Yeah, then the BSD and Linux security teams. If there is such a thing.
Nice, I hadn't thought of a sponsored link to every Bellsouth user, but it's really easier than doing regional advertising.
They don't need to give web browsing a bad experience, as it's quite hard to do. You either limit monthly data use (=very unhappy users) or throttle bandwidth (often too subtle to notice on a busy site).
What they can do is give VoIP packets a bad experience, and drop VPN packets on the floor altogether. Want SSH? Pay more. Want IPSec? Pay much more (in theory Comcast charge a premium for this BTW). But VoIP? You just slow down the packets. Bandwidth can be maintained, but suddenly Google Talk and Yahoo phone start working worse than Bellsouth approved partners.
The other latency-sensitive market is gaming; I wonder how much they want off the X-live people for X-box players.
Imagine if web sites got the bellsouth.net IP addresses and just blocked them out altogether: "we are blocking out Bellsouth because it wants to charge more for less unreliable TCP".
Bellsouth are saying "we have enough customers that you need to pay us for decent QoS", so a response back, "if you want to be silly, go build your own web sites/apps" would be a test to see who would blink first.
It also explains why things go so badly wrong at conferences.
All it takes is one laptop to suddenly go out of range of the AP and it becomes an ad-hoc network *with the same name as the conference network*. Then laptops that are in range and don't have "connect to ad-hoc networks" disabled also start binding to that node, as suddenly there is a choice between the real and ad-hoc network, both with the same fucking name.
This isn't a security risk, any more than running unencrypted protocols over a WLAN in the first place, but it just makes the Windows laptop experience that much worse for everyone involved, at least those who don't know that turning off ad-hoc networking makes sense. Maybe now a fear of a security vulnerability will help people to do that.
And let's be ruthless: if it gives Windows users a worse experience than Apple or, say, Ubuntu laptop owners, well, serves them right. (My laptop is actually running WinXP; it is my last non-vmware Windows image. I keep it in DOS-land as it runs those apps I need at work (Exchange, MSWord), and it helps test that the apps I write do actually work on XP as well as Unix. But I could do the latter with vmware-based testing, so maybe this is the year to migrate to a good Linux laptop distro.)
The way MS could do it is have the updater app run separately from the browser, and have AX enabled in there.
In the absence of that, you can run Windows/Microsoft Update by going to zone security:
-turn off download/run ActiveX controls in the Internet zone
-go to the Trusted zone and mark it as medium security, with prompted ActiveX enabled. [Why does the Trusted zone exist? Is there some web site you really trust to install unsigned ActiveX?]
-turn off "require https" for trusted sites, and add *.microsoft.com.
The result is to turn off ActiveX except for microsoft.com.
As an aside, being a Vista beta tester, I can assure you that while phishing and popups are more locked down (you can even disable turning off the status bar and location bar in new windows), ActiveX is still set to prompted download in the Internet zone. That is just plain silly. ActiveX is one of the primary attack channels into IE, the one that doesn't even need to exploit unofficial back doors (it's a "front door").
-steve
I remember running 3.51 on my 486/66; it was slick. It had the win3.x gui, "program manager", rather than the win95 one, but it just kept going.
One reason for it potentially being so good is it was the closest NT ever was to a microkernel; the GUI really was user mode code running in the win32 subsystem. A duff display or print driver could never bluescreen the system, just the win32 subsystem. Which was bad enough, but at least you could normally shut it down.
NT4 pulled drawing kernel side, so any print/display driver will toast the OS.
> Dude, you're the man - a whole university?
Only a little one, that issues degrees and doctorates by email. You may have got some of our adverts in your inbox.
We specialise in a limited number of courses:
-Nigerian banking
-0EM software
-Phishing; basic and advanced.
The Phishing course is becoming more popular, as we actually offer a discount on the degree if you successfully collect the SSNs and banking details of a thousand new individuals. You may also be interested in a doctorate, though as PhDs require actual work, you'll need to spend time writing and monitoring the phishnets that I'm devising.
-steve
This is very funny from a historical note.
Most optical mice have a chipset from Agilent (look for the * logo on the bottom). It was originally designed for a portable scanner, the HP Capshare, that had battery+scanner+IR link on it.
The trick in the box is stitching software; you would scan back and forth, turning it on a page without lifting it, and the firmware would work out what the content was. Like optical mice, it doesn't work on shiny pages.
The product crashed and burned, but at least the silicon could be turned into mouse silicon instead, in the process actually increasing the selling price of a mouse. Who wants a no-good ball mouse, the junk you get bundled with a PC?
I still have a Capshare scanner; it's actually quite useful for discreetly scanning bits of books at the local university.
I have an inherited
I just upgraded my PII/300/256MB laptop to Suse 10.0.
It's my home music server, running the slimserver stack; it's the public postfix and http daemon for the domain. It's the SSH/CVS server for code I do. Now, KDE does crawl, but it's rare that I use that; more often I just ssh in and run apps on the remote machine, that being the miracle of X11. By having a single OS image across all my Linux boxes, home and work, I can shovel binaries around more easily.
To conclude: new Linux distros do run on old boxes, you just can't expect to have the same experience running the OS on a two cpu Xeon core with 1GB of memory. Yet, with Linux, you can do interesting things with old boxes. With an old Windows box, all you have is a security hole.
OEM versions of the product go out of their way to be pathologically bad here. By storing the restore image somewhere on the HDD, they let the rootkits find and contaminate that too.
If you have an MSDN subscription (like Windows developers do), you can pull down ISO images to burn. But it still takes ages to install and patch Windows+apps to work, compared to say the afternoon it took me to get Suse 10.0 on.
I don't think things will improve either. I installed Vista onto a vmware image and the virtual HDD was up to 9GB after install. 9GB, and still shipping with Outlook Express as the mail client. If they were security conscious, they'd have shipped Thunderbird.
Word and Write files can host and render WMF files internally. The fact that nobody has written a file that uses that as an attack vector doesn't mean that it isn't possible, only that there is such an easy (and consistent) route to owning WinXP that nobody has bothered with the older systems yet.
After all, if you are a bot author, would you rather build and test for WinXP or support legacy Win98 boxes with their weaker networking stack, device driver problems, etc. Think of all the support calls :)
I built my own release.
The code is only 200 lines, and is primarily patching logic with a switch in there. The biggest risk is that it patches the wrong place and doesn't provide protection, the next that it doesn't uninstall. Those are hard to test.
Win31, still 16 bit, used the Intel segments to manage memory. You had to alloc separate code and data segments, and use an API call, PrestoChangoSelector, to flip it. The segments were only 64K and special 'huge' pointers were needed to do the proper arithmetic on a set of sequentially allocated segments.
That went away in 32 bit mode, because 32 bits was all we needed, and because 'flat' is simpler to work with. And because security in WinNT was about untrusted users on trusted 'enterprise' systems, not trusted users with untrusted data.
I have the December beta on vmware; I need a safe version of the exploit to test it. I bet all Vista does is stop the third party hotfix from working.
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot for things like caching images of every OLE object embedded inside an MS Word or PowerPoint document. There just happens to be one operation to set a callback when printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into Windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (Lotus Notes, maybe MSWord, even Google Desktop Search) is vulnerable. This is potentially code red for the desktop.
I have the patch on all my systems; the author works for IDA, the debugger tool, and is well respected. I don't care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for Microsoft though: a third-party emergency fix for Windows, in the same year that Vista, "Windows Secured", is due to ship.
I've been running the latest Vista preview on vmware, works well, though you need to install the vmware display drivers to get out of 16 colour VGA mode, a mode where the install GUI really sucks.
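As an added example (not code from the original comments), the record walk below flags the META_ESCAPE / SETABORTPROC record that the comment describes, which is what a mail gateway or desktop-search indexer would look for before handing a metafile to the renderer. The record and escape constants are the documented WMF values; the sample metafiles are constructed inline, carry no payload, and are only here to exercise the scanner.

```python
"""Minimal WMF record scanner: flags SETABORTPROC escapes and malformed records."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the WMF header
META_ESCAPE = 0x0626           # WMF record function that maps to GDI Escape()
SETABORTPROC = 0x0009          # Escape subfunction that installs an abort callback
META_EOF = 0x0000


def iter_records(data: bytes):
    """Yield (offset, function, params) for each WMF record.

    Record layout: DWORD size in 16-bit words, WORD function, then parameters.
    A size below the 3-word minimum, or a record running past the buffer, is
    reported once as (offset, None, rest) and the walk stops.
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError('truncated WMF header')
    file_type, header_size = struct.unpack_from('<HH', data, pos)
    if file_type not in (1, 2) or header_size != 9:
        raise ValueError('not a WMF header')
    pos += header_size * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            yield pos, None, data[pos:]
            return
        yield pos, func, data[pos + 6:pos + size]
        if func == META_EOF:
            return
        pos += size


def find_setabortproc(data: bytes):
    """Return [(offset, description)] for every record a filter should reject."""
    findings = []
    for offset, func, params in iter_records(data):
        if func is None:
            findings.append((offset, 'malformed record (bad size)'))
        elif func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from('<H', params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append((offset, 'META_ESCAPE SETABORTPROC'))
    return findings


# --- constructed sample metafiles (not real-world files) ---------------------

def _record(func: int, params: bytes) -> bytes:
    """Encode one WMF record; params must be an even number of bytes."""
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Wrap encoded records in a standard 18-byte WMF header plus META_EOF."""
    eof = _record(META_EOF, b'')
    body = b''.join(records) + eof
    max_record = max(len(r) for r in list(records) + [eof]) // 2
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


BENIGN_WMF = build_wmf([
    _record(0x0103, struct.pack('<H', 8)),                  # META_SETMAPMODE
    _record(0x041B, struct.pack('<4H', 90, 90, 10, 10)),    # META_RECTANGLE
])
SUSPICIOUS_WMF = build_wmf([
    _record(0x0103, struct.pack('<H', 8)),
    _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'\x00' * 4),
])
# A record claiming a 1-word size: cannot even hold its own header.
BAD_SIZE_WMF = build_wmf([struct.pack('<IH', 1, 0x0103)])
# Same suspicious file behind a placeable header (magic, hmf, bbox, inch, reserved, checksum).
PLACEABLE_WMF = struct.pack('<IHhhhhHIH', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + SUSPICIOUS_WMF

if __name__ == '__main__':
    for name, blob in [('benign', BENIGN_WMF), ('suspicious', SUSPICIOUS_WMF),
                       ('bad-size', BAD_SIZE_WMF), ('placeable', PLACEABLE_WMF)]:
        print(name, find_setabortproc(blob))
```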
http://www.1060.org/blogxter/entry?publicid=45137
VMware can only emulate "trusted" hardware like TPM units if it has a private key of a unit, one that can be somehow linked to a "trusted" TPM authority. That is the key that TPM units never ever provide to the outside world, so you are left with a reverse engineering or brute force cryptography problem.
-Steve
XP encrypts the crypto keys with the current password value, so if you reset the password, you still don't have access to encrypted bits of the HDD. Unless, of course, the system you have acquired is a laptop/PC in hibernate mode, in which case they will probably be stored in the clear somewhere (I guess :)
This is a very subversive article. Oceania has always been at war with Eurasia. To think otherwise is a crime.
I have a TCPA chip on my laptop. What does it do? It stores the private keys for whenever I encrypt bits of the NTFS hard drive. What bits of the HDD do I encrypt? The directory containing all my SSH public keys, anything that may contain financial info (like PDF receipts of purchases, other things).
For me, the TPM lets me lock down a box more securely. Admittedly, there could be other ways to do it, like having the whole HDD encrypted (including swap/hibernate files) and requiring a smartcard+PIN to be entered before booting the box. But with the TPM in the corporate laptop, it's actually a good way of securing personal data.
Incidentally, hardware vendors don't care about piracy; all they worry about is cost of goods sold (CoGS), annualized failure rate, and the Microsoft WHQL PC guidelines (the ones you need to pass to get the MS logo and the corresponding rebate). TPMs are going in to corporate laptops, because they let the IT dept lock down the box against spyware, trojans and end users. They are not (currently) going into consumer PCs, because $3 there is better spent on improving the graphics. If and only if MS demand it in the WHQL guidelines, then it goes in.
As someone who keeps their network wide open (it stops you being complacent about per-machine firewalls and intra-box protocols), I'm interested too.
One thing is that there is that ongoing work about machine fingerprinting based on random numbers in TCP sequences, clock skew, etc. Even behind a NAT system, it is likely that you are exposing some unique machine information. Enough that with the machines in your possession, they can say "this is the machine that did it". Of course, if their experiments don't show a match, they probably are not going to mention it.
Another point: given how insecure WEP encryption is, having a WEP-enabled WAP is effectively having an open WLAN, except you are pretending that it is somehow locked down. If you are liable for any downloads that happen on your lan, then you should not connect any WEP WLAN AP to the network.
Hey, it cuts both ways. We in the EU get spam telemarketing junk from US companies. Do you think the DNC list made all those telemarketers give up their careers and switch to spamming people for "OEM" software? No, they just take advantage of VoIP and low cost international dialling to annoy us Europeans.
And no, there isn't really anything we can do about it either. The best bet is to put them on speaker phone and have a long and fruitless conversation. If you argue they hang up, but if you sound interested but distracted by local crises (small children, kitchen fires, etc), they go on hold for a bit. The trick is to get their hopes up before you put them on hold.
You don't need to wait that long. Civilian GPS is neither encrypted nor signed. You could create a fake GPS base station and create false coordinates within the coverage range to see what drastic effects it would have on the system.
Just like the UK experiments, these trials are bogus. They are giving some tech to volunteers to see "does this make you drive at the speed limit". Better to force it on some consistent speeders as an alternative to license removal to see if it changes their behaviour or discover how much effort it will take to attack the system.
Possible attacks:
-snip the antenna when you are in a freeway tunnel; last known location was a 70mph zone.
-take the car abroad (or generate the GPS signals to simulate germany), then snip the antenna.
-load in a fake map with all road speeds set to 150mph.
Oh, you could have so much fun here. It'd be like region-free DVD players. "Hello, I'd like an Audi S3." "Yes sir, will that be with GPS speed control, or would you like that feature disabled?" "Disabled please." "Certainly, $500 more."
-steve
Yeah, my VW Passat 1.8T was limited to 130mph, which is exactly what the tires were up to; I only encountered it once when it was fairly new, as I discovered mid-overtake that the turbocharger engages at 95mph in top gear.
My current VW Touran 1.9TDi minivan doesn't have an explicit top speed, but doesn't like to go above 100mph due to air resistance, even in countries (France, Germany) where you can get away with it. In exchange for lower performance it does 45mpg at 70-75 mph. (UK gallons==4.5L)
Realistically, both top speeds are moot in most countries.
The Lego 'bots came from the MIT Media Lab; they used to give away the PCB with a parts list, long before it was commercialised. That was a display-less design, but they had other interesting things instead: IR badges on people so they could be identified, solar powered room beacons so 'bots could tell where they were. It was a full infrastructure built on dirt cheap parts.
If Lego don't do Mindstorms well then yes, maybe we should get out there and do an OSS-like hardware family. The hard part is integration with the rest of the build kit, and here, to be ruthless, I'd go for fischer-teknik (spelling?) over Lego.