

User: InlawBiker

InlawBiker's activity in the archive.

Stories
0
Comments
326

Comments · 326

  1. "Did not contact Oracle first." on Emergency Workaround For Oracle 0-Day · · Score: 3, Insightful

    "Whoever published the vulnerability and matching exploit code did not contact Oracle first."

    It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.

    I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

    Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.

  2. Re:Normal People? on Apple Climbs Into Third Place In U.S. PC Market · · Score: 5, Insightful

    Almost everybody out there, including the true geeks, runs Windows at work because they have to. Linux, Windows servers, XP desktops, Solaris, whatever corporate buys. Everything EXCEPT Macs.

    At home we have a Macbook. Why? I don't mind running XP at work, but I'm not shelling out my own dough for Vista. I'd rather give it to Steve.

    I think the backlash against Vista, whether justified or not, has caused a lot of people to look at Macs and to some degree Linux.

  3. MD5 on Package Managers As Achilles Heel · · Score: 1, Redundant

    The summary is a little misleading because you can't just replace, say, 'ls' with 'exploit-binary-named-ls' because it'd fail the MD5 check. But a MITM constructed like they suppose could easily work. Briefly, it is:

    1. Set yourself up as a mirror
    2. Put old packages up with known vulnerabilities.
    3. Distribute "updates" listing the old packages as new updates.
    4. Watch your logs to see who updated with old packages, then go PWN them.

    It also counts on lazy admins, but garsh how rare are those.

    I guess it comes down to controlling distribution of the updates. Kudos to these Arizona guys. This is a really simple method that can cause complete mayhem in uncountable ways.

  4. Home Movies on Seagate Announces First 1.5TB Desktop Hard Drive · · Score: 2, Interesting

    I don't think HD movies and the like are the main reason. A ripped Blu-ray movie for instance is really huge, but you just need enough work space to rip and compress it down to something usable.

    Home movies is a legit use. I recently converted all of my home movies to digital, from Hi-8 through a capture card. The raw, uncompressed data is really huge. My once "massive" 500GB drive is about full.

    Plus you need more disk space to edit the movies, and a way to back it up (compressed), but it's much easier to work on uncompressed video.

    I'm still recording on mini-dv. Now imagine the space you need for HD home movies.

  5. Re:As a member of the Church of FSM on Louisiana Passes Intelligent Design Law · · Score: 1

    All this law does is provide legal protection for teachers to teach "alternate views" to the Theory of Evolution. It is NOT exclusively restricted to ID teaching. This could, logically, also include FSM theory. So don't worry, be Happy! Teachers in LA can now ALSO tell children about the Noodly beginnings of humanity in addition to other creationist teachings.

    The first teacher in LA who actually does this has my vote for Teacher of the Year.

    Now, if I only had a vote...

  6. Re:Strategy guide? on Web 2.0: A Strategy Guide · · Score: 0

    Yeah, it's called "Ruby on Rails."

  7. Perfect on Asus Confirms Specs, Price of Eee PC 904 and 1000 · · Score: 5, Funny

    Every possible combination of screen size, chip, storage and memory have been packaged and named almost identically. Asus' plan to thoroughly confuse customers is complete.

  8. Re:More independent verification needed on Massive, Coordinated Patch To the DNS Released · · Score: 3, Funny

    It's easy, you just look for a comment like: /* BEGIN bug causing possible MASSIVE future EXPLOIT. */

  9. Re:Sinisterness on Massive, Coordinated Patch To the DNS Released · · Score: 1

    Release malware in the form of a "Patch" to "Fix" the issue exploiting thousands of servers.

    Well, you have to trust your vendor at some point right? Trust enables us to run yum or apt-get without having to read every line of source code for each upgraded package. I suppose having an open-source vendor is an advantage if you don't trust your supplier. But if you don't trust them why are you using them?

    The fact that so many are doing this at once might be a clue that it's real.

