Slashdot Mirror


User: perp

perp's activity in the archive.

Comments · 111

  1. Anti-leech market segmentation on Slashback: Panama, Leeches, Comeuppance · · Score: 1

    Anti-leech seems to be marketing their product to websites that target stupid people. Apparently their own popups (I don't see them) sell illegal things that stupid people would be likely to buy, Gator (ewww) and pop-up blockers (heh) that stupid and/or uninformed people would buy because they've never heard of Mozilla or any other decent browser.

    Anti-leech doesn't care if /. readers don't visit the websites "protected" by their product. The chances of any moderately technical person being interested in any site using Anti-leech is so small that the site owners might as well save their bandwidth.

    I would guess that Anti-leech technology in place increases the percentage of clueless users, which would be quite an asset if that's who your target market is.

  2. Re:These should be reported. on CA Law Demands Public Disclosure Of Break-Ins · · Score: 1

    Actually, I'm right with you on all of this, but I don't think there's an easy solution. I run bind on my external servers, one of which is still at a version that uses bind8. It's easy to say that I "should" have upgraded it to a more recent OS that uses bind9 (which seems to be quite a bit better) or "should" have installed some other named (thereby breaking the auto-updating that does more for system security than anything else).

    I can (and do) keep things patched, but I don't have the time to maintain custom installs or upgrade the OS version on all my servers every time there's a minor release. If ISC doesn't notify SuSE of bind exploits, *I'm* the one that gets it in the shorts. I am really angry at ISC and am looking forward to an explanation. Grr.

    OTOH, people who run wu-ftp on external servers are clearly not paying attention. They're not reading BugTraq and they're not reading this thread. Eventually, all these boxes will get 0wn3d and then reinstalled with something more secure, but that seems like a really slow and painful way to increase overall security. Enough of this and either the authors will fix an app or vendors will stop shipping it. As a matter of fact, that's what happened with bind - a total rewrite due to hot and cold running exploits in the original code base.

  3. Re:These should be reported. on CA Law Demands Public Disclosure Of Break-Ins · · Score: 1

    >> the article doesn't mention ...where a break-in
    >> occurs because of a(n) ... issue for which there
    >> is no released technical solution (i.e. anyone
    >> else who has software X would be susceptible...).

    > So companies/whatever which can't be bothered to
    > patch their holes get a buy? I don't think so.

    The poster was talking about vulnerabilities for which there is *no* solution. A patch is a technical solution.

    People who don't patch in a timely way *should* get into trouble, but that doesn't apply to the first site that gets 0wn3d via a previously unknown exploit.

    Nevertheless, if the customers' private information has been compromised, the customer should be informed no matter who is to "blame".

  4. Re:Amavis and OAV on Server Side Virus Scanning Options? · · Score: 1

    Me too and I agree it works great. It even unzips zip|tar|jar files and scans all the files in them.

    I run it on SuSE 7.something on a Compaq DL with sendmail, Cyrus IMAP and SpamAssassin. We only have 300 or so users and it can keep up with that no problem.

    I also scan *outgoing* email, which is a bit trickier to set up but is good for legal reasons and for assuring someone that the Klez virus that they received which appeared to come from one of our users actually did not originate from within our network. I would recommend scanning your outgoing mail; it saves a lot of grief.

    The only issue we had was the one regarding notification of the apparent sender of the virus; with so many spoofed senders, I just had to turn it off.

  5. ScotiaBank here in Canada is a saint on Online Banking And Browser Support · · Score: 0, Flamebait

    Not only do they support Mozilla, they even support Konqueror.

    Of course it's possible to support different browsers; the ScotiaBank page is a very functional, customizable bunch of jsps, not some Flash-infested monstrosity written by someone who only knows how to run FrontPage. God, I hate FrontPage ... anyone who can press ^C and ^V thinks they're a web designer.

  6. We have iris scanners at work on Iris Scanners in Canadian Airports · · Score: 1

    I use the iris scanner at the front door at one of our sites. It's kinda cool, but it always bugs me that the voice just says "Identification successful"; it doesn't say who it identified me to be.

    There's also a camera so the "hold up a disembodied eyeball" trick would probably be noticed, but I wonder how much attention the camera will get now that the responsibility for access control lies with the iris scanner. I think the main purpose of the camera is for confirmation after the fact. If the iris scanner says I entered the building at a certain time and I say I didn't, Security can check the video to see who actually had their eyeball there at that time, so someone who wanted to fool it would not only have to duplicate my iris, but also my physical appearance.

    The iris scanners are replacing fingerprint scanners which drive people nuts with their low reliability. So far I have never needed to be iris-scanned more than once, but with the fingerprint scanner, people often had to try twice.

    Also, the fingerprint scanners are two-factor authentication methods (punch in a code, scan your fingerprint) and at some doors the list of codes is conveniently printed on a sheet taped up beside the scanner. The ability of users to turn two-factor authentication into one-factor authentication never ceases to amaze me.

  7. Re:you have to do that? on Iris Scanners in Canadian Airports · · Score: 1
    I can't imagine having to do that. Why should I have to tell a government how much money I spent whilst out of their country? ...even if I am one of their citizens.

    Seeing as Canada and the US have different economic systems and 90% of Canadians live within 100 km of the American border, the Canadian government is always trying to keep Canadians from driving over the border and buying big things without paying the government its taxes. They don't really care how much you spent; they just care what you bought.

    I don't know how it works in Europe, where there are so many physically small countries with so much traffic between them all. Are the sales tax rates equivalent, so it's not worth driving across a border to make a large purchase? Aren't there import duties?

  8. Ogg Vorbis in UT on UT2003 Gone Gold, Ships with Linux Support · · Score: 1

    On the UT copyright notices page, it says
    "Ogg Vorbis Copyright © 2001"

    Is this new or has UT used ogg before? I just love seeing open standards replace proprietary standards.

  9. Re:Maybe the stats aren't as bad as they think... on Linux Worm Spreading, Many Systems Vulnerable · · Score: 1

    Likewise for SuSE. They backported apache, openssl and openssh within a couple of days, and I spent one long day patching everything that faced out. With YaST2 it is a no-brainer, even remotely, but some of the systems are too minimal for that and needed manual patching.

    Some spammer sent me an email that he had "noticed" that we were running apache 1.3.19 on our main web server, drew my attention to the fact that there was a vulnerability in it (as if I hadn't spent the last 2 days reading a zillion Bugtraq posts about it) and offered his services to "secure" our site. Of course, his scan did not detect that we were running 1.3.19-126, which is as secure as anything else out there.

  10. Our virus scanning solution on Scanning for Windows Viruses in Linuxland? · · Score: 1
    Sendmail + Cyrus IMAP + AMaViS + OpenAntiVirus + MimeDefang + SpamAssassin for ~300 users on SuSE. Sounds complicated (took a while to set up) but works great. All Free or Open Source, too.

    "Gotchas" that I ran into are:

    1) don't send virus notifications to the sender (since 90% of the viruses we get are Klez and don't actually come from the apparent sender), or to the intended recipient (unless most of your users are smarter and more computer literate than your average mollusc, unlike mine) who will probably get all confused and bombard your help desk with questions

    2) don't scan for dangerous attachments before scanning for viruses, or the user will get a message saying that some file (not identified as a virus yet) was stripped from an email that wasn't even sent by the alleged sender. This will terminally confuse the users. MimeDefang is a milter and AMaViS is a weirdly hacked up (in the best way) local delivery agent. I have yet to find a way to make MimeDefang run after AMaViS, so I currently only use MimeDefang+SpamAssassin for the spam flagging which it does a great job at.

  11. Re:Conspiracy theory or desperate truth? on Interview with ICANN's Karl Auerbach · · Score: 1
    One interesting source of information is IcannWatch.

    As far as objective sources of information, that is what Auerbach is fighting to get access to. As long as ICANN's records are kept secret, we will never know what is going on.

  12. "Surreptitious electronic surveillance" on House OKs Life Sentences For Hackers · · Score: 1
    ... existing ban on the "advertisement" of any device that is used primarily for surreptitious electronic surveillance applies to online ads.

    Does this include tcpdump? What about nmap? Are they "devices"? If not, will the lawmakers eventually realize that there is no real functional difference between s/w and h/w and try to ban these tools because hackers use them?

    What a witch hunt. It's easy for some of us to say, "Well, that's the US for you", but this kind of thing affects all of us, not only because so much of the net is hosted in the US, but because the US aggressively tries to export its value system to the rest of the world (for the "good" of everyone, of course).

    USAians should be very worried about their country's current stampede back into the Middle Ages.

  13. Re:new king on Mozilla 1.0 Officially Here · · Score: 1
    This is a problem at work because I use IE to browse web accessible database of large image files.

    Hmm, "database of large image files", is that what the pr0n vendors are calling it nowadays?

  14. Do many people use more than one distro? on Linux Vendors to Standardize on Single Distribution · · Score: 1

    I use Red Hat at home and SuSE at work and I frankly don't see any technical reasons why Red Hat has such market dominance here in North America. As a matter of fact, my home Red Hat box is less stable than all my work SuSE boxen, though this is probably because I am always installing weird experimental shit on my home box and they frown on experimenting with the corporate mail and web servers at work for some strange reason.

    The main problem I have with running two distros is remembering which utility to use on which box; I occasionally look for rc.config on my home box or try to find up2date on my work machines.

  15. Re:Face recognition by humans is this good? on Slashback: Counterstrike, Identification, Patenxtortion · · Score: 1

    OK, so through an airport in some time period, you have, say, 1 million passengers and four known terrorists. This system will flag two of the terrorists and 2,500 random civilians who happen to look like someone. All 2,502 of these people will have to be checked, ID'ed, searched, yadda. Eventually, most of them (perhaps including one or both of the flagged terrorists, depending on how good their covers are) will be let onto the planes.

    Terrorists unknown to the face recognition system will walk onto the plane with the same 0.25% chance of being stopped as the rest of us.

    This is another way of doing the math that does not fill me with confidence.

  16. Re:Gravitational vs. Inertial Mass on NASA Still Trying to Verify Anti-Gravity Claims · · Score: 1

    From the article:
    The law of gravity is one of science's most sacrosanct principles; any breaching of its walls would represent a major threat to the current theoretical framework.

    Like *that's* never happened before.

    The principles of science are not divine law; they are our most supportable best guesses as to how this weird universe of ours works. It is unscientific at best to treat the "law" of gravity (as we understand it) as if it were some rule decreed by the Powers That Be which it would be heresy to question.

    Whether or not this guy is actually onto something, it is only by exploring and trying these things that we will expand our understanding. As the previous poster said, gravity is *not* yet completely understood and even failed experiments add to our knowledge of the way things work.

  17. Re:Bear with me... on Export-level Encryption Proves Insufficient · · Score: 1

    So, do you think that crypto should be restricted within the US as well, since the terrorists and other criminals in a more technologically advanced country like the USA are more likely to understand and use the harder-to-break crypto?

  18. Re:Le Guin rules! on The Left Hand of Darkness · · Score: 3, Informative

    _The Left Hand of Darkness_ is probably one of my favorite books ever. I would also highly recommend _The Lathe of Heaven_. She writes powerful stories without a trace of sentimentality.

    _The Dispossessed_ is an extremely thought-provoking book that probably pisses off virtually everyone who reads it, which is a good thing IMO.

  19. Re:I'm not giving up _my_ DSL... on Dump Broadband, Dig Out Your Modem! · · Score: 1

    b1tr0t said:
    > And having a fixed IP so you can SSH back
    > home is nice, too.

    Yeah, it would be nice if it worked reliably. I came here to check out /. while I'm waiting (and waiting and waiting ...) for an ssh connection to my home box. The quality of service for @home is so inconsistent, it makes me crazy. I pay them C$40 per month for speeds that are no better than dial-up except in the middle of the night.

    Still waiting ...

  20. Re:Ummm...maybe I'm a bit naive, but... on Australian Court OKs International Net-Defamation Suit · · Score: 1

    It looks like what they're trying to do is to get my (or your) government to be obliged to prosecute things that are crimes in other countries, or at least enforce the judgement of the courts of other countries.

    This raises some interesting issues; the "offense" of printing the stuff occurred in the US but the "harm" caused by it occurred in Australia. It's like the question of shooting someone who is standing on the other side of an international border; what country does the crime occur in? If this had been a paper magazine and some Aussie bought it in the US and took it back to Oz, would the US publisher be liable under Australian law for the contents of the magazine? Hmm, this is not good.

    In this case though, if Dow Jones doesn't pay up, will the Australian govt seize their assets in Australia? Can they do that?

  21. Slashdot should warn their victims on GNOME Usability Study Report · · Score: 1

    Dear webmaster@foo.org;

    We at Slashdot have found some interesting information on your fine site. In approximately ten minutes we will be posting a link to http://www.foo.org/articles?id=1234pdq on the main page of our News for Nerds page, with a few lines of inflammatory comment.

    This is likely to result in approximately fifty thousand Linux geeks trying to access this page at the same time.

    Historically, we have found that this often results in routers turning into stuttering braindamaged shells of their former selves, and webservers melting down into steaming heaps of slag.

    Please alert your webadmins/netadmins/ISP.

    Thank you and have a nice day.

    Sincerely, CmdrTaco

  22. Re:Perhaps I have one? on Restricted CDs Quietly Distributed · · Score: 1
    The Dave Matthews CD that I have lists "#34" on the CD and liner notes. It's just the name of the song, not an indication of 22 hidden tracks.

  23. Encryption, my ass on Fallout From Def Con: Ebook Hacker Arrested by FBI · · Score: 3
    From Dmitry's presentation re the eBook Pro compiler:

    "All HTML pages and supplementary files are compressed with deflate algorithm from ZLIB"

    "Compressed data are encrypted by XOR-ing each byte with every byte of the string "encrypted", which is the same as XOR with constant byte"

    This is totally mindboggling if true. Are we saying that people can XOR their data stream with a *single byte*, advertise it as "virtually 100% burglar-proof" and then get listened to when they complain about evol haxors cracking their encryption?
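
An added illustration of the scheme quoted in the comment above (not part of perp's comment or of the presentation it cites): XOR-ing with every byte of "encrypted" folds to one constant byte, so a deflate stream obscured this way has only 256 possible keys. The sample HTML and all function names are constructed for this example.

```python
import zlib
from functools import reduce

KEY_STRING = b"encrypted"  # the string quoted in the comment above


def xor_with_every_byte(data: bytes, key: bytes) -> bytes:
    """XOR each data byte with every byte of `key` in turn (the scheme as quoted)."""
    out = bytearray(data)
    for k in key:
        for i in range(len(out)):
            out[i] ^= k
    return bytes(out)


def effective_key(key: bytes) -> int:
    """XOR is associative and commutative, so the key string folds to one byte."""
    return reduce(lambda a, b: a ^ b, key, 0)


def xor_constant(data: bytes, k: int) -> bytes:
    """XOR every byte of `data` with the single byte `k`."""
    return bytes(b ^ k for b in data)


def candidate_keys(blob: bytes) -> list[int]:
    """Return every single-byte key under which `blob` is a valid zlib stream.

    zlib's header check and Adler-32 trailer act as a built-in oracle: a
    wrong key almost never yields a stream that decompresses cleanly.
    """
    hits = []
    for k in range(256):
        try:
            zlib.decompress(xor_constant(blob, k))
        except zlib.error:
            continue
        hits.append(k)
    return hits


# Constructed sample input: a small HTML page, deflated and then "encrypted".
SAMPLE_HTML = b"<html><body><h1>Chapter 1</h1><p>Sample page.</p></body></html>"
BLOB = xor_with_every_byte(zlib.compress(SAMPLE_HTML), KEY_STRING)

if __name__ == "__main__":
    print("effective key byte: 0x%02x" % effective_key(KEY_STRING))
    print("keys yielding a valid zlib stream:", [hex(k) for k in candidate_keys(BLOB)])
```

The two `e` bytes in the key string cancel each other, which is why a nine-character "key" carries no more secrecy than the single byte it folds to.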

  24. Re:Eel Cyborg on Testing The First Cyborgs · · Score: 1

    > Wait until the wheeled light-seeking eels rule the planet with cruel inhuman efficiency.

    Oh man, can I use that as a sig? That is the weirdest statement I have seen in a long time.

    Perp

  25. Re:I can kinda understand on BIND Security Info For "Members Only"? · · Score: 2
    What makes this "Pay per Bug View" list proponent think that bughunters will report bugs to them rather than BugTraq? Ms B.Hunter would get (probably) limited credit at some far future date, after someone else disclosed the bug publicly. This is even assuming that the list would publish the bug and not just quietly fix it and hope nobody notices.

    Anyway, how the Hell can you enforce a NDA on Open Source software? Put a block at the top of the BIND source saying "By reading this source code you agree to not disclose any bugs except to pay-per-bug-view@isc.org"? Only the members of the list would be bound by the NDA; non-members would just wait for it to leak to BugTraq (free as in speech *and* beer), and then they could do what they want with the info.

    I wouldn't join. Not that they've asked me :-}