Here's a good piece on Vmyths about mi2g. They're full of it. I wouldn't be surprised if the entire "report" was based on a sample of two machines. On a home network. With an inquisitive teenager around:)
IMHO, a typical default Linux install would be lucky to last 24 hours on a broadbank connection. Even an OpenBSD honeypot was opened the other day, the story was here... (I'm sure the Honeynet Project have some stats but haven't time to look em up, sorry)
...for a web dev position with cross training to network security (which I was, and still am, very interested in.) This was in 1998, IIRC. The head geezer is one D.K. Mattai. He told me they did consultancy for a lot of City (financial) firms, including info-sec work, and that I'd be paid a small basic (about 20K IIRC, not much even then) with substantial commission on any sales I made. Between the man himself, his dodgy "lounges" microsite idea (he wanted a "carlounge" site, a "videolounge", etc, but had dodgy ideas about advertorial as a revenue stream), the very non-technical, "hobby job" feel of the place (I only met him, and saw little evidence of anyone else using the rather flashy offices in Battersea - right on the Thames in fact, not a cheap location!)... just weirded me out a bit. I remember walking along the embankment afterwards, looking at the sun on the river and thinking "I know I hate Logica, but I'm not sure I trust this set-up - in fact I don't think I'd take it if he offered me the job." He tried to pressure me into signing up on the spot, too, IIRC. Oh yeah, and he thought NT4 and IIS were the bee's testes for secure servers.
Anyway, over the next four years or so I kept coming across sitings of him in Need To Know. Search for mi2g or "D.K. Mattai" and you'll see what I mean. He puts up some new FUD release every six -12 months, and presumably reaps some consultancy fees from the credulous and ill-informed. The other day I saw he'd even got himself onto the BBC with some nonsense "survey" about virus attacks by Al Qaeda... before that, it was anti-globalisation protesters who were going to make the sky fall.
> >"Computer (esp. network) security isn't really something that can be >learned in a class. It's more of an ongoing awareness of what the >threat of the week is. If history has shown us anything, it's that any >useful networked system has flaws and can be broken into. As such, >it's important to always keep on the forefront of what the enemy is up >to. > >"Irritatingly time-consuming? You bet. A pain in the ass to keep up >with? Oh yeah. The only effective way to keep systems and networks >secure? Unfortunately." >
Are you out of your mind?! Keeping up with stuff is the best excuse I ever found to lurk on (counts mail filters) Bugtraq, Incidents-l, ISN, vuln-watch, nanog, SANS newsbytes, CERT, NTBugtraq, sec-focus, (and even... Slashdot, 'cos you'll hear about the new IE/ IIS hole-du-jour faster here than anywhere;)
Seriously, I really enjoy following the changing scene, the constant arms war between the kiddies and the defenders. I just wish *I* could find someone to pay me to do it. As it is I'm off work this week and spending most of my time catching up with list backlog. And loving it.
"DRM will not make it on to desktop PC's. Try telling a user that the
new computer they are thinking of purchasing has less features than
their current one."
It might just be possible that Microsoft, Intel and AMD have already thought of that. It might just be that they will market it as a new feature. Indeed, in the original NYTimes Steven Levy piece it was interesting to see Gates saying (words to the effect of) "we started thinking about this technology in connection with music and video, but then we realised we could position it as a general purpose security feature." Apart from killing one of the last remaining sectors where ISVs still make money writing for the Windows environment (a/v, security, personal firewalls and so forth), you can bet that they'll be trumpeting Palladium as the pay-off from the much hyped "trustworthy computing" hype. Come to think of it, that abuse of the word "trust" - a term with a specific meaning in info-sec, crypto and other areas - as a marketing term is classic Microsoft double-speak. Or do I mean newspeak? "Palladium is watching YOU!"
Oh, and what's in it for Microsoft? Control. The same thing they've always been about. It's the same reason the MPAA are attempting to suppress deCSS: nothing to do with copy protection, everything to do with control of the distribution channel.