  10. Re:Just cancel your eBay account on EBay Abandons Plans For PayPal Monopoly · · Score: 3, Interesting

    I have sold a lot of stuff on Ebay too, but I quit in favor of Craigslist. This Ebay maneuver was just a calculated way for them to muscle sellers into giving Ebay a bigger piece of the pie. It's the 'ol "gain monopoly then exploit" plan. There needs to be a name for it. There probably is but I can't think of it...

    Also here's the obligatory grammar gripe. "Have big corporations finally learned that they can go to far." Where is this "far" place and how do I get there?

  11. Re:Can't lose money? on Poker Program Battles Humans In Vegas · · Score: 1

    You could be right, it depends on the poker AI. In chess everything is known so all possible moves can be calculated. But a chess player can disguise a strategy, causing a computer to calculate probable moves incorrectly. If it's done well the computer will make moves to defend an attack that never comes. That's sort of a bluff.

    I would think that the best poker AI does not try to anticipate what's in the player's hand based on what he does, but stays strictly with math based on known cards. The minute the AI starts adjusting to what opponents are doing it becomes vulnerable to being tricked.

    Either way it's an interesting problem. It's entirely possible that, since poker is a game partly based on luck, both human and computer are playing perfectly enough to never know which is really better.

  12. Re:Can't lose money? on Poker Program Battles Humans In Vegas · · Score: 4, Informative

    The online poker houses don't ever "win" because they're not in the game. They're just the host, and they make money by taking percentage of the pot for each game.

    It's for this reason they have an interest in making sure the games are fair. If there was ever reason to suspect the games were weighted or unfair everybody would leave to another host.

    They are way too busy (literally) raking in the dough to cheat. The big online poker sites go through a lot of trouble to keep their reputation clean.

  13. Re:Can't lose money? on Poker Program Battles Humans In Vegas · · Score: 4, Insightful

    The online poker sites are already filled with "bots" that play statistically perfect poker. Or at least perfect enough to earn a profit over time.

    It's not a terribly difficult calculation to know if a bet has sufficient pot odds. Playing against imperfect players a bot is virtually guaranteed to make money.

    Against professionals though it might have trouble winning, since pros also calculate pot odds more or less perfectly, but can change their play to throw off the computer. It's sort of akin to how a chess master might beat a computer.

  14. Re:Continue Building! on Freeze On US Solar Plant Applications Lifted · · Score: 2, Funny

    Indeed. And what about the prospect of offshore drilling for solar power? How many seagulls and fish will it displace or kill? I know it's next on the BU$H Agenda, don't try to pretend otherwise!

  15. Re:I discovered this the hard way on AVG Fakes User Agent, Floods the Internet · · Score: 4, Informative

    They are attempting to help their customers at the expense of everybody else on the Internet. If I understand the article, they're pre-scanning every possible URL on a page. In essence they're clicking every possible link before you do.

    For instance I searched for "avg" on google and counted the number of "href=" appearances on the resulting page. It happened to be an even 100. AVG is visiting ALL of those HREFs in the background. A user will click on only one.

    I would assume their scanner is smart enough to remove duplicate HREFs and do some other smart things. But still, this is a terrible idea. I guess we all have to go buy more servers and bandwidth so the anti-virus people can make a living now?

  16. Re:Dirty thieves on Expensive Books Inspire P2P Textbook Downloads · · Score: 2, Funny

    I know where they are. There are several hundred pounds of them in my basement. They're there because I missed the deadline to sell them back to the bookstore before a new edition came out and now I'm stuck with them. But I figure if I hold on to them long enough, eventually a new edition will come out re-arranged in the exact configuration these old ones are in and they'll be worth something again.

  17. Re:About time! on Expensive Books Inspire P2P Textbook Downloads · · Score: 4, Insightful

    Yet another industry's outdated business model falls victim to progress. Publishers and authors have a right to earn a living from their work, but so long as they're unfair about it people will subvert the system.

