Slashback: Blaster, Sabers, Canada
Art of the Saber Jagaast writes "As a counterpoint to all the hype about the Star Wars kid, here's a Star Wars fan film that's actually very well done. Art of the Saber is 'a light saber fight sequence with the flavor of a Hong Kong martial arts action movie.' Well worth watching." Update by J: I've made torrents available.
Vote early, often, and reversibly. An anonymous reader writes "As a follow up to a previous story here on Slashdot on electronic voting, Excite has a story on the same subject with a bit more information including this amazing quote from Deborah Seiler, Diebold's West Coast sales representative: '"These activists don't understand what they're looking at," Seiler said.'"
GSM-crack paper online morcheeba writes "Copies of the GSM-crack paper described in last week's Slashdot article are now available online (PDF) thanks to John Young's Cryptome"
Mandrake ads...take 2 *no comment* writes "Apparently there has been some controversy over the ads in the upcoming Mandrake 9.2. I thought it was pretty cut & dried, but apparently Mandrake thought it was enough of a controversy to release a written statement about it. I wonder how many flames were posted in the slashdot forum using the download version of Opera."
Blaster Worm still alive and well on MIT campus fwc writes "MIT still has 900 network drops disabled due to the Blaster worm infection. Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network. Sounds like a good excuse to reinstall something other than a Microsoft operating system."
A big AWOOOGAH for Canadian file sharers.
Rumor writes in response to a recent story suggesting that Canadian users could swap files scot-free: "Listen, Canadians, don't go using your p2p apps and thinking you are immune from lawsuit, you are liable for copyright infringement if you share files on p2p apps.
To wit: a fellow law student and I have written an analysis of s. 80 of the Copyright Act and we've concluded that one can download music safely under the Private Copying provision, but no one can share or upload files without infringing on copyright.
In a nutshell, Private Copying allows anyone to make a copy of a song purely for their own use. As you probably know, when you share files and someone downloads from you, what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing. It doesn't matter if you didn't realize that's what happens, either... intent is not required for infringement.
The upside is that you can accept copies from other people (i.e. download) all you want. Although there might be an issue of contributory infringement to worry about... I won't go into analyzing that, since so far the record companies are only suing uploaders.
The article can be found on greplaw.
I've recently confirmed this analysis with an IP law professor at my university, so I'm pretty damn sure of it. So, please, be aware of this danger. Downloading cool, uploading/sharing not. I guess the situation is still better than nothing."
Why not ask for your money back? zaaj writes "There are several articles out about a newly found/fixed (openssh.org) buffer management bug in OpenSSH and some derivatives. Cisco's Advisory only mentions DoS attacks against certain of their SSH-enabled devices, but ZDNet's article hints at rumors of long-existing root exploits. Regardless, RedHat's got their typical list of updated packages with the patch back-ported. A few other distros have info in the vendor section of CERT's advisory CA-2003-24"
Any reason this is in the Apache section?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682
may I suggest a nice bottle of '01 -fstack-protector?
That's a draconian policy if I've ever heard of one!
To reformat you need to backup - and if you have more data to backup than some puny CDRs? and you can't get on the network to backup onto your friend's gigantic file server that he has kindly carved out a nice chunk for you for a week? and I have a laptop so it's not exactly a good idea to be pulling drives out?
All practical concerns I'd face if I was part of the MIT network - but glad that I am not on the MIT network, and that Blaster didn't come my way. heh...
poor suckers who'd have similar problems with me, though - maybe that kind of explains why there are still so many people un-connected... they are all looking for used tape drives...
My life in the land of the rising sun.
Wow! A whole TCP/IP packet to carry the question, one for the ack of the question, a 3rd for the response, and a 4th for the ack of the response.
Assume about .1 seconds for each packet to get from end to end (could be more over dial up).
While a neat idea (and sarcastic at that!) the usability people may raise questions.
jason
Well you could ask for everything at once. All you'd have to do is generate a text file 9238472093847 lines long saying:
...
...
Is bit 0 a 1?
Is bit 1 a 1?
Is bit 2 a 1?
Is bit 3 a 1?
Then gzip it and send it via some standard TCP/IP protocol.
The server would then just generate a similar file saying:
Yes, bit 0 is a 1
Yes, bit 1 is a 1
No, bit 2 is not a 1
Yes, bit 3 is a 1
The unofficial
How about protocols like BitTorrent?
Although I might "share" a file, I never give away the whole thing. I only offer very tiny bits of a file to anyone who asks.
AFAIK, copyright law permits giving away small "excerpts" of copyrighted materials.
So provided I never permit upload of the whole file to a single downloader, would I be in the clear?
my
I'm not too surprised to see that Blaster is still running around, even at MIT. I work in an office that's behind a firewall, but it wasn't until yesterday that somebody discovered one of the Blaster variants in our internal network. Most likely it was introduced by somebody taking their laptop home, and then back to the office. So what's the big deal? We're a small software house with reasonably intelligent folks working here, but that didn't stop people from a) avoiding the install of Microsoft patches on their office machines, even though these are internal machines and thus "immune" from external traffic, and b) from taking a laptop computer home and using it in a non-firewall-protected environment. That we're seeing stuff like this still happening on MIT campus doesn't surprise me. Sure, a good number of /. readers will scoff at this, but there are plenty of intelligent people out there who still think that a firewall will protect them from everything. And that's just the reasonably intelligent people. What about the average, non-technical folks who don't even know what a firewall is? What the heck has to change (other than Microsoft cleaning up Windows, and shutting down all of its stoopid ports) for this kind of thing to stop?
OK, so the student reformats the drive and reinstalls windows. Whee! Network access is turned back on.
Of course, no patches have been installed, since they are only available as downloads, unless MIT is distributing service packs and patches to the students via CD.
So now you have completely unpatched machines on the network, at least for the time it takes to repatch.
I've had rebuilt machines reinfected during that short time (yes, I should have thought of that first).
Maybe they have something in place to prevent this from happening, but that isn't indicated one way or another.
Besides, given the ease of fixing problems like these without reinstalling the OS, why bother forcing a drive wipe?
Just wondering if they're forcing everyone with the SSH hole to reformat and reinstall? (Yes, not as serious since it isn't a worm, but still)
Apple's Quicktime Player v6 wouldn't play it either...
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
I thought when the story was posted the other day it smelled off. Copyright law here as I understand it says you can LEND a CD to someone and they can copy it, that's legal. If you copy it for THEM though, that's illegal.
The loophole? Okay, on a P2P app, when someone downloads a file from you it is REMOVED from your hard drive. Translation: You've lent it to them. Then you get sent the file back. They've made their copy by "borrowing" yours, and then given it back.
Probably not viable since there'd be wankers who'd download and then kill the software so you don't get your song back (the RIAA would love to abuse that I bet!) but still, there has to be some loophole as the law doesn't take P2P into account.
Why are the MIT sysadmins being so draconian as to require infected computers to be reformatted, without solving the cause of the problem by *requiring* the windows bug to be patched? The article says "Reinfection rates are very high". Unbelievable!
... because it's a heap buffer. Furthermore, it's not a simple buffer overrun, but an error in reallocation. As far as I've seen, there are no known exploits of it either. If there are, please link.
I hereby place the above post in the public domain.
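The post above describes the OpenSSH problem as a heap buffer reallocation error rather than a plain overrun. As an added illustration of that bug class (constructed here, not OpenSSH's code and not a reproduction of CAN-2003-0682's exact logic), this shows a growable buffer whose append path commits its bookkeeping before realloc has succeeded, beside a hardened form; the gbuf type and the append_weak, append_safe and demo_* names are my own.

```c
/* Constructed illustration of the bug class the post describes, not OpenSSH's
 * code: a growable heap buffer whose append path commits bookkeeping before
 * realloc has succeeded, beside a form that checks the size arithmetic first. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *buf; size_t alloc, len; } gbuf;

/* Weak form: alloc is bumped before realloc; if realloc fails, b claims memory it does not own. */
int append_weak(gbuf *b, const void *data, size_t n) {
    if (b->len + n > b->alloc) {
        b->alloc += n + 32768;                  /* committed too early */
        unsigned char *p = realloc(b->buf, b->alloc);
        if (p == NULL) return -1;               /* b->alloc is now stale */
        b->buf = p;
    }
    memcpy(b->buf + b->len, data, n);
    b->len += n;
    return 0;
}

/* Hardened form: reject wrap-around, compute into locals, commit last. */
int append_safe(gbuf *b, const void *data, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;           /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->alloc) {
        if (need > SIZE_MAX - 32768) return -1;     /* growth would wrap */
        size_t new_alloc = need + 32768;
        unsigned char *p = realloc(b->buf, new_alloc);
        if (p == NULL) return -1;                   /* state untouched */
        b->buf = p;
        b->alloc = new_alloc;
    }
    memcpy(b->buf + b->len, data, n);
    b->len = need;
    return 0;
}

/* Oversized request no allocator can satisfy: 1 iff the weak form keeps a stale alloc while the safe form is unchanged. */
int demo_failed_realloc(void) {
    gbuf w = { NULL, 0, 0 }, s = { NULL, 0, 0 };
    size_t huge = SIZE_MAX - 40000;   /* data is never copied: realloc fails first */
    return append_weak(&w, "", huge) == -1 && w.alloc != 0 &&
           append_safe(&s, "", huge) == -1 && s.alloc == 0 && s.len == 0;
}

int demo_normal_append(void) {   /* 1 iff "abc" then "de" land intact */
    gbuf s = { NULL, 0, 0 };
    int ok = append_safe(&s, "abc", 3) == 0 && append_safe(&s, "de", 2) == 0
             && s.len == 5 && memcmp(s.buf, "abcde", 5) == 0;
    free(s.buf); return ok;
}
```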
Here is how:
Break up any MP3 file into, say, 10 RAR parts and calculate the MD5 for each part plus the total.
Name the 10 parts after their MD5 numbers.
Make a small Identity file that contains the above plus all of the normal MP3 IDs like name, artist etc.
Make a small plug-in that disallows any more than 3 or so of the parts being made available for upload and obviously never the total MP3 file.
Make a small script that takes the Identity file as input and as output automatically tries to find and download all MD5 pieces.
Once retrieved, combine and play.
If real fancy you could make the "encryption" / "decryption" function DMCA proof, so the RIAA can not legally tamper with it.
I am sure we can elaborate but you get the idea.
Help fight continental drift.
What you're talking about is "Fair Use", one of the most misunderstood aspects of copyright law. :-)
Fair Use basically allows excerpting parts of a work for certain purposes such as citation or criticism.
If your purpose for publishing a small chunk boils down to "so the receiver can combine with lots of other small chunks and get the entire work" then clearly you're way outside of fair use.
You might as well claim that ALL internet trading is legal since no single IP packet contained the whole file!
(IANAL; but clearly neither are you
As someone who works for Network Security, I feel I have to chime in here. :-p
Basically, what Chris said was right. A format and reinstall is the standard response to a root-level system compromise, which the RPC vulnerability leaves a system open to. It's also enough of a pain in the rear, that people don't want to have to do it again.
Furthermore, Network Security only has two full-time staff members, a handful of student employees (the category I fall under), and a handful of volunteers from here & there. Under normal loads, we don't have the resources to do forensics or any type of individually tailored recovery advice. With the thousands of computers being compromised on campus, it's the quickest (and easiest, believe it or not) solution for everyone.
Give us a break, this thing has generated way more overtime hours than any one (or two now) security hole(s) should be allowed to do.
-------------------------------------------
I like nonsense, it wakes up the brain cells.
-- Dr. Seuss
First, I realize that any action's legality can only -truly- be tested in the courts and we're playing theoretical/law-school games here. But how about this protocol... :-)
1) Server receives HTTP GET for file.
2) Recognize that (for example) a 3 megabyte file can be described by a 24 million bit long number in base 2, or even shorter numbers in other bases you might prefer.
3) Recognize that numbers are free and can't be copyrighted. Every number can and is used for a multitude of purposes.
4) Respond with HTTP code 401 Unauthorized or a 403 Forbidden or whatever is applicable. Heck, create a new code that informs the client that you can't give them the file requested, since copying a digital work -may- infringe on copyright law.
5) In the body of the response, give an extended error code number as per 2) above. It's up to the client how they interpret or use that number. You're giving them a freely available and multi-purpose number.
Nothing in my response to the client was a copyrighted work, just a free number that is not and cannot be copyrighted.
Okay, my tongue is out of my cheek now...
So basically, you're sending the other peer a file, and asking for a diff between it and the song file. Since you have the random file and the diff output, you would be able to piece together the original song file.
That's an interesting idea, but I don't think it'll hold water in court. Remember, MP3s are also machine-made derivatives of the original music tracks, and quite different data-wise from raw music - but courts have no problems holding that as copyright infringement. In the end, all that matters is what comes out of your speakers. A judge is going to look at whether you 'got' the music from someone illegally, regardless of how it's transmitted.
I realize that this thread is mostly in jest, but you're all missing the bigger point. The problem isn't the actual transfer of the file.. it's indexing the files that are available. How can you legally say to the room-temp-IQ crowd that "I have a song here, but it's not available.. sorta.." and still get away with it?
Remember those college students that just ran an indexing web page listing all of the songs on their fellow students' shared folders? They didn't share the files themselves, but they're now working their way out of debt thanks to the RIAA.
There are hundreds of ways of actually transferring the file without attracting undue attention (Waste would be my favorite at the moment). But how do I find the person who has that file that I want when he's not telling the world that he has it because the world includes that suit-happy association whose business model it obliterates?
How do I find that person?
Seriously, I want to know. I'd like to borrow some of his/her CDs for personal use. Of course, I have some to lend as well...
I appreciate your opinion, and tip my hat to you for pointing out practicalities of copyright infringement lawsuits against Canadians.
It was beyond the scope of our analysis to consider those issues. We're concerned, in this article at least, purely with a legal analysis of liability of file-sharers.
So, I think the term "flawed" is not particularly accurate. That aside, we appreciate your enlightening perspective, Robert.
But how do I find the person who has that file that I want when he's not telling the world that he has it because the world includes that suit-happy association whose business model it obliterates?
How do I find that person?
Simple. A P2P client with a licence that specifically disallows use by the RIAA/MPAA, its employees, agents, etc. If they use it, they infringe the author's copyright, which is what they say they're trying to uphold.
Then, an encrypted protocol that's illegal for them to hack under the DMCA that they lobbied so hard to get.
I'm currently working on one of these. If anybody wants to help, email me at the address on the website in my sig.
Unfortunately, it can't be GPL, because then I couldn't stop the RIAA from using it. It will, however, be free-as-in-beer, and free of adware.
I'd also like a lawyer to help me with the wording of the licence, so it's absolutely bulletproof. I know there are a few lawyers on here, so if you want to help, send me an email.
"City hall" in German is "Rathaus" Kinda explains a few things......