Lots of people here don't seem to get it. If Palladium is to work, it must be incorporated in all CPUs, including those running MacOS, linux, BSD or FrobOS. Can't imagine how big business and the State could slip that through so it becomes illegal to use a "pirating operating system"? Think again...
> If this guy sold PGP five years ago, what authority > does he have now to suggest the change?
"This guy" developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.
So, only moral authority... which doesn't seem to be worth much on the free market, these days.
>Why should we care what Network Assosciates's >proprietary privacy software does? There's no good >reason one can't write their own Public Key >Encryption software
Because another Free implementation - of anything - will always be useful.
...who the fuck is Elizabeth Smart? I read multiple news sources every day and I've never heard of this. Oh wait, I'm not American. Guess I don't exist huh.
ahhhh... a fellow Spiritualized fan.. and you've HEARD of the Beach Boys? You can't possibly be American...:)
Here are my best guesses at the lyrics - any idea about the missing ones? or corrections? I mailed back the card for lyrics but they never arrived. 12 Steps in particular is hard to make out.
Re:Why is important infrastructure online?
on
Cyber-Attacks?
·
· Score: 2
(1) critical infrastructure (eg: the DoD) needs internet access too. (Guess who their preferred NSP was? A clue: it rhymes with "huge con".
(2) the networks themselves are built of routers and switches. These devices, which are scattered around the world (often in cold, dark, inaccessible ops centers or datacentres) need to be managed remotely. Your standard one-modem-per-rack emergency device is only that, really - for routine stuff you want to go in-band (so you can ssh onto your cat 5500 and do `sh ip bgp' or whatever from the comfort of a quiet, airconditioned NOC (net ops centre) where you have access to docs, r&r, other engineers and so on.
(3) the internet ITSELF is critical infrastructure these days. I don't think they're seriously saying that terrorists are going to crash ATC systems from an internet cafe in Peshawar (well, OK, maybe they are implying that to the general public, but of course that's pure FUD.) Traditional DDoS attacks of the mafiaboy style have the power to significantly fsck up the world economy however. Did you know Mafiaboy only stopped cos he got bored? If he'd been motivated enough he could have carried on for weeks or months whilst net ops painstakingly backtraced every attacker through the chain of abuse desks and LEAs... Imagine if, say, Akamai's content distribution network were attacked.
(4) Finally, there are some interesting new toys for attackers to use: pulsing zombies, warhol worms, and (the thing we don't really want to mention which is a big vulnerability: network peeps know what I mean) in many, many networks.
When stuff like the Worldcom farce can lead to the excellent and strategically vital UUNET backbone potentially going dark, what on *earth* do they think Al Quaida can do?! This sounds like "electronic Pearl Harbour" b/s - if you don't know, that phrase is a common code-phrase meaning "give us more money and power!" often heard in Washington over the last decade or so.
What do they think a terrorist organisation could do, that groups of script kiddies with a few botnets couldn't do? Have they really got any idea what sort of DDoS stuff happens every day of the week out there in IP land?
> everyone - the accountants, the analysts, and the >investors - had their eyes closed to the obvious.
...unless you read NANOG-l, where the network engineers, architects and hackerish observers of the network industry have been saying for (literally) years "Bernie Ebbers is a crook, what a shame UU will probably go down in the wreck when it finally comes."
By all accounts (and from some personal experience as a customer) UUNet have a pretty solid, reliable, professionally run network. I just hope the receivers realise a lit network complete with engineering teams is worth a lot, lot more than a dark network with no engineers.
Of course, elements from the fringe have been arguing there is/has been water there for ages. It seems that it is only now the the official scientists are starting to say "well, there could be", or even "look at our new discovery."
Examples of how strange this get are seen here [enterprisemission.com]. Ignoring the junk science nonsense, the pictures are interesting. If you scroll about halfway down, there is one mars photo, conveniently linked to the nasa archive, that looks for all the world like an actual sea shore. So much so it is startling.
