not "flaw") will encourage you.
      (the essential point!)
      then after several tries, you have this document.

      (very few steps)

      [more?]
      this trick may work on other browsers, but i can't test it at present.

      --
      quote:port 17 udp
    5. Re:Opera effected? by netsharc · · Score: 1

      Somebody set us up the Zig!!!

      What the hell is that document trying to say?? In english please.

      --
      What time is it/will be over there? Check with my iPhone app!
  47. THE XST VULNERABILITY IS SNAKE OIL by defile · · Score: 5, Informative

    If your applications aren't vulnerable to XSS, you have nothing to worry about w.r.t. HTTP TRACE. If your applications ARE vulnerable to XSS, you have bigger problems than HTTP TRACE.

    If users visiting other sites somehow have untrusted code running in them, which performs an HTTP TRACE to your site, the user's browser is broken for not enforcing domain restrictions.

    Ignore this advisory, it's sensationalist snakeoil. Leaving HTTP TRACE enabled is harmless (although you probably don't use it, so disable it anyway).
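For the "disable it anyway" part, here is the Apache httpd configuration a practitioner would reach for, added here as an example and not taken from the page or from any advisory it links. `TraceEnable off` exists in httpd 1.3.34, 2.0.55 and everything later; for older builds the classic workaround is a mod_rewrite rule, because `<Limit>` does not cover TRACE. TRACK is the IIS spelling of the same method and is included in the rewrite pattern for symmetry; whether a given proxy in front of you honours either is an assumption you have to check.

```apache
# httpd 1.3.34 / 2.0.55 / 2.2 and later: the core refuses the method with
# 405 Method Not Allowed before any handler or module sees the request.
TraceEnable off

# Older builds (server or virtual-host context, not .htaccess-only setups):
# match the method name and fail the request with 403.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F]
```

Verify from outside with `curl -i -X TRACE http://yourhost/`: a 405 (TraceEnable) or 403 (rewrite) is what you want; a 200 with `Content-Type: message/http` and your own request headers in the body means TRACE is still being echoed. Keep defile's framing in mind while doing this: the change costs nothing, but it does not fix a browser that lets one origin script requests to another.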

  48. Re:CRAP! (If it's not Scottish, it's...) by J.+Random+Software · · Score: 1

    Browsers routinely keep secrets from local scripts, like authentication responses or cookies for other realms. I wonder if Sun thought about this when they designed the sandbox (an applet needs to be granted the privilege of sending requests to any server other than the one it's hosted on).

  49. Nukes & ResComp by PetWolverine · · Score: 1

    Sheesh, I thought my university's Residential Computing department was to blame. They've been pretty damned unreliable all year, but if everybody's having this problem I guess it's not their fault.

    So the Internet, which is supposedly impervious to a nuclear barrage, has succumbed to a simple attack from some moderately skilled hacker(s). Amazing how much more damaging sheer traffic volume can be than a physical destruction of the network, eh?

    At least people will soon be able to continue downloading things like this. (Beware, it's > 3 gigs--a long download from my slow connection!)

    --
    I found the meaning of life the other day, but I had write-only access.
    1. Re:Nukes & ResComp by Mmmrky · · Score: 1

      I too was blaming this on my university network. Pretty damn bad. My firewall is blocking requests (mostly from Europe, but lots of Asia too) at an amazing rate. I can barely read my logs fast enough.

      Makes for an interesting evening I guess.

    2. Re:Nukes & ResComp by Anonymous Coward · · Score: 0
      So the Internet, which is supposedly impervious to a nuclear barrage, has succumbed to a simple attack from some moderately skilled hacker(s)

      huh? myths all around.

      Amazing how much more damaging sheer traffic volume can be than a physical destruction of the network, eh?

      damaging? or constraining? once i ctrl-c my trinoo, is there permanent damage somewhere? once a backhoe stops digging up fiber, is there permanent damage somewhere?

      At least people will soon be able to continue downloading things like this [dhs.org].

      if the title is any indication, Hemanshu Nigam will be contacting you shortly.

      PetWolverine

      ResComp.... Wolverine...
      you UofM? better start learning, fast!

  50. Re:Scary thing by PetWolverine · · Score: 0, Redundant

    Why do people make posts like this? Mod this guy down!

    --
    I found the meaning of life the other day, but I had write-only access.
  51. Re:maybe...Massive DDoS toDay by Anonymous Coward · · Score: 0

    Yes .. A massive DDos is going on...
    40% of the sites on the net are not responding...

  52. Re:This story is crap:/.up date by (rypto* · · Score: 1

    January 22, 2003
    Web Vulnerability Puts Internet Users, Sites At Risk
    ByDavid Worthington, Freelance Writer, special to ExtremeTech

    January 23,2003 9:10AM
    IE Vulnerability Puts Internet Users, Sites At Risk
    BugTraq-Thor Larholm
    --

    --
    #3 pencils and quadrille pads.
  53. the TRACE vuln has nothing to do with it.... by eecue · · Score: 0, Offtopic

    Resent-From: mbac@romulus.netgraft.com From: Michael Bacarella Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles Resent-To: bugtraq@securityfocus.com To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! I'm getting massive packet loss to various points on the globe. I am seeing a lot of these in my tcpdump output on each host. 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0 It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)! Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper! I make no guarantees that this information is correct, test it out for yourself! -- Michael Bacarella 24/7 phone: 646 641-8662 Netgraft Corporation http://netgraft.com/ "unique technologies to empower your business" Finger email address for public key. Key fingerprint: C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

    --
    -- sigs suck --
  54. A couple choice quotes from the "whitepaper" by jeremie · · Score: 5, Insightful
    Typical Sky-Is-Falling (tm) propaganda, this is so 90's:

    "Scenarios assume the following:
    A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..)"

    "To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server." (this must pass through the web browser which must foolishly attach authentication cookies in question (which properly implemented secure systems don't rely on anyway))

    "To restate, all the sensitive information is still accessible even over an SSL link." (what the hell? it's just the friggin headers! cookies and weak basic auth (they didn't even show and I'm not convinced the (broken) browsers send the auth headers in such forged requests)

    "There is however at this point a limiting factor preventing wider a danger escalation. The TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content... To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability" (MAKE THIS CLEAR, IT ONLY WORKS IN A CROSS-SITE SCRIPTING VULNERABLE BROWSER)


    To re-iterate: your web server or site isn't vulnerable because it supports trace, that's about as silly as blaming ping packets for the ping-of-death problems on early windoze systems, sheesh.

    This is all a bunch of crap that requires a browser to be vulnerable to cross scripting, and for the user to have visited a malicious site just beforehand.
  55. sorry about the lack of breaks... by eecue · · Score: 4, Informative

    Resent-From: mbac@romulus.netgraft.com
    From: Michael Bacarella
    Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles
    Resent-To: bugtraq@securityfocus.com
    To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org
    Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

    I'm getting massive packet loss to various points on the globe.
    I am seeing a lot of these in my tcpdump output on each
    host.

    02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
    02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

    It looks like there's a worm affecting MS SQL Server which is
    pingflooding addresses at some random sequence.

    All admins with access to routers should block port 1434 (ms-sql-m)!

    Everyone running MS SQL Server shut it the hell down or make
    sure it can't access the internet proper!

    I make no guarantees that this information is correct, test it
    out for yourself!

    --
    Michael Bacarella 24/7 phone: 646 641-8662
    Netgraft Corporation http://netgraft.com/
    "unique technologies to empower your business"

    Finger email address for public key. Key fingerprint:
    C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

    --
    -- sigs suck --
    1. Re:sorry about the lack of breaks... by ender81b · · Score: 4, Informative

      There is a patch available for this and it has been available for 6 months. So if your server is infected it is because you weren't paying attention/lazy/whatever. Go Here for the patch, or Here to read the CERT bulletin.

    2. Re:sorry about the lack of breaks... by happystink · · Score: 2, Insightful

      That's great if your server is INfected, but unfortunately, for most people their server is AFfected due to the ensuing mess the DDOS is causing, and most aren't running MSSQL.

      --

      sig:
      See the "..for smart people" banners Wired runs here? Look elsewhere guys.

    3. Re:sorry about the lack of breaks... by amigaluvr · · Score: 1

      piss off with the goddamned MS bashing will you all? This could have happened to ANY server out there, but once again due only to the POPULARITY of mssql is it targeted. It would hardly make sense from an attacker point of view to spend all the time finding a vulnerability in a rarely used system now would it?

      this is fud

    4. Re:sorry about the lack of breaks... by Anonymous Coward · · Score: 0

      "Could have happened to ANY server" is an assertion that all other servers are just as poorly written in equally brittle languages. That's incorrect.

    5. Re:sorry about the lack of breaks... by greggish · · Score: 1

      yeah... like mysql... that's hardly used, so I guess that's why we haven't seen this kind of DoS exploit with that right...

    6. Re:sorry about the lack of breaks... by amigaluvr · · Score: 1

      compared to ms-sql then yes it probably would be if its been targeted less, and if there is just as much of it installed then expect it to be targeted next, that much is obvious

    7. Re:sorry about the lack of breaks... by dagyo · · Score: 2, Informative

      02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
      That ICMP packet is not indicative of a ping flood, that's an ICMP unreachable message from the host saying it can't get to 150.140.142.17 on UDP 1434. Since it's UDP, which is not stateful, you probably have some sort of access control preventing your host from making outbound UDP connections on 1434.
  56. OT: So, I'm not the only one? by Anonymous Coward · · Score: 0

    So, I'm not the only one noticing this evilness? That makes me happy, for some odd reason.

    I was pondering if my ISP was have a seizure or something...

    If it's a MS exploit, then that doesn't explain why at least one website I tried to get to is down, but it explains the rest of them.

    1. Re:OT: So, I'm not the only one? by White_Lightning · · Score: 1
      If it's a MS exploit, then that doesn't explain why at least one website I tried to get to is down, but it explains the rest of them.

      Are you sure about that? I mean, any port that isn't accepting connections should send a "Connection refused by host" message, shouldn't it?

      So, if the server machine is getting hit hard on an inactive port, the machines tcp/ip stack, at least, would still have to respond to each and every connection attempt, wouldn't it?

      I guess I shouldn't have slept through class.

    2. Re:OT: So, I'm not the only one? by Anonymous Coward · · Score: 0

      Yeah, you're probably right. Maybe it's doing a better job at DoS'ing than I'd guessed it would.

      I feel so blind about this situation being behind a firewall I can't really control ;).

    3. Re:OT: So, I'm not the only one? by White_Lightning · · Score: 1
      I feel so blind about this situation being behind a firewall I can't really control ;).

      Tell me about it. I'm a DSL subscriber, the DSL modem uses NAT, and it does not have any kind of reporting abilities. Port forwarding is turned off, so I have no idea if the problems I'm having are because of my ISP, or my DSL modem working so hard.

      How I wish everyone was still using BBS's. At least then, when you got a busy signal, you knew what the problem was.

    4. Re:OT: So, I'm not the only one? by Anonymous Coward · · Score: 0

      The UDP/1434 MS-SQL traffic is so heavy it's bringing down big chunks of the internet. I just finished tracking down a number of servers in my company's network that were perpetrating this attack. One of our core routers was brought down by more than 25,000 packets a second trying to exit our network from one of our own server segments. A large number of small packets, whether UDP or TCP, will bring down any router, L3 switch, or firewall.

    5. Re:OT: So, I'm not the only one? by Anonymous Coward · · Score: 0

      If you can ping the gateway for your default route, your modem and circuit aren't the problem. If you can reach your servers (DNS, news, mail, whatever) the problem is probably entirely upstream from your ISP.

    6. Re:OT: So, I'm not the only one? by White_Lightning · · Score: 1

      Apparently, my ISP has gotten it resolved. The place I work at hasn't.

  57. At least... by mraymer · · Score: 3, Funny
    ...they didn't provide a link to an example script for this exploit. ;)

    Can you imagine the royal slashdotting that RIAA/MPAA/MS/etc would receive if the thousands of script kiddies that read /. suddenly had access to such a thing?

    Perhaps this is what Obi-Wan was talking about when he felt the tremor in the force, and the whole Alderaan blowing up thing was just a bizarre coincidence...

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:At least... by dytin · · Score: 1

      Actually, it's funny, but the riaa's site is currently down. But it's probably due to the ms sql exploit, as they are running IIS.

    2. Re:At least... by jx100 · · Score: 1

      I believe it's been down for a while, even before the DDoS began. I actually tried earlier to get to their site (checking if a label was a member) and their site was down then.

  58. Read BugTraq by Goodbyte · · Score: 5, Informative

    As been discussed on BugTraq the latest days, this is not a 'general' vulnerability, rather a bug in Microsoft's XMLHTTP component (no matter what the whitepaper says).

    References: RE: TRACE used to increase the dangerous of XSS.
    Original posting to Bugtraq

  59. Internet Slowdown Due to /. by Anonymous Coward · · Score: 0

    Tomorrow headline will read:
    Internet Slowdown Due to Slashdot Readers.
    What was actually thought to be a DoS attack turned out to be the insomniac slashdot readers believing there is a problem on the net. The /. effect, as it is known, was determined to be the cause after the servers started rejecting requests from the referrer "slashdot.org". In related news, 98% of DNS lookups are not necessary.

  60. Turn Javascript, activex, java off by TheLink · · Score: 3, Informative

    Without them on 99% of the recent browser/http/www problems go away. And 100% of the popups go away too. Sure you stop being able to view many sites, but most of those sites that lock you out when you don't have this stuff on are full of junk anyway.

    Given what this attack can do, you have to 100% trust any site which you visit with these active stuff on, because they can use the active stuff to snarf your cookies and info for other sites.

    In this light, how should you treat a site which absolutely _requires_ you to turn such dangerous stuff on in order to use their site? Is it worth all that potential hassle just to see some stupid shockwave which only the PHB likes?

    Is there a javascript/activex/java program that will turn off javascript/activex/java support in a viewer's browser?

    I also proposed a tag to mark regions of HTML as unsafe so the browser ignores any javascript/active stuff that slips through the site's filters. But there wasn't any interest. This doesn't help if users visit malicious sites, but it helps decent sites protect their users from stuff slipping through.

    --
    1. Re:Turn Javascript, activex, java off by (rypto* · · Score: 1

      what about cookies? other scripts? .pl?

      --
      #3 pencils and quadrille pads.
    2. Re:Turn Javascript, activex, java off by Anonymous Coward · · Score: 0

      how does one do that?

    3. Re:Turn Javascript, activex, java off by Yorrike · · Score: 1
      .pl (perl), is executed server side. it's cgi. Java, javascript and activex scripts are executed on your local machine, which is why they can be so dangerous.

      Cookies... well, to secure your cookies, the best policy is to turn all the aforementioned capabilities of your browser off. I for one prefer a little more security while browsing as opposed to seeing stupid sites with badly written/unnecessary scripting.

      --

      Looks can be deceiving. Or CAN they?

    4. Re:Turn Javascript, activex, java off by djmurdoch · · Score: 2, Interesting

      Sure you stop being able to view many sites, but most of those sites that lock you out when you don't have this stuff on are full of junk anyway.

      For the last couple of weeks, IE has been popping up warnings that my security settings may not allow Slashdot to display properly, because I don't have ActiveX scripting enabled. I do allow Slashdot to use Javascript, but don't allow everything it wants to do.

      The stupid warnings are really irritating, but the only things I'm losing are the banner ads at the top of the page. I think the offending code is this:

      var prs="ads.PointRoll.com/PRServe/?ad=424m2002121917423&pub=osdn&num="+prInst+"&size=728_90&code=no&redir="+pr_redir+"&defredir="+pr_redir_def+"&r="+Math.random();

      document.write("<scr"+"ipt language='JavaScript' src='http://"+prs+"'></scr"+"ipt>");


      Any suggestions on how to get rid of this irritant?

    5. Re:Turn Javascript, activex, java off by TheLink · · Score: 1

      Usually in your browser options/preferences.

      In Internet Explorer, javascript= activescript.

      --
    6. Re:Turn Javascript, activex, java off by jjon · · Score: 1

      Privoxy could handle that (but you might need to write your own filter rule). http://www.privoxy.org/

      Or switch to Mozilla.

    7. Re:Turn Javascript, activex, java off by djmurdoch · · Score: 1

      For now I've just turned Javascript off completely for Slashdot, and that seems to have solved the problem. I forget why I had it turned on; there's probably something somewhere that wants it...

      Of course, the people at Slashdot who sell the ads might not think this is a good solution, since I don't see *any* ads now.

    8. Re:Turn Javascript, activex, java off by TheLink · · Score: 1

      You should still get some picture ads. Unless you've also blocked images.slashdot.org

      Trouble is even tho I have everything off, IE still pops up annoying dialogs on some sites e.g. www.theinquirer.net

      Stupid IE. I know the site may not work "properly" with the stuff turned off, that's why I turn it off. Stop bugging me.

      I'm not switching to Mozilla/Netscape because Mozilla is bloatware - even more annoying. IE is pretty safe with all that crap turned off - 99% of the vulns won't work even if your browser is unpatched.

      --
  61. What is trace? by (rypto* · · Score: 1

    The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response.

    --
    #3 pencils and quadrille pads.
  62. No relation by The+Tyro · · Score: 2, Informative

    The article is about a new exploit they are talking about... nothing to do with the current mess.

    I'm watching my firewall logs fill up even as I type, and all the 1434 hits are coming from different IPs... no dupes yet that I can see (maybe there are... but I'm not planning on sitting here all night reading logs).

    These SQL attacks are coming from a plethora of different ports on the machines that are hitting me... anybody know if this is a normal part of this worm's behavior?

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
    1. Re:No relation by Arrgh · · Score: 2, Informative
      Have a look at this advisory from July 2002 of a "Critical/High Risk" vulnerability in MS SQL Server 2000, involving UDP 1434.

      It details stack-based, heap-based and network-based DOS vulnerabilities. Wheee!

  63. SitRep by mabu · · Score: 4, Informative

    Two T3s with Quest: DOWN. Port udp traffic 1434 totally flooded. Uplinks have their heads up their asses and have no answers at this point. My uplink says he has a Linux server that when activated starts spamming port 1434. Is this or is this not a MS SQL-related issue?

    I'm up because I'm multi-homed and I have no MS servers at all running on my network, but every other network that i know of running some MS servers is having blackouts.

    We need to find out what is going on right now, and we need to make sure the media does NOT misrepresent exactly what is at fault. Everyone here has a responsibility!

    1. Re:SitRep by Anonymous Coward · · Score: 0

      You sir, are an idiot

    2. Re:SitRep by edinho · · Score: 1

      Just saw the scanning originating from my friend's Windows machine. So at least it is not Linux only, if at all.

      Cheers,
      e.

    3. Re:SitRep by mabu · · Score: 2, Insightful

      If you have something productive to say, go for it. But calling someone an idiot without any details is counterproductive.

      I fully admit that some of the replies may not be related to the RFC trace issue that the main message applies to, however, the news article was posted right in the middle of a major backbone outage on the Internet. At this point, we're not sure of the root cause of this, and so this seems the appropriate forum to post situation reports and news gathered. Slashdot remains one of the few trustworthy sites to check when things like this happen.

    4. Re:SitRep by Anonymous Coward · · Score: 0

      2nd that.

  64. Nice troll by Anonymous Coward · · Score: 0


    props man, you got em fired up with the old classic "steal text from site to make it look as if you know what you are saying" gag
    watch the small penis/karma whores point it out for you

  65. Re:stuff by Anonymous Coward · · Score: 0

    Unix does not have a very good security record as of late either, zealot.

  66. Hmm... Why RFC 2068? by Cin7 · · Score: 2, Informative

    "If you want to be 100% compliant with RFC 2068, a document defining the standard behavior of the world wide web, you must include TRACE." noted Lex Arquette, Chief Technology Officer of WhiteHat. http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt

    Strange... RFC 2068 seems to be obsoleted by RFC 2616 since June 1999... :-)

    1. Re:Hmm... Why RFC 2068? by Anonymous Coward · · Score: 0

      Good detective work there, Sherlock. RFC 2616 also seems to specify a TRACE message, so what's yer point?

    2. Re:Hmm... Why RFC 2068? by Cin7 · · Score: 1

      An obsolete RFC cannot define the standard behavior of the world wide web. Perhaps Mr. Arquette doesn't know the newer (and valid) RFC? :-O

  67. web hosting services. by Anonymous Coward · · Score: 0

    This would explain why almost all of the hostways [www.hostway.com] servers (at least their windows servers) are down right now, and through parts of the day. Their excuse was "backbone connectivity".

  68. 'net Traffic by Penguin+Follower · · Score: 1

    If someone who is behind a firewall or just wants see the traffic but can't get to it, I've listed what my router has been seeing lately: Click here.

  69. Re:stuff by Anonymous Coward · · Score: 0
    A Unix with the same feature set as Windows has a better record than Windows.

    Unix loses because it comes with more and with too much switched on by default.

  70. Note the story submitter's name by LinuxParanoid · · Score: 2, Informative

    Note the story submitter's name.

    Quack King.

    Next!

    --LP

  71. Update by mabu · · Score: 4, Informative

    Here's what we've been able to learn, at 4:30am Central time.

    We have reason to believe that something called the "SQL Worm" is in play. Some sort of DDOS attack which creates overwhelming traffic on port 1434. This is all preliminary stuff, so take it as such but I have one link up and 3 others down.

    I don't have confirmation or details on what systems are affected but we have information to indicate that the following networks are currently affected: Quest, Cable & Wireless, Broadwing, Sprint (partially). My Worldcom link seems to be unaffected (which is why I can post). Note that the connectivity interruptions may be regional but that's what we are dealing with in the South Central area of the US. This has been going on now for about 4-5 hours.

    What we are seeing is a major outage due to DDOS on port 1434, on portions of the Internet backbone. At this point, the exact pattern of the outage has not been clarified.

    Expect the problem to potentially be addressed when the backbone providers start filtering port 1434. However, it's taken them at least four hours to figure this out.

    We just got notice (a few moments ago) that Quest finally started filtering port 1434 and everything went back up. So now we need to figure out what vulnerability this was. My information indicates that port 1434 is MS SQL server resolution service (see related CERT advisory). My initial impression is that while this vulnerability was discovered awhile back, someone just recently figured out a very effective exploit using the vulnerability. I am looking forward to hearing more about what people find out.

  72. ummm.... by Penguin+Follower · · Score: 1

    Umm no... this happens to be an MS exploit.

    In particular, it affects XMLHTTP.
    See here and here

  73. Qwest minneapolis by Anonymous Coward · · Score: 0

    I have 13 internet kiosks around 2 metropolitan cities, all of them are on roadrunner cable and qwest dsl. I have not experienced any problems with these systems. My hosting provider on the other hand.....

  74. Alarmist crap article! by EvilStein · · Score: 4, Informative

    Apparently "ALL" web servers are *not* open to this "exploit" - here's a post someone made on macintouch.com:

    When I read the article on MacInTouch about the TRACE security flaw, I immediately checked our Mac based servers to find out if they support the TRACE option in HTTP. Here's a summary of the servers and the OPTIONS they support. These results were shown after connecting to the server via telnet:

    %telnet www.domain.com 80
    Trying 123.123.123.123
    Connected to www.domain.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1
    Host: www.domain.com

    * WebSTAR 3.x answers: 405 Method Not Allowed
    * WebSTAR 4.4 and 4.5 allows GET, POST, HEAD
    * WebSTAR V allows GET, POST, HEAD
    * Apache/1.3.27 (Personal WebSharing MacOS X 10.2.3): GET, HEAD, OPTIONS, TRACE
    * Apache/1.3.27 (iTools - MacOS X Server 10.2.2): GET, HEAD, OPTIONS, TRACE
    * Apache/1.3.27 (iTools - MacOS X Server 10.2.2 - PHP 4.x): GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

    When connecting to a system that has PHP 4.x installed, a lot more options are available.
    This only shows which options are supported by which servers, however as the exact details of the flaw were not published, it's hard to say if you can use those options to exploit a server.

  75. Re:stuff by JohnFluxx · · Score: 1

    Uh, MS told everyone about this ages ago. They produced a patch in MAY 2002.

    It's just windows admins aren't as likely to patch their systems as unix admins are. (for various reasons)

    What works for linux, might not work for windows.

  76. Likely not related to cross-trace issue by mabu · · Score: 3, Informative

    There are two things going on here I suspect. There is a discussion on a cross-trace vulnerability, at the same time, some type MS SQL-based worm was unleashed late Friday which caused lots of problems. Two different issues. Excuse the inter-mingling.

  77. Port 137... by Anonymous Coward · · Score: 0

    I'm also noticing an equal number of hits on port 137.

  78. Piece of crap by efagerho · · Score: 1

    After reading through the press-release, this seems to be just another way for a pathetic company to try get some publicity.

  79. Re:Why is life so lonely? by Anonymous Coward · · Score: 0

    Until the sexbots come out, at least.

  80. "ALL current web servers?" by ites · · Score: 1

    Not just inaccurate, but capitalized as well? What happened to basic research? OK, here is the peer review process in action: flame the poster of this misleading and alarmist article. What I would like to see on /. is super mod points that we can use to take down articles that don't meet even the basic requirements of accuracy.
    I'm possibly not entirely objective here, since my team makes a web server that is current, fairly popular, and most definitely not vulnerable.

    --
    Sig for sale or rent. One previous user. Inquire within.
  81. Disabling the Use of Trace in Apache by EkiM+in+De · · Score: 3, Informative
    Apache Week has a short piece on this "vulnerability". It also includes this short snippet of configuration code to stop traces against your webserver.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    I haven't tried this yet!
    --
    Patriotism is the opium of the masses
    1. Re:Disabling the Use of Trace in Apache by pseudonymouse · · Score: 2, Informative
      I just tried it, and it worked (response to a trace request changed from successful to 403 Forbidden).

      The Apache Week article points out that since the vulnerability is in the browser, this doesn't address the issue very well...IE apparently supports other forms of cross-site scripting and header access.

      This does contradict the claim in that other article that Apache needed a source code patch if you wanted to block TRACE. Fifteen seconds of editing and a SIGHUP to reread the configuration files are all you need, if that's what you want to do.

      --
      In a free society you are who you say you are. -- Mumford
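
Added example (not code from the thread, Apache Week or Apache itself): a small Python checker for confirming that the rewrite rule above actually took effect. It parses the Allow: header of an OPTIONS reply and the status line of a TRACE reply, the two things the telnet session in comment 74 and the 403 in the reply above look at, and probe_live() issues the same two requests against a server you administer. The sample responses at the bottom are constructed, modelled on the servers listed in comment 74; the host name www.domain.com is the placeholder from that comment.

```python
"""Confirm whether a web server still answers HTTP TRACE.

Added example, not from the thread or the Apache project. The Allow: list in
an OPTIONS reply is only advisory (with the RewriteRule above Apache may still
advertise TRACE while answering the TRACE request itself with 403), so the
status of an actual TRACE reply is the deciding evidence.
"""
import http.client
from typing import Dict, Set, Tuple


def parse_status(raw: str) -> int:
    """Numeric status code from the status line of a raw HTTP/1.x response."""
    status_line = raw.split("\r\n", 1)[0]
    return int(status_line.split(" ", 2)[1])


def parse_allow(raw: str) -> Set[str]:
    """Methods advertised in the Allow: header, upper-cased; empty if absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def trace_enabled(trace_raw: str) -> bool:
    """TRACE is enabled when the server reflects the request with a 200."""
    return parse_status(trace_raw) == 200


def assess(options_raw: str, trace_raw: str) -> Dict[str, object]:
    """Summarise a captured OPTIONS reply and a captured TRACE reply."""
    return {
        "advertised": parse_allow(options_raw),
        "trace_status": parse_status(trace_raw),
        "trace_enabled": trace_enabled(trace_raw),
    }


def _request(host: str, port: int, method: str, path: str) -> Tuple[int, str]:
    """One request on a fresh connection; returns (status, Allow header or '')."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow") or ""
    finally:
        conn.close()


def probe_live(host: str, port: int = 80, path: str = "/") -> Dict[str, object]:
    """Send OPTIONS then TRACE to a server you run and summarise the answers."""
    _, allow = _request(host, port, "OPTIONS", path)
    trace_status, _ = _request(host, port, "TRACE", path)
    return {
        "advertised": {m.strip().upper() for m in allow.split(",") if m.strip()},
        "trace_status": trace_status,
        "trace_enabled": trace_status == 200,
    }


# Constructed sample responses modelled on the servers listed in comment 74.
OPTIONS_APACHE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.27\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n"
)
OPTIONS_WEBSTAR3 = "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
# A reflected TRACE echoes the request headers, cookies included (the XST point).
TRACE_REFLECTED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: www.domain.com\r\nCookie: sid=example\r\n\r\n"
)
TRACE_AFTER_REWRITE = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("before rewrite rule:", assess(OPTIONS_APACHE, TRACE_REFLECTED))
    print("after rewrite rule: ", assess(OPTIONS_APACHE, TRACE_AFTER_REWRITE))
```

Run it against your own host with `probe_live("www.example.com")` after the SIGHUP; `trace_enabled` should flip from True to False while `advertised` may still contain TRACE, which is why the check does not stop at the OPTIONS reply.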
  82. Properly secured sites aren't affected by hyrdra · · Score: 4, Informative

    Most sites don't store their user password in a cookie, they store a session ID in a cookie that translates to a session ID in a database. Then sensitive information is keyed up with that ID, on the server. The client never receives any of it, unless they are modifying it, but it is never put in a cookie or other stateful client storage device.

    Upon each page load, the IP address of the original session is checked with the sent cookie ID, and if they don't match, most applications will throw out the session completely. This annoys some with DHCP who like to maintain long sessions, but works a lot of the time for simple ID attacks (since most session IDs are generated from random numbers), because you now need to know both the IP and session ID of the user you want to impersonate. Granted, this can be had with a packet sniffer (for non SSL connections), but so can a lot of personal things. Next they'll be telling us it's quite easy to get into cars: just break the window. That doesn't mean it's a security flaw.

    Anyway, this is how most [good] sites work. Only fools store sensitive user information in cookies, and I would never subscribe to their site (yes, I check what goes in my cookies).

    Also the article/press release (PR for this security company?) seems to be getting client/sever scripting confused, and is generally full of ignorant errors. How can it be trusted with the other claims it makes?

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
    1. Re:Properly secured sites aren't affected by ammulder · · Score: 1

      How will IP verification help? If the attacker can get the victim's browser to issue the trace, why can't they get the victim's browser to issue the follow-up requests using the information gathered by the trace attack?

    2. Re:Properly secured sites aren't affected by Anonymous Coward · · Score: 0

      Actually most good sites do not rely on IP verification because of AOL. The AOL proxy servers can make the same user appear to come from a different IP every time.

    3. Re:Properly secured sites aren't affected by hyrdra · · Score: 1

      Actually I don't think that is the case anymore. I remember when something similar was the case, and it messed up a lot of security-conscious shopping carts, but other than that, I'm not sure how AOL's proxy system works, but my applications do not appear to break or otherwise malfunction when being accessed via a standard AOL dial-up account.

      --


      "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
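
Added example, not code from the poster or any site mentioned: a minimal server-side session store of the kind comment 82 describes, written in Python. Session IDs come from the OS CSPRNG, every piece of user data stays on the server keyed by that ID, and the session is bound to the IP recorded at login; a cookie replayed from another address is rejected and the session is discarded. The user names and addresses in demo() are constructed. The two replies' caveats still apply: a request issued by the victim's own browser carries the right IP, and a proxy farm that changes the client address per request will trip the check.

```python
"""Server-side session store bound to the login IP (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    ip: str                      # address recorded when the session was created
    data: Dict[str, str] = field(default_factory=dict)  # stays server-side only


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str) -> str:
        """Open a session and return the opaque ID that goes into the cookie."""
        sid = secrets.token_urlsafe(32)          # 256 random bits, not guessable
        self._sessions[sid] = Session(user=user, ip=ip)
        return sid

    def lookup(self, sid: str, ip: str) -> Optional[str]:
        """Return the session's user, or None if the ID is unknown or the
        requesting IP differs from the one recorded at login. On a mismatch
        the session is thrown out entirely, as the comment describes."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.ip != ip:
            del self._sessions[sid]
            return None
        return sess.user

    def active(self) -> int:
        return len(self._sessions)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed walk-through: same host accepted, replay from elsewhere
    rejected, and the original holder is logged out by that rejection."""
    store = SessionStore()
    sid = store.create("alice", "10.0.0.5")            # constructed values
    same_host = store.lookup(sid, "10.0.0.5")
    replayed = store.lookup(sid, "198.51.100.7")       # stolen cookie, other IP
    after = store.lookup(sid, "10.0.0.5")              # session already gone
    return same_host, replayed, after


if __name__ == "__main__":
    print(demo())
```

The store holds nothing the client could read back from a cookie; the only thing the cookie carries is the random ID, and the IP binding turns a stolen ID into a one-shot failure rather than a working login from a different network.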
  83. Associated Press article by NewsWatcher · · Score: 1

    The Associated Press has now written about this attack:
    Internet traffic broadly affected by electronic attack World Internet Lead
    By Ted Bridis
    Traffic on the many parts of the Internet slowed dramatically early today, the apparent effects of a fast-spreading, virus-like infection interfering with Web browsing and delivery of email.
    Sites monitoring the health of the Internet reported significant slowdowns globally. Experts said the latest electronic attack bore remarkable similarities to ``Code Red'' virus during the summer of 2001 which also ground traffic to a halt on much of the Internet.
    ``It's not debilitating,'' said Howard Schmidt, one of President George W Bush's top cyber-security advisers.
    ``Everybody seems to be getting it under control.'' Schmidt said the FBI's National Infrastructure Protection Centre and private experts at the CERT Coordination Centre were monitoring the attacks.
    The virus-like attack sought out vulnerable computers to infect on the Internet using a known flaw in popular database software from Microsoft Corp, called ``SQL Server''.
    But the attacking software code was scanning for victim computers so randomly and so aggressively - sending out thousands of probes each second - that it overwhelmed many Internet data pipelines.
    ``This is like Code Red all over again,'' said Marc Maiffret, an executive with eEye Digital Security, whose engineers were among the earliest to study samples of the attack software. ``The sheer number of attacks is eating up so much bandwidth that normal operations can't take place.''
    The attack sought to take advantage of a software flaw discovered in July 2002 that permits hackers to infect corporate database servers. Microsoft deemed the problem ``critical'' and offered a free repairing patch, but it was impossible to know how many computer administrators applied the fix.
    ``People need to do a better job about fixing vulnerabilities,'' Schmidt said.

    --
    If the pattern goes 9am, 10am, 11am, why isn't noon 12am?
  84. SQL Server 2000 SP3 by avij · · Score: 1

    Wouldn't it make more sense to download SQL Server 2000 Service Pack 3 instead, which supposedly includes the fix for this problem, among other fixes? See the advisory and click on Additional information about this patch to see that it's included in SP3.

    --

    Follow your Euro bills at EBT
  85. bollocks - just another (IE) cross site vulnerabil by dirkx · · Score: 3, Informative
    That web server is just doing what it is supposed to do; it is the client which allows for the cross site vulnerability.

    http://www.apacheweek.com/issues/03-01-24

    http://online.securityfocus.com/archive/1/308165/2003-01-22/2003-01-28/0

    Have more details.

  86. 1434 is the general connection accept port. by Otis_INF · · Score: 3, Informative

    SQLServer listens to 1434 to accept incoming connections. SQLServer 7 would then normally transfer these connections to 1433 by default. SQLServer 2000 would transfer the connection to a random port.

    It's best to 'hide' the SQLServer from the internet, and/or disable TCP/IP listening for SQLServer totally when it's connected to the Internet. MS also suggests SQLServer should never be exposed to the Internet directly. You can hide SQLServer (2000) directly, using the Server network utility, shipped with SQLServer. You can there first deselect TCP/IP as a protocol that's active, and if you need it, you can select 'hide' to hide the server on the internet, however it's better to disable TCP/IP totally, since you do not need it when you work with SQLServer from the same box (f.e. a website running on the same box accessing the SQLServer).

    Oh, of course it should be mentioned, there is a patch for this available at MS' technet site.

    --
    Never underestimate the relief of true separation of Religion and State.
  87. Ahahahaaahahahaahahaha! by Anonymous Coward · · Score: 0

    That's all.

  88. Ironic... by weave · · Score: 3, Funny
    /. runs a story on main page about huge security hole in all web servers that will bring the net to its knees, but it really only affects IE clients. They don't run a story about what may end up the biggest net story of the year, ala code red, the MS SQL worm running wild on the net now and shutting down entire sites and playing havoc with the backbone.

    /. posters work around the damage in the story and start posting comments en masse about the SQL attack -- the real story this day -- leaving people who lack reading comprehension to confuse the two issues, therefore causing a DDOS on their brain.

    1. Re:Ironic... by Anonymous Coward · · Score: 0

      Well said. Perhaps /. will report on it a few times next week.

  89. It's lucky that the worm writer by caluml · · Score: 1

    It's lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.

    It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter.
    You are filtering it out on your firewalls, aren't you?
    /sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP

    This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.

    I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

    1. Re:It's lucky that the worm writer by weave · · Score: 1
      I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...

      I dread the day when someone writes a worm exploiting unpatched windows desktops. So far, code red and this one (code blue?! -- would be fitting) have infected only unpatched windows servers. Keeping desktops patched and up-to-date is far more difficult and if a worm hit them, there'd be an insane amount of infected boxes causing havoc on the net.

    2. Re:It's lucky that the worm writer by caluml · · Score: 1

      The only difference between unpatched and patched windows boxes is:
      a: whether the exploit is known about (which it was here),
      b: whether there was a release (which there was here)
      and c: whether admins of these boxes apply it. (which is the age old problem)

      Targeting SQL servers is quite clever, as many of them will be in hosting centres with 34Mbs, burstable to 155Mb (for example).

    3. Re:It's lucky that the worm writer by Tassach · · Score: 2, Insightful
      Targeting SQL servers is quite clever, as many of them will be in hosting centres with 34Mbs, burstable to 155Mb (for example).
      Any DBA who lets his database server connect directly to the internet deserves to be drawn and quartered. There's no reason whatsoever for a database server to be talking to the internet; all external SQL requests should be made via a middle tier. You don't run 2 tier client-server apps over the internet without some kind a VPN or some other secure tunnel.

      Likewise, you shouldn't be running a database on the same box as your web server for any kind of serious production system - the web server goes on the DMZ, and the database server goes behind the firewall and only talks to trusted machines. Note that this applies to ANY database server, not just MS-SQL Server.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  90. Internet traffic affected by electronic attack by greggish · · Score: 1

    http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html

  91. Re:SQL Server 2000 SP3 - MAYBE NOT by guest · · Score: 1

    SQL Server 2000 SP3 automatically upgrades MDAC to 2.7(sp1, I think), which could possibly break applications that are based on earlier versions of MDAC.

    Microsoft says that it shouldn't break anything, but a developer I know swears that an application of his broke after MDAC upgrade, so you may end up getting stuck applying all of the hotfixes instead.

    --
    pw:secret
  92. Ahahahahahaha! by Anonymous Coward · · Score: 0

    Look who got modded down, troll-bait!

  93. One of my customers was pumping 50mbps out from 1 by Anonymous Coward · · Score: 0

    MS-SQL server. I just shut that interface down but my network saw a HUGE influx of traffic starting around 00:45 EST. One of my customers colo'd machines was hit and started pumping 7.2M Bytes of traffic out to the net. I think it would have done more if he didn't chew up my DS-3 to Sprint.

    The interface is down. The customer will be promptly kicked in the ass. There is 50mbps less junk traffic on the Internet now.

  94. Editors ??! by fw3 · · Score: 1
    Can't you people puhleze consider doing basic checking on the drivel you choose to post here? This is just embarrassing, coming from people who purport to be 'Nerds'.

    /. seems to have degenerated to the lowest common denominator between hack journalism(sic) and tech(sic) fluffery.

    I've stopped taking the time to M2, why bother when the base quality of this feed has dropped this low. You-all want to enhance quality on this site? Consider an M-system for the original posts/editors.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  95. Maybe it's bin laden by FIGJAM · · Score: 2, Funny

    lets blame him anyway

    --
    Do your best, hope for the best, suspect the worst.
  96. Then call the A-Team !! by Anonymous Coward · · Score: 0


    gotcha mike, ok ill grab the shimding and sling it operwise to the fubnub if i can hook up the low latent TCX7381b 's and punch in the new local def's we should be able to cope, you just GOTTA keeps us touching base with the gabershwing and ill keep the boys locked and loaded cos this looks like a MAJOR situation we got ourselves down here.

    YOU FUCKIN WANKER !

  97. Note - above text is pasted from bugtraq by phr2 · · Score: 2, Informative

    See here. It's still the best description I've seen of the "problem", but the AC really should have credited the source.

  98. 2 words for ya by Lord+Prox · · Score: 1

    Mo Zilla
    I know that is not what you wanted to hear... But I had to say it...

    Vidomi Killer media player and network distributed media encoder

  99. SQL Worm by rolandbm · · Score: 0

    It looks like if you stop the process sqlservr.exe it will take all of the CPU usage back down to normal. Obviously you don't want to delete this file, but with it stopped you can at least get the box on the network to troubleshoot this stuff.

    Alchemy Support
    Alchemy Communications

    --
    It can giggle all it wants. The galaxy's not gettin any of our Bourbon.
  100. new vulnerability?!?! by Anonymous Coward · · Score: 0

    shit, Im still getting hit with LAST years micro$oft vulnerability! ;)

    [Sat Jan 25 02:26:01 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..À../winnt/system32/cmd.exe
    [Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..Á../winnt/system32/cmd.exe
    [Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%5c../winnt/system32/cmd.exe
    [Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%2f../winnt/system32/cmd.exe
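
Added example, not from the poster: a Python scanner that picks the IIS directory-traversal probes above out of an Apache 1.3 error log, so that a Unix admin can see at a glance which clients are still spraying last year's worm traffic. It parses the `File does not exist:` lines, matches the requested path against a small constructed indicator list (an encoded or backslash separator after `..`, an overlong UTF-8 sequence after `..` as the log shows it, and a request for cmd.exe), and counts hits per client. SAMPLE_LINES holds the four lines quoted in the comment plus one constructed benign 404 to show that ordinary misses are not flagged.

```python
"""Flag IIS traversal probes in Apache 1.3 error-log lines (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+)$"
)

# Constructed indicator list. Apache logs the already-decoded path, so the
# overlong-UTF-8 probes (%c0%af, %c1%9c) appear as raw high bytes after '..';
# the %5c / %2f variants are logged verbatim because Apache decodes only once.
INDICATORS = [
    ("encoded-separator", re.compile(r"\.\.(?:%5c|%2f|\\)", re.I)),
    ("overlong-utf8", re.compile(r"\.\.(?:%c0%af|%c1%9c|[\x80-\xff]+)", re.I)),
    ("cmd-exe", re.compile(r"cmd\.exe", re.I)),   # no Unix docroot serves this
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one error-log line into timestamp, client IP and requested path."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path: str) -> List[str]:
    """Names of every indicator the requested path matches, in list order."""
    return [name for name, rx in INDICATORS if rx.search(path)]


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per suspicious line; unparsable or benign lines skip."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["path"])
        if reasons:
            hits.append({"ts": rec["ts"], "ip": rec["ip"],
                         "path": rec["path"], "reasons": reasons})
    return hits


def per_client(hits: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Probe count per client IP, the figure you would feed a block list."""
    return dict(Counter(str(h["ip"]) for h in hits))


# The four lines from the comment above, plus one constructed benign 404.
SAMPLE_LINES = [
    "[Sat Jan 25 02:26:01 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..À../winnt/system32/cmd.exe",
    "[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..Á../winnt/system32/cmd.exe",
    "[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%5c../winnt/system32/cmd.exe",
    "[Sat Jan 25 02:26:02 2003] [error] [client 66.57.128.6] File does not exist: /usr/local/www/data/scripts/..%2f../winnt/system32/cmd.exe",
    "[Sat Jan 25 02:30:00 2003] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for h in found:
        print(h["ip"], ",".join(h["reasons"]), h["path"])
    print(per_client(found))
```

Feed it a real log with `scan(open("/var/log/httpd/error_log", encoding="latin-1"))`; the latin-1 encoding is what keeps the raw 0xC0/0xC1 bytes readable as the single high characters the overlong indicator looks for.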

  101. Need more coffee by wowbagger · · Score: 1

    OK, perhaps I need more coffee this morning, but I cannot see how TRACE would be used to cause harm - perhaps somebody can post this in simple terms.

    As I understand it:

    1) My browser requests a page from www.evilhaxor.org.
    2) ??????
    3) My browser sends a TRACE request to slashdot.org.
    4) slashdot.org sends back to my browser my cookie data.
    5) ????
    6) My browser sends ????? to www.evilhaxor.org.
    7) ????
    8) Profit!

    OK, sorry, but having more than one ???? is sufficient to make a plan unworkable.

    Besides, I run with Javascript off - so I guess the only real exploitable would be the Flash plugin (damn I will be glad when this bug is fixed!)

  102. Bullshit by Cally · · Score: 2, Informative

    This is not an issue. The exploit uses existing, well-known vulns in MS' IE. Nothing to see here. Move along, move along, read the Full Disclosure list for further background.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  103. Turn off flash too by TheLink · · Score: 1

    And other similar active content plugins your browser might have running.

    You can turn cookies off if you want, but that makes it hard to implement sessions between your browser and the site you are using. Implementing sessions by using cgi parameters has disadvantages like if your browser leaves to another site, your browser could send the cgi parameter in the http referrer field.

    So if your browser supports it just turn on cookies for selected sites and leave it off for other sites. The risk with cookies - if sites work together they can track where you go and what you do.

    Whereas with the active content stuff - javascript, activex, flash etc, you risk losing control over your entire computer, and your online accounts with other sites. Actually Java has been a tad more secure, but so far most java applets are either jokes or toys. You won't miss most of them, and it's likely they'll be ported to your cellphone anyway ;).

    Other scripts? They'd probably be just as dangerous, but most people don't have python/perl plugins in their browser, so attackers are less likely to cater for that.

    Sure the risks aren't that high, it's just the consequences can be really annoying. You know that spam you get? Those by crooks who think nothing of sneaking in installs of software that dial up international numbers? If you or your cat accidentally clicked one of their urls, how sure are you that these crooks won't abuse this trace flaw to steal info? They can get your browser to send trace requests to the usual sites - banks, ebay, amazon, hotmail, yahoo etc, and collect all the echoed associated cookies and authentication data.

    Even turning such stuff off isn't 100%. Last year whilst testing something out I actually managed to create some sort of a virus/worm on a site just by using IFRAME or img src (quite harmless - but in theory could do other nastier things). Got them to fix it tho. That sort of problem affects the site and info on the site. The site is responsible for securing their apps to prevent this sort of thing.

    You secure your computer and apps and hopefully your favourite site secures their stuff.

    --
  104. Important Considerations by Anonymous Coward · · Score: 0

    I would like to point out that in order to execute an "XST" attack, you have to be able to get JavaScript/Flash/etc. executed on the victim's system as a PREREQUISITE.

    So, to summarize:

    If you can get arbitrary JavaScript/Flash/ executed on a web client, you can use this attack method to get arbitrary JavaScript executed on a web client, in a different zone, *if* their client is vulnerable to other attacks.

    Is this a useful thing to know if you're looking for a way to steal cookies? Sure! Is this a revolutionary tactic that will allow you to compromise the security of any of the webservers listed in the whitepaper? No.

    This isn't any different from the many, many, many known ways of violating someone's HTTP client if you can get them to execute Flash or JavaScript or ActiveX of your choice. We've seen dozens of holes in IE's security constraints that allow attackers to view files, steal cookies or execute commands. Unlike Guninski's or GreyMagic's advisories, this one has simply been built up to ridiculous proportions with marketing language in the press release and in the ExtremeTech article.

    Furthermore, they do not adequately explain how this attack relies on other (more fundamentally important) vulnerabilities that WhiteHat did not find and that were announced without a press release, BS whitepaper or a garbage ExtremeTech article.

  105. not so by spazoid12 · · Score: 1

    "ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack "

    Not all current web servers are vulnerable. For various reasons. I've written some that do not support TRACE (on purpose). Others exist that do not support TRACE. Others exist that do support TRACE, but do so after first performing their usual security code.

    How in the world did these jokers even think that they covered ALL current web servers? There are going to be many dozens that exist that they haven't even heard of. Just one example: at my last job they use a server known as "Remy Web Server". Oh, as well as one I wrote called "Chupacabra" (but that's internal only). Have you ever heard of either? No? Good. You should be so lucky to never hear about RWS.

    The discussion on this vuln is important, but claiming that it affects ALL current web servers is naive and serves only as big glossy headline-catching words.

  106. NEW SITREP by Anonymous Coward · · Score: 0

    OMG Duuds, teh Interweb iz fallingz down! Ring deh ISPee but zey hang up!!!1 Must now post 2 swashdot bout teh problehm ant spreed zeh snake oil in a post abouut zome ozther silly IE bug.

    Fucking idiot

  107. Re:CRAP! (If it's not Scottish, it's...) by Zeinfeld · · Score: 2, Insightful
    This report is just nonsense. TRACE causes the web server to send a reply containing a 'body' part consisting of the request headers.

    There can be no security vulnerability in HTTP that is due to cross site scripting PERIOD.

    This is because support for scripting was never considered in the design of HTTP. Scripting has known security problems. The onus for solving those problems rested and rests today on the idiots who introduced scripting. It has nothing to do with the protocol layer.

    TRACE was in the HTTP specs long long before Javascript was cobbled together in two weeks at Netscape. Netscape could not even be bothered to ask for advice from the HTTP community before unleashing their abomination, so why is this supposed to be my fault eh?

    JavaScript sucks, always has, always will. It was yet another of those hacks Netscape put in to please the advertisers or whichever customer they were going after that week. As a result we have pop-under ads and sites can screw up the navigation buttons. Oh yes, and sites keep coming up with 'javascript error class not found'.

    None of the uses JavaScript is necessary for could not have been better supported through extensions to HTML. But the Netscape guys didn't want to do that because they wanted to try to control the standards by simply throwing whatever crap they wrote over the wall and faxing the 'specification' to W3C so they could say in their press release that it had been submitted.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
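    Comments 104, 105 and 107 above argue about the same three facts: a server that implements TRACE per RFC 2068 echoes the request headers (cookies included) back in the response body, a server is free to refuse the method, and the check for which of the two you are running is trivial. The following is an added example, not code from the thread, from WhiteHat's paper or from any of the servers named above: a minimal in-process Python server in both the echoing and the refusing configuration, plus an audit helper that sends one TRACE carrying a constructed Cookie header and reports whether it came back. Everything runs on loopback; the cookie value and the listening address are assumptions made for the example.

```python
"""Added example: RFC 2068 TRACE echo vs. a server that refuses TRACE, with
an audit helper a site operator can point at their own server.  Not code from
the Slashdot thread or from WhiteHat's paper; hostnames, ports and the cookie
value below are constructed for the example."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Behaves as RFC 2068 describes: reflect the request line and headers
    back to the client as a message/http body (this is what XST relies on)."""
    protocol_version = "HTTP/1.0"

    def do_TRACE(self):
        lines = [self.requestline]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet on stderr
        pass


class TraceDisabledHandler(TraceEnabledHandler):
    """Hardened variant (what comment 105's servers do): answer TRACE with
    405 Method Not Allowed and advertise the methods that are supported."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_trace(host, port, cookie="session=CONSTRUCTED-SAMPLE-VALUE"):
    """Send one TRACE with a constructed Cookie header and classify the reply.

    Returns a dict with the status code, whether the server honoured TRACE
    (200 with a message/http body) and whether the cookie was echoed back.
    A real site should see 405 (or 501) here and echoes_cookie == False."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1", errors="replace")
    conn.close()
    content_type = resp.getheader("Content-Type", "")
    return {
        "status": resp.status,
        "method_allowed": resp.status == 200 and content_type.startswith("message/http"),
        "echoes_cookie": cookie in body,
    }


def run_demo():
    """Audit both configurations and return the two reports keyed by name."""
    results = {}
    for name, handler in (("trace_enabled", TraceEnabledHandler),
                          ("trace_disabled", TraceDisabledHandler)):
        srv = start_server(handler)
        try:
            results[name] = audit_trace("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

    The audit helper only tells you which configuration a server is in; the fix is on the server side (refuse the method, as the hardened handler does, or filter it at a reverse proxy), since nothing in the browser can stop a server from echoing what it was sent.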
  108. Old news... by divisionbyzero · · Score: 1

    This is old news, but now that it is public I can't wait for the exploits to begin... that was sarcasm in case anyone was wondering...

    1. Re:Old news... by divisionbyzero · · Score: 1

      I thought it was obvious this was XSS from the beginning, that's why it is old news...

  109. Re:SitRep (please mod down) by Anonymous Coward · · Score: 0

    This has absolutely NOTHING to do with the cross-site trace whitepaper/press release/article/issue. The SQL server worm (which uses a buffer overflow discovered by NGS Software) is 100% unrelated to this. YOUR POST is misrepresenting exactly what is at fault. Go post on the SQL Server worm thread.

  110. who this works on Fuckedcompany.com forums by linuxislandsucks · · Score: 1

    I have seen actual in the file samples of this exploit..

    It's a cross-browser hack..

    Here is what was observed on fuckedcompany forums..

    You register as poster to fuckedcompany

    Hacker A sets up new website with code to gather info via traceroute..

    Hacker decodes the subscriber cookie from the previous step..

    Hacker A reposts garbage as your nick on fuckedcompany forums..

    -Most admins of sites know enough to turn off traceroute.. well except Phil Kaplan it seems.. sorry pUd, you are somewhat inept as a systems admin..

    --
    Don't Tread on OpenSource