Okay, wrong reply (Yes, I scanned the article and saw the words 'microsoft' 'security' 'ask' 'question' and 0 comments, started typing like a wildman to be the first to type an intelligent question... and realised just a bit too late that it wasn't a call for questions).
Please mod me down before too many people notice my dumbness :)
The question that will be asked by a zillion people: what is your (personal) opinion on the full disclosure issue? Let me phrase that more specifically with an example: the latest security bug concerning the download of possibly malicious code by IE, when the download box shows a different file type. When this was originally posted on Bugtraq, the advisory was very limited in details; to quote one of his replies on this matter:
    Some details needed for reproducing and exploiting the flaw were left out of my posting because there is no good workaround or a patch available, and the flaw could be quite easily used maliciously. Using those details it would be relatively easy to create a worm that infects a system when a user "opens" a plain text file from an infected website, for instance. For the same reason there wasn't any test page URL included in my posting. That, and technical details, will be published later.
Unfortunately for those who oppose full disclosure, the issue was discussed on Bugtraq, which finally led to the details of the vulnerability. This means that the Microsoft-supported way of disclosing bugs (do issue an advisory, but do not publish any details that could be used in creating exploits) apparently didn't work out. Of course, there was a (small) delay, but eventually everybody knew about it before the patch was released.
My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits from being made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public.
Site down, but google saves!
on Uplink · Score: 5, Informative
The site http://www.introversion.co.uk/ gives a 403 error, but thanks to google we can still do some kind of browsing:
Main site: http://www.google.com/search?q=cache:HF4gZfFTKQQ:www.introversion.co.uk/uplink/+&hl=en
How to browse the site? Easy: just hover your mouse over a link, copy-paste the URL in google, and click the 'view google's cache' link. Browsing has never been easier! :)
Some quotes from the page:
"Redflag Joins Hands with EdgeMatrix of Singapore to Tap China's Multimedia Communication Market", nice to know that the linux distro taps communication.
"ControLinux finds application in lottery machine's operating system", yeah, it must be coincidence that the name is 'Control-inux'
I am connected to the net through surfnet, but I can't say I notice any differences. According to the surfnet website the link is done through TeleGlobe, and my traceroute shows teleglobe hops. Unfortunately my pings to America (specifically www.internet2.edu and www.uic.edu) are still over 100ms... so much for low pings.
Since this link was established half a month ago, it can't be routers that need to adjust their tables. Too bad, no high-speed pr0n^H^H^H^Hresearch material for me.
I am in the process of writing a paper about why it is a Bad Idea(tm) for governments to do more on the internet than just providing information. The Dutch government is busy with plans that would enable one to do the things mentioned here (pay tax, apply for funding, etc.). They have huge plans with lots of buzzwords like 'iris scan' and 'smartcard', but they forget that the John Doe behind the screen doesn't know what a computer does.
He doesn't know that clicking on an e-mail attachment (that seems to come from secretary@dutchgovernment.nl) could let a trojan loose on his system, one that becomes active AFTER authentication with smartcard/iris scan, one that changes keystrokes but doesn't show that to the user.
Doing things like this is acceptable for companies, because they are profit-based and take risks all the time. For governments, it is totally unacceptable that this is possible, but unfortunately they have spent literally millions of euros on pilots and can't reverse the process. Somebody has to make clear to them that the internet + computers == not a secure infrastructure, but well... is there anybody who will listen?
My apologies for my bad English, I'm Dutch.
I just returned from a night (it's now 5:43AM) of meteor-watching. Unfortunately the radar images didn't look too good: clouded all over Europe. We considered driving a few hundred miles for a while, but because that would give us much certainty, we decided to stay where we are.
The results weren't bad: at around 1:40UT the sky cleared (it was amazing: from fully clouded to clear in less than 10 minutes) and we could watch for around an hour and a half. We saw a total of 60 meteors (55 being Leonids) with 3 large ones (one being very spectacular).
We in Europe are in a bad position since the maximum is predicted at around 19:00 local time (when the radiant is still below the horizon), but we are going to try again tomorrow. Yes, it's cold; yes, we only see meteors for maybe an hour on an entire night, but when you see a huge meteor giving a trail that lasts for seconds... you know it's worth it.
The results of this expedition will be put next to our other ones, and can be found at our observatory's website.
Transgaming patches are NOT closed source
on "Lindows" Coming Soon? · Score: 3, Informative
I mean, how many closed WINE forks does the world need?
The transgaming patches are NOT closed source, they are just not Free Software. You can download them (see the winex project on sourceforge) or get them from CVS, you just can't use them for anything commercial. And... as soon as they have enough subscribers, they'll release it all under the Wine license. Okay, I must note here that I don't know the specifics about that one, but it's more Free than the currently used Aladdin license.
In #coverage on irc.slashnet.org our operators are posting the latest news on the events. The channel is +m, so please message opers with your (validated) news sources.
(cool graphics coming from another machine over modem are on the screen; yes, this modem is definitely broadband, otherwise it would be impossible to show such neat graphics)
Hacker1: Wow, what kind of modem is that?
Hacker2: It's a 28k8!!!
Hacker1: Amazing, marvellous, etc. etc.
(forgive me for not remembering the names, the wasn't that good :-)
Re:Will this cause problems for the ISS? - NO
on Meteor Showers · Score: 4, Insightful
No, it will not. Meteors you see are actually little grains of sand; I doubt those will have an impact on ISS.
On the other hand, meteor observation is a piece of astronomy that can easily be done by amateurs but that does have scientific value: new models are generated based on the observations, and these models help predict meteor showers (so that solar panels of satellites can be turned if huge amounts of spacejunk are expected).
The Perseids are relatively small; members of my local observatory saw 13 in 5 hours yesterday (okay, it was partly clouded). With a huge meteor shower such as the predicted Leonids (they were predicted to shower enormously for the past few years, but I didn't notice any of that), things may be different for ISS.
So, this cluster is relatively small
This cluster is relatively small: 133 nodes. At my university they had a 250-node cluster up for a day during the lustrumcluster project. They wanted to have a 365-node cluster (the number of years the university has existed), but had trouble getting enough machines. A friend of mine (who was a member of the group that built it) told me that it equaled a 99GHz Intel machine (they used 250 Intel machines with processors around 400 MHz) :-)
so, go slashdotters go!
The story has only 10 comments the moment I write this, and already the server is responding _very_ slowly. But heck, you could expect that if somebody is shouting 'go slashdotters go!'... :)
Well, after almost everybody got killed in the season finale a few years ago, and Cancerman was killed afterwards, X-Files kinda died.
Then Duchovny stepped out of it (the episodes with Mr. Family Man (*puke*) still haven't aired in the Netherlands, but I assume they suck bigtime), now Anderson. Going downhill fast.
In my opinion, Carter should've ended the series a long time ago, maybe with a cliffhanger, but the series lost the charm it had a few years ago.
What if I owned (I don't, by the way ;-) the domain www.microsoff.nl. I register my company 'Microsoff' here in the Netherlands, and claim I do window-cleaning (as long as the type of commerce you do is different, you can register a name here).
It should be possible for me to get a Verisign certificate for 'the Microsoff corporation'. Most users won't notice this, so I can trick people into running my code.
Is there anything that can be done against this? Has Microsoft trademarked all 'Microsoft'-alike names? Can Verisign refuse to give out a certificate?
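The question of whether a CA could refuse a 'Microsoff' certificate is the kind of thing a registration-time check can at least flag. What follows is an added example by the editor, not code from the comment's author or from any CA: it normalises the organisation name on a certificate request (case, accents, punctuation, corporate suffixes), folds characters that a hurried user reads as the Latin letter they resemble, and refers anything within one edit of a protected name for manual review instead of issuing silently. The protected-name list, the suffix list, the confusable table and the edit-distance threshold are assumptions chosen for illustration.

```python
import re
import unicodedata

# Organisation names worth protecting against look-alike registrations.
# Assumption for this added example: only "Microsoft" is on the list; a CA or
# a browser-side checker would carry a much longer one.
PROTECTED_NAMES = ["Microsoft"]

# Corporate boilerplate that says nothing about identity and is dropped
# before comparison ("The Microsoff corporation" and "Microsoff B.V." should
# compare equal).  Assumed list.
SUFFIX_WORDS = {"the", "corporation", "corp", "inc", "incorporated", "ltd",
                "limited", "bv", "nv", "gmbh", "llc", "co", "company"}

# Characters a hurried user reads as the Latin letter they resemble.  Digits
# are folded too, so a legitimate name such as "3Com" would also be referred
# for review: the check is deliberately biased towards a human looking at it.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0131": "i",   # dotless i
    "\u043e": "o",   # Cyrillic small o
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small e
    "\u0441": "c",   # Cyrillic small es
    "\u0440": "p",   # Cyrillic small er
})


def normalize(name: str, fold: bool = False) -> str:
    """Lower-case, strip accents, punctuation and suffix words; optionally fold confusables."""
    s = unicodedata.normalize("NFKD", name).lower().replace(".", "")
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    if fold:
        # Single-character confusables first, then the two-letter ones
        # ("rn" reads as "m", "vv" as "w").
        s = s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    words = [w for w in re.findall(r"[a-z0-9]+", s) if w not in SUFFIX_WORDS]
    return "".join(words)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_subject(org_name: str, protected=PROTECTED_NAMES):
    """Classify the O= value of a certificate request.

    Returns ("exact", name) when it is literally a protected name (the CA then
    has to verify the applicant really is that organisation), ("lookalike",
    name) when it merely resembles one, and ("ok", None) otherwise.
    """
    raw = normalize(org_name)
    folded = normalize(org_name, fold=True)
    for name in protected:
        target = normalize(name)
        if raw == target:
            return "exact", name
        if folded == target:                 # homoglyph substitution only
            return "lookalike", name
        # One edit for short names, two for long ones: "Microsoff" is one away.
        threshold = 1 if len(target) < 12 else 2
        if edit_distance(folded, target) <= threshold:
            return "lookalike", name
        if target in folded:                 # "Microsoft Support Services" etc.
            return "lookalike", name
    return "ok", None


if __name__ == "__main__":
    # Constructed sample applicants, not real certificate requests.
    for applicant in ["The Microsoff corporation", "Microsoft Corporation",
                      "Micr0soft Corp.", "Micr\u043esoft", "Window Cleaners B.V."]:
        verdict, name = check_subject(applicant)
        print(f"{applicant!r:32} -> {verdict} {name or ''}")
```

The check does not decide whether an applicant really is Microsoft; it only stops the near-miss from being issued without a human looking at it, and it helps only if every CA in the browser's trust list runs something like it.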
The main reason for the introduction of the activation code is to reduce the number of illegal copies. Unfortunately for Microsoft, software crackers are usually very intelligent people who are challenged by such a nice new copy-protection scheme. Therefore, I estimate that a crack for this new protection will be released within a week after the introduction of the new XP software.
A rumor I heard (but I can't validate it, it remains a rumor) is that the guy who cracked a Microsoft machine and had access to their network for about 2 weeks (article should be on /. somewhere) stole some snippets of code that were (coincidentally??) the ones dealing with the new activation codes. If that is true, then the crack can be released before the product ;-)
Ted Bardusch writes "Since the news that the human genome only contains 30000 genes or so (speculation had been like 142000), the model of one gene, one protein seems to be broken. As the NY Times put it in the op-ed piece by Gould http://www.nytimes.com/2001/02/19/opinion/19GOUL.html the model is now going to have to be far more complex. And the more complex it gets, the harder it is to see how a "simple" change can produce a series of mutations that leads to macro-evolution working. Like the irreducible complexity argument that Behe uses, this provides further fuel to the need to revisit the validity of Darwin. After all, Darwin himself stated that his theory would be invalid if there were complexity found at the cellular level. This shows there is huge complexity at an even deeper level."
What? Our 400+ node network (at a campus) is completely run by students, and I bet that we're far more secure than the network created by the average MCSE-certified nitwit.
You state that students "aren't equipped with the intellect and maturity needed to have this kind of position". As a student (20 years old, studying Information Technology in the Netherlands), I am now the unofficial security expert at a company that makes e-business solutions. You may have had bad experiences with students, but I guarantee you that the students who are interested in these kinds of positions are the ones who have more knowledge of security than the average software developer.
Remember the predictions for the Leonid showers for the last couple of years? Last year, there were about 5 predictions about the peak time, and none of them was correct.
Sites from NASA & ESA both picked a prediction and told the world that that would be the time, so sorry if I don't believe this instantly...
Kivio is maybe not a recent addition, but Yet Another Tool From TheKompany That Looks Like Something We Know From Windows (YATFTKTLLSWKFW)
--
No, it's April Fools' Day already here in Europe, so it could be... ;-)
--
But there are like 20 or 30 CAs in my browser's list, some of them with very obscure names. Will they all refuse it?
--
- Quickly design graphical applications
- use pre-fabbed components
- a language that every idiot can use
- a RAD (rapid application development) tool
You need: Kylix
I went to a free seminar a few weeks ago, and it looked really impressive.
--
The ./configure script shows on my system:
checking DVD CSS code... no
looks like it's already there :)
--
This says exactly the opposite.
--
This is the shortest description of an article that I've ever seen on slashdot in the last 2 years... ;-)
--