    Textbooks are ideal for digital distribution - no shipping, no heavy books to carry, and they're searchable. They'll just have to drop the hefty, inflated pricing model. Sorry guys!

    Publishing will go digital, kicking and screaming, but they'll go. Amazon knew this, why do you think they're pushing the Kindle so hard? As an avid reader I'm almost on board but not quite yet.

  18. Re:Reason to love America on Ebay Fined $61M By French Court For Sales of Fake Goods · · Score: 2, Insightful

    EBay is simply an auction house, facilitating the auctioning of products.

    Ebay is not just a simple auction house. They're obligated to follow local laws within the areas they sell, and it's enormously complicated. Otherwise they'd just be a huge fencing operation for stolen or illegitimate goods (which one could argue they are, but that's another story.)

    So the question becomes whether Ebay did everything required by law to stem the sale of counterfeit goods. I would imagine right now any company who has ever had their goods copied and sold on Ebay is on the phone with their lawyer figuring out how much they can squeeze from Ebay. The whole thing smells like French protectionism. I mean, they're holding Ebay liable for the whole sale, not just the ~5% they raked off the top.

    As for the "who cares" argument, well, the people whose brand has been ripped off care and the law is on their side. Apparently it's *entirely* on their side.

  19. Re:No. They'd get sued on Thinking of Security Vulnerabilities As Defects · · Score: 1

    It's not so much a legal question as a business problem. Vendors are obligated to fix their bugs and security holes because they are problems for customers.

    I would just leave the courts out of it and let the free market decide. In this particular case, a good response would be: (A) I have reported this to management and we will seek other vendors to suit our needs. (B) I am obligated to report this security hole to the usual vulnerability lists, because since I found it obviously somebody else could too.

    If they still don't fix it after that then find another vendor. Eventually, *poof* - bad vendor goes out of business, problem solved.

  20. My favorite part... on Crooks Nab Citibank ATM Codes, Steal Millions · · Score: 4, Insightful

    From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements.""

    But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:

    * Notification: Most expedient time possible, without unreasonable delay

    * Civil or criminal penalty for failure to promptly disclose

    So in other words they were more than happy to keep this secret to themselves.

  21. Re:Use debian? on Does an Open Java Really Matter? · · Score: 4, Interesting

    That is a good point. LAMP became a one-checkbox install because it's FOSS. LAMJ could easily have been. Except it's not a very catchy acronym.

    Personally I'd like to see LAPJ: Linux, Apache, Postgres, Java.

    Anyway, love it or hate it, Java has reached the critical mass to be around for a long time.

  22. Re:I bought Microsoft Project a while back on The Principles of Project Management · · Score: 1

    Agreed, because it's very easy to throw around project management buzzwords and terms, but at the end of the day project management is real work requiring real skills.

    Many people have low opinions of PMs, but once you work with a skilled one the difference is obvious.

  23. Re:Mad? Really? on MySpace's Melting Makes Murdoch Mad · · Score: 5, Funny

    "Murdoch Mostly Mopes; Missing Money Makes Monday More Melancholy."

    Slashdot submission sure sucks.

  24. Re:Why not every time? on ICANN to Add Anti Front Running Charge? · · Score: 2, Interesting

    Because the average end-user doesn't have the ability to domain-taste. Only weasels like NetSol do.

    So it seems like ICANN is saying, "we can't stop you from domain-tasting, but we can charge you for when you do it." It "just so happens" that their method is pretty self-serving.

    I suppose the massive number of domain registrations done by netsol has an impact on ICANN so they can justify the fee, and it also helps us poor users who just want our domain names. And God knows our legislators won't help. So go for it ICANN! Any enemy of Network Solutions is a friend of mine.

  25. Ummm.. on Fastest-Ever Flashgun Captures Image of Light Wave · · Score: 4, Funny

    I hate to be a pedantic killjoy, but on that film the light flash lasted about 3 seconds. I could see it pretty well with my naked eye.

    Try again, science!