Maybe that could have helped me with my RSI - I am writing these lines with minimal right-hand movement, as my wrist is covered with a large elastic bandage.
KaZaA are supposedly acting in accordance with the court decision by stopping download of their software - BUT - this will not stop the network from existing.
In order to really stop the network from existing, the KaZaA guys need to really break it - for instance, force a download of a newer version of KaZaA media desktop and disable it on a particular date.
Thinking about it, maybe the versions we all have contain a remote control code which disables them, thus disabling the entire network.
It is enough that the network is inactive for a few days or fragmented enough to make it stop. There are some mechanisms built into KaZaA to prevent that from happening, but it is not impossible.
Outcome one: Larry Ellison wins a multi-million-dollar contract.
Outcome two: The public gets stuck with yet another piece of plastic to walk around and lose and so on.
Outcome three: Next attack will include cards stolen from legit. people and checked only briefly by a minimum salary security guard.
Even the best card is still a single-factor security device - it identifies you by what you have. To actually use this security you have to compare some biometric parameter (what you are) or some PIN (what you know) to the card, which brings up the problem of secure terminals and MITM attacks... Can be solved, but it will take a lot more than a card.
... are at large. There are sources in Phrack somewhere. It is easy to guess the next sequence number on the traffic - if it's a terminal session it's 1+ the previous one, if it's data it's the MTU + the previous ones, the rules are really simple.
There is no problem, today, to hijack a connection once you can sniff it. The tools are there.
Question is will there be tools to hijack a connection and inject data into it when you can't sniff it. Unpredictable (not necessarily 'purely' random) come into play here, and since it is 'as old as the hills', most TCP implementations already do some sort of activity to make it so. Not that hard to do.
All the best
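An added example (not part of the original comment) contrasting a counter-style initial sequence number with the keyed construction from RFC 6528, which is what makes the number unpredictable to someone who cannot sniff the connection. The class names, the step value and the addresses are constructed for illustration, and HMAC-SHA256 stands in for the MD5 the RFC suggests.

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF
STEP = 64000  # constructed per-connection increment for the weak generator


class CounterISN:
    """Weak scheme: one global counter, bumped by a fixed step per new connection."""

    def __init__(self, start=0):
        self.value = start & MASK

    def next(self, four_tuple, clock_us=0):
        self.value = (self.value + STEP) & MASK
        return self.value


class KeyedISN:
    """ISN = M + F(4-tuple, secret), the construction described in RFC 6528.

    M is a clock that ticks every 4 microseconds; F is a keyed hash of the
    connection 4-tuple (HMAC-SHA256 here in place of the RFC's suggested MD5).
    """

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)  # per-boot secret, never sent on the wire

    def next(self, four_tuple, clock_us=0):
        m = (clock_us // 4) & MASK
        digest = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (m + int.from_bytes(digest[:4], "big")) & MASK


def predictable_across_connections(gen, clock_us=1000):
    """True if an ISN seen on one connection reveals the ISN the same host
    gives to a different connection opened one clock tick later."""
    mine = ("203.0.113.9", 40000, "192.0.2.1", 23)    # constructed addresses
    theirs = ("198.51.100.7", 51515, "192.0.2.1", 23)
    seen = gen.next(mine, clock_us)
    actual = gen.next(theirs, clock_us + 4)
    return actual == ((seen + STEP) & MASK)
```

For a single 4-tuple the keyed generator still advances with the clock, so sequence numbers on a reused connection keep increasing; only the offset between different connections is hidden.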
The future of hacking and computer security (on "Microsoft Cracked", Score: 2)
Hello all
I'd like to jump into conclusions. Bear with me for a second here.
Say that the recent high profile cracks (a.k.a. hacks) are only the beginning of a tidal wave, where companies are attacked for fun and profit. The world cries for help, and out go the countries (US and Europe, for starters) and
- Ban hacking tools (burglary tools)
- Ban hacking conventions (subversive activity)
- Ban hacking discussion forums (subversive, of course)
- Mandatory licensing and auditing system administrators (holders of forbidden knowledge)
- Mandatory deployment of monitoring tools allowing full accountability, complete with phone record cross references
- Etc.
What will happen? At first, things will look promisingly better:
- Hacking sites will be banned and closed. The few which will remain will go on-line and off-line quite a bit, and spend their time mirroring and evading law enforcement
- The script kiddiez will be gone! What used to be a game will have some kids arrested, and the rest will be scared s***less and cease to function
- High profile cracks will become the sign of stupidity, as the cracker is sure to find the feds outside his place in a matter of hours
But in the long run, we will start to see, IMHO, deeper influences:
- Underground groups would form. They will use the Internet for communications, just as before, but will probably be more closely-knit and use steganography and/or encryption as standard means for communications.
- Most of these groups would be benign, acting with the spirit of true hacking, but some will be malignant secret societies. I'm speaking of highly intelligent people, with the know-how and intention to commit those cyber-crimes, and some form of fscked up ideology about how "we must hurt them to prove they can't touch us".
- All kinds of those groups will work feverishly in research of new technologies to subvert security systems, which will be slower but continue nevertheless, while
- OTOH the security systems development will shift into lower gear. After all, the hackers are gone, right? The high profile dudes are in jail or on the run. Let's leave the door open at night, who cares?
A dark era is coming. Information will be limited to the few who dare have it. The majority will live in the bliss of ignorance, while the few will silently loom in the shadows, waiting for their chance. Some will treat it as a game, knowing they control the power and get high on the feeling. Some will silently slip into places and perform subtle acts which will really pass unnoticed, like long range logic bombs and backdoors. System administrators will grow lax and less educated, while hackers-crackers will rummage their systems undisturbed.
Call me paranoid and pessimistic. Flame like hell.
And they will release the NanoWussname, and they will roam around the Internet, eat away your firewall, your NAT box, your Windows box, and live to tell the tale.
Purely speculating, I would presume that what they send are fragments of packets, source routed IP packets, etc. etc...
They say they maintain a connection with the probed host - IMO they use a legit way to pass your NAT (for instance a web server inside your private network) and then embed their special "hand crafted" packets inside the stream which try to fool the server itself to route the packet elsewhere, inside the network. The "swarm" concept indicates they will probably be scanning your internal IP range using this technique or some other.
Maybe routers or firewalls should nowadays remove any interesting IP options, or even deny them.
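An added example (not part of the original comment) of the filtering idea above: parse the options area of an IPv4 header and drop packets that are malformed or carry a source-route option (LSRR 131, SSRR 137, per RFC 791). The function names, the strict mode and the sample header builder are constructed for illustration.

```python
import struct

# IPv4 option types that request source routing (RFC 791)
LSRR, SSRR = 131, 137
EOL, NOP = 0, 1


def ipv4_options(packet: bytes):
    """Return [(type, data)] for the options in an IPv4 header; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad version or header length")
    opts, i, end = [], 20, ihl * 4
    while i < end:
        kind = packet[i]
        if kind == EOL:          # end of option list, the rest is padding
            break
        if kind == NOP:          # single-byte filler
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated option")
        length = packet[i + 1]   # length covers the type and length bytes too
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        opts.append((kind, packet[i + 2:i + length]))
        i += length
    return opts


def verdict(packet: bytes, strict: bool = False) -> str:
    """'drop' for malformed or source-routed packets; strict drops any non-padding option."""
    try:
        opts = ipv4_options(packet)
    except ValueError:
        return "drop"
    if any(kind in (LSRR, SSRR) for kind, _ in opts) or (strict and opts):
        return "drop"
    return "accept"


def header(options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left zero), options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
```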
A good point to ponder: Can you make a system social-engineering proof?
My bank works by identifying you by phone using a challenge-response mechanism. The clerk on the phone CANNOT access any information about your account except for your name until he or she enters the correct response to the challenge into the computer (which blocks your account after two unsuccessful attempts at that, requiring an alternative method).
Is it possible to go along these lines and plan a system in which the human factor cannot affect security?
What the question asks is, actually, what if I want to look for words from the context of my search subject, and from there go up to the entire subject. For instance, I might be looking for songs by "Eagles", and specify "Welcome to the hotel California" as my search string. Database driven lyrics server would not reveal this information to the random robot.
But, on the other hand, if I look for a subject using words that describe the subject (for instance - "lyrics", "song", "band"), I would find the content search engine itself rather than the song, because the search engine should (and will) contain such words in its static parts.
So IMHO there are two complementing and distinct solutions to the problem presented:
- Making sure our database driven content search engine describes itself to a good extent and with sufficient keywords for the indexing search engine spider to index efficiently for a typical query, and
- exporting an index of keywords in an HTML which redirects to the search engine, letting the spider pick it up and index it to its liking. Many xxx sites do that to increase their popularity.
The first solution is obvious and should be widely in use today. The second solution puts the load on the spider, and seems "un-nettic" (ethic).
The best way to set up your machine so you can log in remotely, is, IMHO, Mindterm.
If you set up a web page on that machine which runs the Java applet, you will always be able to securely login to your box from any machine with a compatible browser. And you can download the applet and use it locally to login to wherever.
My "strong" passwords (the ones I care about, root, etc.) are usually acronyms of famous sayings or song titles, garbled to my liking. The not-so-strong passwords are usually composed from IBM acronyms related to MainFrames, and believe me, they are in the plenty. It is rumored that IBM has registered trademarks on all 3-letter acronyms, so I just take two and add a digit. The really weak passwords are usually related to web sites, and it is some variation on the site name or address.
RSI = Repetitive Strain Injury, just in case you didn't know.
--Arik
Security is a process, yada yada yada.
You are more likely to be killed by a car accident than by a terrorist attack, with the odds being 5:1 against.
Yes, there are terrorist attacks. Yes, they kill us, and we kill them. Yes, we live our daily lives, and so do they. Don't panic, folks.
You just can't have Telnet do that, because you need instant feedback on your keystrokes.
Cling goes my 2c...
The creative minds that were being used for commercial purposes might decide to do something for free.
Just my 2e-2$.