Yeah, but there are "fringe scientists" out there who claim they've spotted Banyan trees(!) and vegetation in the JPL archives... IIRC Arthur C. Clarke decided to make an idiot of himself by backing these claims. I can just about stretch to contemplating a hypothesis that some sort of primitive, unicellular slime mould manages to eke out a precarious existence in the sub-zero temperatures, extreme aridity and all-round Antartica conditions. After all, there are bacteria that manage to survive by living on the bottom of pebbles in Antarctica. But Banyan trees?... sorry, you lost me there...
permissions? The best permission attributes I'm aware of are those of Netware, followed by NT/W2K. Unix sucks in that respect I'm afraid. User space vs. kernel space - not sure what you mean; obviously any modern OS (even including Windows, now that 9x has been phased out at last) will grasp the distinction between user and kernel space... did you mean something different?
worked in Ghana for five years - mostly up country (out in the rain forest living in a terrapin hut) building bridges for Mabey and Johnson. When he made it back to the capital, Accra, we could exchange email pretty straightforwardly and without any massive delays. This was back in '98 or so. He really loves the country, in fact he married a Ghanian woman so he's going to be going back pretty regularly for the rest of his life I guess.
The problem is that the bastardized movie incarnation of Starship Troopers is not only vastly inferior to the printed subject matter, it actually perverts Heinlein's message in the book. [...]
What Verhoeven and his cronies did with the movie was turn the Federation into an actual fascist state.
I haven't read the book either; does it have the same concept that you only become a full citizen (with the right to vote) if you join the military? See, over here in euro-weenie land, that's what we call "fascism". Vorhoeven's Dutch isn't he?
No, no, no. In the film, Vorhoeven makes it pretty clear that that he's showing a bitter satire on the politics of war. The asteroids have nothing to do with the bugs. Remember at the end when the guy who went into the Intelligence Corps (the geezer with the sinister Gestapo-type leather overcoat) says that they knew that this planet was going to be heavily defended, but that they had to sacrifice lots of troopers so that they didn't give away how much they knew in advance? Rather like Pearl Harbour in fact... the Buenos Aires rock might even have been aimed at Earth just to trip everyone into a war footing (so that every musclehead rushes to sign up as cannon fodder...)
'Course, none of this has any bearing at all on recent events. It's pure fantasy. Oh yes.
Here in London UK the cheapest skanky 1 bed apartment is well over £100K. If you want a HOUSE, well, forget it. I shan't be able to afford to buy a house at all unless I win the lottery, or if my parents die and turn out to be ten times richer than I think they are.
Slashdot Mirror
Here's a good piece on Vmyths about mi2g. They're full of it. I wouldn't be surprised if the entire "report" was based on a sample of two machines. On a home network. With an inquisitive teenager around :)
Reference, please?!
IMHO, a typical default Linux install would be lucky to last 24 hours on a broadbank connection. Even an OpenBSD honeypot was opened the other day, the story was here... (I'm sure the Honeynet Project have some stats but haven't time to look em up, sorry)
mi2g are FUDsters, and crap FUDsters at that.
Check some of these out...
http://www.ntk.net/index.cgi?b=02001-09-28&l=12
http://www.ntk.net/index.cgi?b=02001-04-27&l=4 6#l
http://www.ntk.net/index.cgi?b=02001-04-27&l
http://www.ntk.net/index.cgi?b=02000-02-25&l
http://www.ntk.net/index.cgi?b=01999-12-24&l
http://www.ntk.net/index.cgi?b=01999-11-05&l=7 9#l
http://www.ntk.net/index.cgi?b=01999-11-05&l
just search NTKfor mi2g, there are plenty more where they came from.
