Yeah, I seem to remember once ordering computer parts from an e-tailer called "GoogleGear.com", which was an infringement upon Google's name and promptly shut down.
Shame... without such a recognizable name, my search for "motherboards" has wound up at some other e-tailer (but it wasn't "DisneyGear.com" either).
A guy suggesting, seriously as far as I can work out, that you can replace Outlook with TELNET(!) is marked "Informative"?
All jokes aside, if their shop is running Exchange 2007, SMTP won't be accessible for him. He'll need to talk MAPI to the Exchange server, which technically isn't even a protocol itself, but instead runs over M$ RPC.
Anyone know how to send MAPI commands using TELNET?
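To make the contrast in that comment concrete, here is an added example (not from the thread) of the thing the "use telnet" suggestion actually relies on: SMTP is a line-oriented ASCII protocol, so the whole exchange can be typed one CRLF-terminated line at a time. The server side is a constructed toy that speaks only the verbs used here and stores mail in a list; it is not Exchange, and the hostnames and addresses are made up. MAPI has no text form of this kind, which is why the same trick has nothing to type.

```python
"""SMTP typed by hand over a raw socket, against a toy in-process server.

Added example, not from the thread. Every client step is one CRLF-terminated
ASCII line and every server reply starts with a 3-digit code, which is the
only reason a telnet session can stand in for a mail client. The server is
a constructed toy (not Exchange) that understands just the verbs used here.
"""
import socket
import threading
from typing import Optional

CRLF = "\r\n"


def _recv_line(sock: socket.socket) -> Optional[str]:
    """Read one CRLF-terminated line; None on EOF. Byte-at-a-time is fine for a demo."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf.decode("ascii", "replace")[:-2]


def _serve_one_session(srv: socket.socket, mailbox: list) -> None:
    """Accept one client and speak the smallest SMTP subset the client needs."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"220 toy.example ESMTP ready\r\n")
        sender, rcpts, body, in_data = "", [], [], False
        while True:
            line = _recv_line(conn)
            if line is None:            # client went away without QUIT
                return
            if in_data:
                if line == ".":         # end of message
                    mailbox.append({"from": sender, "to": list(rcpts), "body": "\n".join(body)})
                    sender, rcpts, body, in_data = "", [], [], False
                    conn.sendall(b"250 OK queued\r\n")
                else:                   # undo dot-stuffing (RFC 5321 section 4.5.2)
                    body.append(line[1:] if line.startswith(".") else line)
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 toy.example\r\n")
            elif verb == "MAIL":        # arg looks like FROM:<addr>
                sender = arg.partition(":")[2].strip().strip("<>")
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":        # arg looks like TO:<addr>
                rcpts.append(arg.partition(":")[2].strip().strip("<>"))
                conn.sendall(b"250 OK\r\n")
            elif verb == "DATA":
                in_data = True
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"500 Command not recognized\r\n")


def send_by_hand(host: str, port: int, sender: str, rcpt: str, body_lines: list) -> list:
    """Send one message by typing the dialogue a telnet user would; return the transcript."""
    transcript = []
    with socket.create_connection((host, port)) as s:

        def expect(code: str) -> None:
            reply = _recv_line(s) or ""
            transcript.append("S: " + reply)
            if not reply.startswith(code):
                raise RuntimeError(f"expected {code}, got {reply!r}")

        def say(line: str) -> None:
            transcript.append("C: " + line)
            s.sendall((line + CRLF).encode("ascii"))

        expect("220")
        say("HELO laptop.example")
        expect("250")
        say(f"MAIL FROM:<{sender}>")
        expect("250")
        say(f"RCPT TO:<{rcpt}>")
        expect("250")
        say("DATA")
        expect("354")
        for text in body_lines:         # dot-stuff lines that begin with "."
            say("." + text if text.startswith(".") else text)
        say(".")
        expect("250")
        say("QUIT")
        expect("221")
    return transcript


def demo() -> tuple:
    """Run toy server and hand-typed client on a loopback port; return (transcript, mailbox)."""
    mailbox: list = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_serve_one_session, args=(srv, mailbox), daemon=True)
    worker.start()
    transcript = send_by_hand(
        "127.0.0.1", port, "me@laptop.example", "you@example.org",
        ["Subject: typed by hand", "", "Hello from a raw socket.", ".leading dot survives"],
    )
    worker.join(timeout=5)
    srv.close()
    return transcript, mailbox


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The transcript printed by `demo()` is exactly what you would see in a telnet window, including the dot-stuffing of the last body line, which is the detail people forget when typing mail by hand.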
With 20.6 MILLION data points, these are laughable results at best.
Define "attack". Then go define "originate".
If "attack" comes back as "unknown intentions" and "originate" comes back as source IP address, all we can say for certain is that the Internet is no safe place in 2008. But we already knew that.
Actually, if neither the GOP nor the Dems are on the ticket, and Bob Barr is (and he wins because there's nothing left to choose from), that's great for third parties in general. It will get publicity to the other people out there that there are more choices than "red" or "blue" (violet?).
It's not like it will totally throw the election; there are still 49 other states to win (and the crypto hocus pocus numerology we call the electoral college). Either Obama or McCain will still be elected, but maybe we might just have a significant amount of folks who stand up and say "hey, I have at least one more option here". That just might keep both parties more honest.
Where do you work? I'd just like to know, so that I don't deal with your firm. If they're hiring such unskilled talent, I don't think I could trust them to store my personal and private data securely.
This is flamebait because... ?
Seriously, if the OP included his employer's name, you'd all be thinking the same thing (and probably sending mass emails to all of your friends & family-- you geeks!). This AC just took the time out to beg the question we were all thinking.
Assembler. Forget about Slackware and all the other already-coded distributions. Learn assembler and code everything yourself. It's the only way to learn.
Chicken$h!t, weenie! The best way is to read instructions in binary op-codes. All that hand-holding, high-level abstraction in assembly prevents you from knowing what is REALLY going on in your registers.
It already exists. It denies the "Digital Rights" referred to as "Read-Only" and "Read-Write". It's commonly referred to in the vernacular as "access denied". It requires the pre-condition of "no read access".
Haven't you ever seen that commercial where the girl keeps trying to pull down her picture off the bulletin board but a copy of it remains?
Well, there is another way of controlling information post-read-access, but it's considered illegal and unethical in most nations (timely murder and brain-washing).
Slackware. Forget about Redhat and all the other GUI-fied distributions. Install Slackware and do everything yourself. It's the only way to learn.
This is good advice. I did the same back when I was in school, thinking it was pre-requisite knowledge for an IT job. Then I got my first IT job and became disillusioned at all the idiots who were making more money than me and had no clue how it all worked. They kept looking for the next--> next--> finish buttons.
Back when I learned, Google was around. Turns out, it still is.
Most of the modern Linux distributions have excellent package management. Most of them take care of 99% of the deploy "correctly" or "securely" issues. The only downside is that no two packages put everything in the same place on the local file system. But that's no big deal, especially if you compare/contrast to other distros.
Shoot, you can get an Ubuntu server installed as a VM in 15 minutes. (I don't see the need for dedicated server hardware, unless you're focusing on nuances of driver and hardware setup.)
Follow these steps:
1) Install base
2) Install app from package
3) Add custom content to package
4) Scan with the whole slew of freebie security scanning tools
5) Realize that at this point, you're better than most orgs already.
In related news, most companies admit they run Windows.
Wow. What a textbook troll. Didn't know you still existed (your slashdot ID suggests you're an original slashdot troll).
Disclaimer: I am no MS fanboy. [This is typed on FF3 on Leopard, but I also run Windows and Ubuntu in VMs.]
Are you just trying the laffy-taffy equivalent of a slashdot joke from 1999? Or do you seriously believe that security is still a "Microsoft problem"? The problem is that nobody can "comprehend" their large pile of software, which is comprised of the foundational pile (languages, APIs, frameworks, etc.) and their own additional pile. To do "security" you really have to do "correctness". Most software vendors cannot even define "correct" behavior for their apps (they're so unwieldy), let alone prove their implementation follows the "correct" behavior model. Here are a couple of examples to refresh your aging memory...
Debian OpenSSL - SSH keys
Redhat's tight-lipped, who-knows-how-bad-of-shape-we're-in incident that at least required new code signing keys.
Apple's constant delay in shipping patches to all the open source software in their large pile of code they call "OS X"
The stream of iPhone security bugs (and this is our next generation of enterprise messaging portables?)
And the daily deluge of SQLi, Command Exec, XSS, CSRF, PHP file includes, etc., on Milw0rm.
Not even the academics can help us (at least not at the moment). Proving that a program is "safe" for any possible input turns out to be as difficult as the Halting Problem (which is undecidable).
This is all EXACTLY why all the comments that said ~ "I'm more concerned about the security pros who said unauthorized disclosure wasn't possible" are DEAD ON. So, use the following pseudo code to create the correct response...
Select $why CASE ($why == luddite): try {admit you have no clue about the state of software security in the early 21st century}
CASE ($why == badjoke): try {put away your slashdot laffy taffy}
CASE ($why == needattention): if (parents.exist) try {make amends with disapproving father} if (generalAnger) try {attract with honey !vinegar} if (!friends) try {make friends && influence people} if (!hobbies) try {join charity} ESAC
1) Introduce factors to mitigate the risks against an asset.
2) Reduce the value of an asset.
They have tried for years to do #1. When will they try #2 (as in a new business model that doesn't involve digital media as expensive/valuable assets)?
I can't claim to match the 40 years LOGO has, but I can claim that my first computing experience was making the turtle do what I wanted on the good ol' Commodore 64. I was 7 years old. By about the time I was 9, my computing curriculum included replacing the turtle with custom single-color bitmaps. If you did it right, you could feign animation-- one image with a guy who is taking a step, one image with the guy's legs together; "pick up the pen", move a few pixels in the positive direction, replace the cursor bitmap, move a few more pixels, replace with the original bitmap; repeat.
It was great fun while it lasted. A digital (but so low tech to today's standards) picture flip book. And it taught me procedural coding techniques. I'm glad the "turtle" was part of my past.
Just from looking at your post history it's like you refuse to RTFA and continue with your denial. What's in it for you? Worried about stock price or profit sharing or something? Or do you work there and this is your bad design/feature that's being ripped?
Don't let the troll keep this post down. Just because the troll doesn't understand that there are threats involving this "feature" that really can expose data on disk without knowledge of the password, doesn't mean that the rest of us don't want to read this AC post.
This is flamebait... why??? Why can't there be a version with the feature and a version without-- it's one component of an array of components. It's changing out a couple of binaries during the packaging process. That's it. What's wrong with that?
Besides, even if somebody disagreed that a fork was a good idea, it's one opinion on how to attempt that. Who has a vendetta for 'camperdave' and why choose to act on it at one of the most obvious times?
Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.
Sheesh.
Hey idiot! Go back to watching your "Full House" re-runs ('sheesh').
I did not say that somebody who DOESN'T have a passphrase could turn the feature on. RTFA and realize that any USER (get it? Not "admin") can use this feature, enabling the bypass. Sure, today, (again, you near-sighted idiot) the only way to use this is through the command line, but this is a crypto operation, not a connection to your mom's website, meaning there is no record of who makes crypto operations. It might be a trojan (which yes, I get it, it's got your passphrase), but imagine this: a worm like the storm worm gets modified to (in addition to the myriad of things it does) capture users' passphrases, add the bypass, and modify the PGP Boot Guard to not remove the bypass... ever. Then a random theft (get it? by somebody who doesn't know squat about PGP WDE) has access to data whilst admins think all is safe. What users will report that the nagging pre-boot auth dialog stopped working (as if they'd ever even notice)???
And of course, (again I'll get enjoyment for calling you an idiot) an admin who uses this feature but has an adversary pick up the device PRIOR to the reboot happening and the oh so magical PGP Boot Guard removing the bypass... well, that suddenly is unauthorized access by somebody who doesn't know the passphrase and didn't social engineer a user into giving it up.
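The disagreement in the last few comments comes down to one distinction: the passphrase is needed to arm the one-reboot bypass, but not to use it. The following is an added toy model written to make that executable; it is not PGP's code and does not describe PGP WDE's actual implementation. The class, the "guard clears the flag" switch, the unprompted-boot counter and the four scenarios are all assumptions of the model, built only from what the thread states: arming needs the passphrase, an armed bypass lets the next boot come up unlocked without a prompt, the boot guard normally clears it after that one boot, and nothing records who armed it.

```python
"""Toy model of a one-reboot pre-boot-authentication bypass.

Added example. NOT PGP's code and not a description of PGP WDE's real
implementation: the class, the guard switch, the counter and the scenarios
are assumptions made to put the thread's argument into runnable form.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class EncryptedLaptop:
    passphrase: str
    bypass_armed: bool = False
    guard_clears_bypass: bool = True   # normal behaviour: one reboot, then prompt again
    unprompted_boots: int = 0          # consecutive boots that skipped the prompt

    def arm_bypass(self, supplied: str) -> bool:
        """Any local user who knows the passphrase can arm it; no audit record is kept
        (modelled after the thread's complaint that crypto operations leave no trace)."""
        if supplied != self.passphrase:
            return False
        self.bypass_armed = True
        return True

    def boot(self, supplied: Optional[str]) -> bool:
        """True if the OS comes up with the disk unlocked."""
        if self.bypass_armed:
            if self.guard_clears_bypass:
                self.bypass_armed = False      # consumed by this boot
            self.unprompted_boots += 1
            return True                        # nobody was asked for anything
        unlocked = supplied == self.passphrase
        if unlocked:
            self.unprompted_boots = 0          # a real prompt was answered
        return unlocked


def looks_tampered(laptop: EncryptedLaptop) -> bool:
    """Detection heuristic of this model (not PGP's): a legitimately armed bypass
    can explain at most one consecutive unprompted boot."""
    return laptop.unprompted_boots > 1


def scenario_front_door() -> tuple:
    """No passphrase: cannot arm the bypass, cannot boot. The 'front door' holds."""
    lap = EncryptedLaptop(passphrase="correct horse")
    return lap.arm_bypass("guess"), lap.boot("guess")


def scenario_admin_reboot() -> tuple:
    """Intended use: arm, one unattended reboot, then the prompt is back."""
    lap = EncryptedLaptop(passphrase="correct horse")
    lap.arm_bypass("correct horse")
    return lap.boot(None), lap.boot(None), looks_tampered(lap)


def scenario_theft_in_window() -> bool:
    """Armed by the owner, stolen before the reboot: the thief boots without the passphrase."""
    lap = EncryptedLaptop(passphrase="correct horse")
    lap.arm_bypass("correct horse")
    return lap.boot(None)


def scenario_persisted_by_malware(boots: int = 4) -> tuple:
    """Malware that captured the passphrase arms the bypass and stops the guard clearing it."""
    lap = EncryptedLaptop(passphrase="correct horse")
    lap.arm_bypass("correct horse")          # the captured passphrase is needed exactly once
    lap.guard_clears_bypass = False          # modelled boot-guard tamper
    results = [lap.boot(None) for _ in range(boots)]
    return results, looks_tampered(lap)


if __name__ == "__main__":
    print("front door:", scenario_front_door())
    print("admin reboot:", scenario_admin_reboot())
    print("theft in window:", scenario_theft_in_window())
    print("persisted by malware:", scenario_persisted_by_malware())
```

Both sides of the thread are right about their own scenario: `scenario_front_door` shows that nothing happens without the passphrase, while `scenario_theft_in_window` and `scenario_persisted_by_malware` show boots that succeed with no passphrase ever presented to the booting party. The `looks_tampered` check is the one thing an admin could monitor for in this model, since a second consecutive unprompted boot has no legitimate explanation.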
OK, but what about cold boot attacks?
Creative Commons - Attribution
This is why philosophy should be taught (again) at the high school level.
Do you know how to get the Philosophy PhD off of your doorstep?
Pay him for the pizza!
<rimshot>
Grrr! *mumble* *mumble*
And I would have gotten away with it, too, if it wasn't for you meddling kids and that dog!
... GET OFF MY LAWN!
Kids these days
unless a DRM that can't be broken is invented.
Where's the Google Translate tool where "SourceLanguage=PsychoticRamblings"?
You're just a paranoid android.
What?! Somebody had to make the Radiohead reference.
Security : Paranoid
Gphone : Android
That's why you need to use thin clients in retail environments. No data to steal. It makes PCI compliance easier, too, just for that reason.
Was it on the blue carbon triplicate?
Nice reference.
This guy gets it. Why can't you?
Now go say hi to Jesse and the twins for me.