Slashdot Mirror


User: c+o+r+e

c+o+r+e's activity in the archive.

Stories: 0 · Comments: 49

Comments · 49

  1. Re:A good lawsuit... on Nike Gets Sued Over Nike.com Hijack · · Score: 1

    ...implying that this lawsuit is frivolous, when it doesn't sound frivolous to me.

    Nike is negligent for not using crypt-pw or PGP authentication to protect its domain records from being hijacked. That negligence led to someone else's site being hammered. If that person happens to pay extra for extra traffic to their site (as I once had to--most folks pay based on how much traffic their Internet pipe uses), shouldn't Nike be held accountable?

    NSI allows you to select the level of security you want to protect your domain changes. If you choose an insecure, easily spoofed option, it's your fault! With all the news stories about domain hijacking, are Nike's security folks just asleep at the wheel?

    -core

  2. Re:Er..dupe? -yes, *yawn* on 16 Cell Phones In Parallel Net Access · · Score: 1

    Methinks there's a bug in the posting code here:

    news = Old_news;

    It's cool a second time anyhow....

    -Jason

  3. Re:yum! on Court Orders Owner Of Peta.org To Give Up Domain · · Score: 1

    But killing for food is distinct from killing for any other reason. The rats killed on Survivor were for eatin' since they hadn't caught any fish, IIRC (I didn't watch it).

  4. Re:yum! on Court Orders Owner Of Peta.org To Give Up Domain · · Score: 2

    We'd better be sure FADB is not a trademark before we register fadb.org ;-)

    BTW, animals are tasty and PETA folks are extremist wackos! They were arguing on a Seattle talk radio show that the Survivor show was irresponsible in showing the participants eating rats they had killed on the island and that kids can't tell the difference between killing rats and their family pet. Idiots.

    -core

  5. Re:LVMS is /not/ LVM on IBM Promises Logical Volume Management For Linux · · Score: 1

    I agree with everything, save the commercial thing. They have a few commercials that get me. The main one is the one where the "hackers" have broken into the company payroll server. As a security professional, I thought it was typical marketing fearmongering.

    At any rate, IBM is doing some awesome things. They seem to be leading the way in HD technology. I've got a 6.4 gig UDMA drive that I need to upgrade to a bigger one and I'll definitely go with another IBM.

    -core

  6. Re:Gee, I wonder... on Cell Phone Usage on Airplanes == Bad Idea · · Score: 1

    My 'sense of humour' fuse must have blown. I'll check it and reread ;-)

    Tx.

    -Jason

  7. Re:Gee, I wonder... on Cell Phone Usage on Airplanes == Bad Idea · · Score: 1

    I have a degree in EE and work for a cellular company (although not on the cellular side).

    There are many reasons that this probably wouldn't work:

    Cell phones probably wouldn't work very well at 30,000 feet (5 miles) above the earth and all cells because of the distance from your handset to earth. You only have a .7 watt transmitter, at full battery, so getting your phone signal to the earth at 800 or 1900 MHz is stretching things. Also, at that height, the phone would have a very difficult time differentiating between cells since they are very close together and the difference in distance from your handset to any given cell on the earth would be fairly small. Cellular design assumed you are on the ground in close vertical proximity to the antennas (and their antenna patterns are very strong toward the ground and weak up in the air to maximize coverage). Also, the plane is going at up to 600 mph so you would be potentially constantly cell-hopping since they are so close together. Also, the skin of the airplane tends to shield you from outside RF and resonate internal RF inside the airplane. That could cause signal degradation and is one of the reasons that interference with airplane systems can actually be exacerbated.

    Airplane phones, OTOH, have many fewer base stations (read: larger cells) and have different antennas with their antenna patterns maximized in the air. They also have higher powered transmitters and antennas mounted on the _outside_ of the plane.

    I've heard urban legends that people have actually successfully used their cell phone on a plane. Given all of the above, it's doubtful though.

    -core

  8. Re:Radio emissions on modern aircraft -- true stor on Cell Phone Usage on Airplanes == Bad Idea · · Score: 1

    Even though you weren't transmitting with your radio, it could have interfered with airline electronics. That's why portable radios are not allowed to be used _at all_ on flights--they are banned by the FAA. IIRC, they have various oscillators that can interfere with many frequencies directly and many indirectly through harmonics.

    An old IEEE article in Spectrum from a couple years ago discussed this.

    -core

  9. RE: Bug: Cell Phone Usage on Airplaces = Bad Idea on Cell Phone Usage on Airplanes == Bad Idea · · Score: 1

    A common mistake, but perhaps you meant "==" instead of "=" ;-)

    Patch below.

    -core

    --- slashdot_article_orig.txt Mon Jun 12 14:11:29 2000
    +++ slashdot_article_new.txt Mon Jun 12 14:11:47 2000
    @@ -1 +1 @@
    -Cell Phone Usage on Airplaces = Bad Idea
    +Cell Phone Usage on Airplaces == Bad Idea
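
    Review bot: the added line still reads "Airplaces", the same misspelling carried over from the removed line. Since this one-line hunk already rewrites the headline, correct it to "Airplanes" in the same change so the title does not need a second patch.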

  10. Never a good idea on CNN Asks "Can You Hack Back?" · · Score: 2

    It is never a good idea to "hack back" for many reasons:

    * How can you be sure that a) the attacking site(s) are the real attackers and b) that the attacking sites are _knowingly_ attacking? IP spoofing or using zombies to attack are generally very easy.
    * If it's illegal to be hacked, it is illegal to retaliate. You can't steal someone's lunch because they steal yours.
    * It could only exacerbate your problem if you piss off the attacker(s). You don't know who you are dealing with.
    * You are then legally and criminally liable if you, for example, DoS amazon.com because you detected an attack from them and they sue you or the Fibbies come knocking on your door.
    * What if you trace an "attack" to a single IP you assume is a desktop computer and turns out to be an AOL proxy and you DoS 10,000+ lusers? AOL won't like that nor will their customers.

    The people, like the one in the article, who gloat about "hacking back" make my skin crawl. 7h3y ar3 such 31337 d00dz n 7h3y g07z such ski11z...NOT! *gag*

    BTW, I've seen most often people getting IP addresses slightly wrong when they complain about a supposed hacker coming from my Company's network so what if you get the IP or hostname a bit wrong and attack the wrong site?

    -core

  11. Re:Cause of problems? on Saga Of TriStrata · · Score: 1

    There are apparently a *lot* of lemming investors out there. priceline.com (PCLN) lost 6.99/share and has a P/E ratio of 0 still. They're still building their business by leveraging their ridiculous "reverse auction" patents so their not making a profit yet is not that alarming. I wonder what's going to happen when a competitor challenges their patents? That's really all they have is their "intellectual" property. Has the motley fool done a writeup on PCLN? I'd be interested in their thoughts.

    Priceline.com stock quote

    I'd have to agree--software industry has lots of vapor-ware--stock market has even more "vapor-share" ;-)

    -core

  12. Re:But why the error? on DeCSS Litigation Update · · Score: 1

    Probably the same inability to reason that allows the US crypto export regulations to exist instead of being discarded as utterly ridiculous because the regulations are trying to control the export of something that has already been exported and is widely available all over the world. I've been asking the same question about the crypto regs:

    "What is the response of the proponents when asked what good does this do in light of the contrary evidence?"

    I have never seen Louis Freeh or any of those yahoos pushing for crypto regs give an answer to this. The reason? Maybe they aren't being point blank asked the question. The reason for that? We're back at square one.

    -core

  13. Re:FYI: what I got back from feedback@amazon.com on Yet Another Amazon Patent · · Score: 1

    I would answer you on that, but the Amazonoresponder technology is "patent pending"

    -core

  14. Re:Amazon has a _lot_ of patents -WTF??!! on Yet Another Amazon Patent · · Score: 1

    I can't _believe_ something as generic as showing a user a portion of their credit card number and telling them which portion can be patented (Secure method and system for communicating a list of credit card numbers over a non-secure network). This is *patently* ludicrous!

    How is this novel? Microsoft is sounding like a *real* innovator once you read Amazon's patents...

    I've only looked at this one other patent and I can't look at any more lest I become sick...

    -core

  15. Re:Telnet With S/Key on SSH v. SRP · · Score: 1

    You're using something like s/key to protect your password from sniffing, yet you aren't concerned about TCP hijacking?

    Anyone in a position to steal your password off the wire by sniffing can just as easily wait for you to authenticate and then hijack your session (they probably would wait until you 'su' to root though so they'll have that password after hijacking your session).

    Encryption has more benefits than just confidentiality of passwords and sessions! It is a key ingredient in preventing session hijacking.

    -core

  16. Re:Site going down for 1.75 days on Bringing E-Com Sites Down for Y2K? · · Score: 1

    This is another ridiculous claim:

    hackers will take advantage of y2k problems to mask attacking systems.

    Let's explore this a bit:

    hackers will pick the one night that everyone in the world is actually *monitoring* their sites carefully to break in--way 2 go! Many hackers are stupid and there will surely be stupid hackers trying things during y2k. They've been duped by the same hype that y'all have been fed!

    It would be much smarter to wait until after y2k and then attack after everyone thinks it's clear...

    The other part of the claim is that y2k problems will be used to mask attack attempts.

    Hmmm. I can't think of a y2k problem that would cause massive portscanning and buffer overflow attempts to my systems. That would be some screwed up system to log that kind of information due to y2k! "Someone is pingflooding our systems. We must have not caught that y2k bug!".

    Do you see how ridiculous this is?

    People need to look at these fearmonger claims RATIONALLY. Don't just react--use your heads and make your own decisions based on reason and fact!

    -core

  17. Re:Servers are down where I work. on Bringing E-Com Sites Down for Y2K? · · Score: 1

    My ISP is shutting down as well claiming fear of power problems. This is equally as ridiculous:

    When you power your systems back on, are they any more immune to power problems???

    The answer is NO! Nothing is different. You are still just as vulnerable to power surges.

    If you don't have enough faith in your existing UPSs and power surge equipment to protect you, why will you ever power back up? Do you shut down whenever there is a lightning storm? By your logic, you should. There's millions of volts flying around the air that might come bite you ;-)
    You purchase UPSs with surge protection to protect you against any surge. An unsubstantiated, unknown y2k surge is not going to be any different...

    (BTW, everyone should have a surge protector at your circuit panel as added protection--they're only like $30 and protect everything on the panel by creating least-resistance to ground. You don't need any other surge protector with one of those.)

    -core

  18. You're never free from risk--learn 2 deal with it! on Bringing E-Com Sites Down for Y2K? · · Score: 3

    I'm a security specialist so I've dealt with this already in my company:

    It is ridiculous to shut down sites as a precaution against "hacker" or virus attacks. Ask yourself this question:

    When I bring the site back up, has the risk of compromise gone away?

    The answer is a resounding "NO". There is always a risk of compromise. If the Internet is so dangerous that you have to occasionally disconnect from it to protect yourself, then why do you even reconnect?!?! When you reconnect, nothing has changed except the calendar. Also, how do you know that the hacking hype wasn't designed to get you to disconnect now, and then reconnect days later only to have a false sense of added security since y2k is over and get 0wn3d on the 5th?? Isn't this an unknown, unsubstantiated risk too? You'd better never reconnect then...

    The idea of disconnecting due to a y2k virus trigger is equally as ridiculous. April 1 is a more common day for virus and hoax triggers. Should every company disconnect then as well? Also, out of the thousands of viruses, only a handful have been very widespread. A massive virus infestation is historically unlikely.

    Disconnecting due to some unknown, unsubstantiated threat is especially ridiculous (look at Seattle shutting down the y2k party...). It's CYA for lame IS and security people, IMHO. There are always going to be unknown, unsubstantiated threats. IS and security folks' jobs are to set up defenses to protect from day to day--that will work regardless of the amount of attacks. Shutting a site down for fear of someone breaking in is a self-induced DoS. E.g. the military sites that are being shut down (see http://www.hackernews.com for yesterday and today) during y2k are still going to have the same holes they did on the 1st....

    Check out more specific information on y2k virus hype, "precautionary disconnects", etc. at the following links and see what:

    "Precautionary disconnect" -- a disturbing new trend

    OVERBLOWN: "Y2k Viruses"

    Y2K viruses: "It's Orson Wells all over again"

    Fearmonger vs. skeptic: a Y2K virus conversation

    The virus grinches who tried to steal Christmas

    -core

  19. Re:Stolen at a restaurant? on Novell CEO Attacked by Cookie Monster · · Score: 1

    The underlying point is well taken. However, if *I* wanted to commit credit card fraud, I wouldn't want the credit card of someone dining at Red Lobster! Get a job where the patrons don't check their bills or the amounts on the menu (better yet--where the menu doesn't even have amounts!). I'd rather get numbers on cards with $50-100k limits than $500 or $5000 limits ;-)

    -core

  20. "Think twice, click once" on Y2K Movie Followup: The Slashdot Effect Gone Wrong · · Score: 2

    The old carpentry saying

    "Measure twice, cut once"

    has some important, useful information that it would behoove us in the information age to take heed of:

    "Think twice, click once".

    ...and be civil!

    I'd highly suggest reading the slashdot article mentioned in this posting Thoughts from the Furnace

    -core

  21. Docking functionality in 2.0? on Interview: KDE Developers Answer Your Questions · · Score: 1

    Is KDE 2.0 going to support application docking?

    For example, I want to drag that CDE-ripoff of a desktop changer out of the panel and replace it with kpager. It is really annoying to have kpager hidden underneath windows on the desktop so having it dock into kpanel in lieu of the desktop changer would be way cool.

    -core

  22. Re:Integrated Web Browser? -- security issues! on Interview: KDE Developers Answer Your Questions · · Score: 1

    I'm concerned about the integrated web browser from a security standpoint, just as I'm concerned about IE being seamless with local files and remote files. Now, adding active content like java and javascript to the same application that is going to be your graphical file manager sounds like the same recipe for disaster...

    IE tries to use "zones" to prevent content in one arena from compromising security in other areas. Of course, this is a flawed concept as the end user cannot decide the best settings and the default settings are too lenient. How will Konqueror keep users any more secure than IE from active content, frame spoofing, etc? I sure hope that, unlike MS, KDE folks have learned from past mistakes in design. What is Konqueror's security model? Can active content be easily disabled/controlled?

    -core

  23. "Leasing" appliances & not getting source on On the GPL and Releasing Source Code · · Score: 1

    I know of a company that is "leasing" boxes running modified linux & squid and they don't think that they need to supply source since they aren't "selling" the box. I think that this is a clear violation of the GPL. Does anyone concur?
    I'd like to see them taken to task if they are violating...and get their source! We can't have companies sucking off the open source community (taking & not giving).

    -core

  24. 'They didn't encrypt the key' doesn't make sense on Why DVD Encryption Crack was a Cinch · · Score: 1

    Okay, we're being asked to believe that the Xing encryption key was compromised because it was not stored encrypted. This is asinine. If they had stored the key encrypted, that means that the decryption key for that would be somewhere in the clear. This would only be simplistic obfuscation that should be easily subverted.

    -core