...for a web dev position with cross training to network security (which I was, and still am, very interested in.) This was in 1998, IIRC. The head geezer is one D.K. Mattai. He told me they did consultancy for a lot of City (financial) firms, including info-sec work, and that I'd be paid a small basic (about 20K IIRC, not much even then) with substantial commission on any sales I made. Between the man himself, his dodgy "lounges" microsite idea (he wanted a "carlounge" site, a "videolounge", etc, but had dodgy ideas about advertorial as a revenue stream), the very non-technical, "hobby job" feel of the place (I only met him, and saw little evidence of anyone else using the rather flashy offices in Battersea - right on the Thames in fact, not a cheap location!)... just weirded me out a bit. I remember walking along the embankment afterwards, looking at the sun on the river and thinking "I know I hate Logica, but I'm not sure I trust this set-up - in fact I don't think I'd take it if he offered me the job." He tried to pressure me into signing up on the spot, too, IIRC. Oh yeah, and he thought NT4 and IIS were the bee's testes for secure servers.
Anyway, over the next four years or so I kept coming across sitings of him in Need To Know. Search for mi2g or "D.K. Mattai" and you'll see what I mean. He puts up some new FUD release every six -12 months, and presumably reaps some consultancy fees from the credulous and ill-informed. The other day I saw he'd even got himself onto the BBC with some nonsense "survey" about virus attacks by Al Qaeda... before that, it was anti-globalisation
protesters who were going to make the sky fall.
In short: nothing to see here, move along please.
>
;)
>"Computer (esp. network) security isn't really something that can be
>learned in a class. It's more of an ongoing awareness of what the
>threat of the week is. If history has shown us anything, it's that any
>useful networked system has flaws and can be broken into. As such,
>it's important to always keep on the forefront of what the enemy is up
>to.
>
>"Irritatingly time-consuming? You bet. A pain in the ass to keep up
>with? Oh yeah. The only effective way to keep systems and networks
>secure? Unfortunately."
>
Are you out of your mind?! Keeping up with stuff is the
best excuse I ever found to lurk on (counts mail filters) Bugtraq,
Incidents-l, ISN, vuln-watch, nanog, SANS newsbytes, CERT, NTBugtraq,
sec-focus, (and even... Slashdot, 'cos you'll hear about the new IE/
IIS hole-du-jour faster here than anywhere
Seriously, I really enjoy following the changing scene, the constant
arms war between the kiddies and the defenders. I just wish *I* could
find someone to pay me to do it. As it is I'm off work this week and
spending most of my time catching up with list backlog. And loving it.
"DRM will not make it on to desktop PC's. Try telling a user that the
new computer they are thinking of purchasing has less features than
their current one."
It might just be possible that Microsoft, Intel and AMD have already thought of that. It might just be that they will market it as a new feature. Indeed, in the original NYTimes Steven Levy piece it was interesting to see Gates saying (words to the effect of) "we started thinking about this technology in connection with music and video, but then we realised we could position it as a general purpose security feature." Apart from killing one of the last remaining sectors where ISVs still make money writing for the Windows environment (a/v, security, personal firewalls and so forth), you can bet that they'll be trumpeting Palladium as the pay-off from the much hyped "trustworthy computing" hype. Come to think of it, that abuse of the word "trust" - a term with a specific meaning in info-sec, crypto and other areas - as a marketing term is classic Microsoft double-speak. Or do I mean newspeak? "Palladium is watching YOU!"
Oh, and what's in it for Microsoft? Control. The same thing they've always been about. It's the same reason the MPAA are attempting to suppress deCSS: nothing to do with copy protection, everything to do with control of the distribution channel.
Lots of people here don't seem to get it. If Palladium is to work, it must be incorporated in all CPUs, including those running MacOS, linux, BSD or FrobOS. Can't imagine how big business and the State could slip that through so it becomes illegal to use a "pirating operating system"? Think again...
Be very afraid.
> If this guy sold PGP five years ago, what authority
> does he have now to suggest the change?
"This guy" developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.
So, only moral authority... which doesn't seem to be worth much on the free market, these days.
>Why should we care what Network Assosciates's
>proprietary privacy software does? There's no good
>reason one can't write their own Public Key >Encryption software
Because another Free implementation - of anything - will always be useful.
...who the fuck is Elizabeth Smart? I read multiple news sources every day and I've never heard of this. Oh wait, I'm not American. Guess I don't exist huh.
Freon isn't very good for you...
ahhhh... a fellow Spiritualized fan.. and you've HEARD of the Beach Boys? You can't possibly be American... :)
Here are my best guesses at the
lyrics - any idea about the missing ones? or corrections? I mailed back the card for lyrics but they never arrived. 12 Steps in particular is hard to make out.
(2) the networks themselves are built of routers and switches. These devices, which are scattered around the world (often in cold, dark, inaccessible ops centers or datacentres) need to be managed remotely. Your standard one-modem-per-rack emergency device is only that, really - for routine stuff you want to go in-band (so you can ssh onto your cat 5500 and do `sh ip bgp' or whatever from the comfort of a quiet, airconditioned NOC (net ops centre) where you have access to docs, r&r, other engineers and so on.
(3) the internet ITSELF is critical infrastructure these days. I don't think they're seriously saying that terrorists are going to crash ATC systems from an internet cafe in Peshawar (well, OK, maybe they are implying that to the general public, but of course that's pure FUD.) Traditional DDoS attacks of the mafiaboy style have the power to significantly fsck up the world economy however. Did you know Mafiaboy only stopped cos he got bored? If he'd been motivated enough he could have carried on for weeks or months whilst net ops painstakingly backtraced every attacker through the chain of abuse desks and LEAs...
Imagine if, say, Akamai's content distribution network were attacked.
(4) Finally, there are some interesting new toys for attackers to use: pulsing zombies, warhol worms, and (the thing we don't really want to mention which is a big vulnerability: network peeps know what I mean) in many, many networks.
What do they think a terrorist organisation could do, that groups of script kiddies with a few botnets couldn't do? Have they really got any idea what sort of DDoS stuff happens every day of the week out there in IP land?
>investors - had their eyes closed to the obvious.
...unless you read NANOG-l, where the network engineers, architects and hackerish observers of the network industry have been saying for (literally) years "Bernie Ebbers is a crook, what a shame UU will probably go down in the wreck when it finally comes."
By all accounts (and from some personal experience as a customer) UUNet have a pretty solid, reliable, professionally run network. I just hope the receivers realise a lit network complete with engineering teams is worth a lot, lot more than a dark network with no engineers.
Yeah, but there are "fringe scientists" out there who claim they've spotted Banyan trees(!) and vegetation in the JPL archives... IIRC Arthur C. Clarke decided to make an idiot of himself by backing these claims. I can just about stretch to contemplating a hypothesis that some sort of primitive, unicellular slime mould manages to eke out a precarious existence in the sub-zero temperatures, extreme aridity and all-round Antartica conditions. After all, there are bacteria that manage to survive by living on the bottom of pebbles in Antarctica. But Banyan trees?... sorry, you lost me there...
it's olds for nerds... images from as far back as Pathfinder showed conclusive evidence of catastrophic outburst floods. That's why Mars Odyssey carries the gamma ray spectrometer which is tuned to look for the hydrogen signal from subsurface water in the first place.
Oddly enough, the headline on this article is strangely apt.
Anyway IIS doesn't patch itself into the kernel... does it??!!??
permissions? The best permission attributes I'm aware of are those of Netware, followed by NT /W2K. Unix sucks in that respect I'm afraid. User space vs. kernel space - not sure what you mean; obviously any modern OS (even including Windows, now that 9x has been phased out at last) will grasp the distinction between user and kernel space... did you mean something different?
worked in Ghana for five years - mostly up country (out in the rain forest living in a terrapin hut) building bridges for Mabey and Johnson. When he made it back to the capital, Accra, we could exchange email pretty straightforwardly and without any massive delays. This was back in '98 or so. He really loves the country, in fact he married a Ghanian woman so he's going to be going back pretty regularly for the rest of his life I guess.
Others have suggested that Heinlein was, in fact, a fascist.
I haven't read the book either; does it have the same concept that you only become a full citizen (with the right to vote) if you join the military? See, over here in euro-weenie land, that's what we call "fascism". Vorhoeven's Dutch isn't he?
'Course, none of this has any bearing at all on recent events. It's pure fantasy. Oh yes.
This is shit.