Slashdot Mirror


User: jehreg

jehreg's activity in the archive.

Stories: 0
Comments: 53

Comments · 53

  1. Perfect copies... on More on the Effect of Digital TV · · Score: 2
    the industry won't allow its movies to be broadcast because they don't want viewers to record 'perfect copies' of movies.

    They could just *force* the cable companies to watermark the movies that they do play on their digital airwaves. That way, they would not be "perfect" copies.

    But Nooooo.... use legislation, not technology to make sure the profits keep coming in...

  2. Re:Quicken is Spyware on Crossover Gets Quicken · · Score: 3, Interesting
    2 years ago, I had warned their development team that the background transmissions were going to nail them when the community found out.

    They worked with us to properly address this, and their development manager (who seemed to have a clue) was very adamant in making sure that no one in the security community would explode, such as putting information screens when you installed and upgraded the program.

    We really pushed hard for them to include a "Never contact the Internet, ever!" select button, and they assured us that they would do it.

    At some point, they just stopped sending us status reports. I figured that the development manager just left or was canned.

    <SARCASM>It's nice to see that the development team was able to keep the marketroids at bay...</SARCASM>

    Too bad for them. We were doing this on a volunteer basis.

  3. FYI: Gentoo OK on OpenSSH Package Trojaned · · Score: 3, Interesting
    Gentoo is a source-only distribution. This trojan has not affected Gentoo since the MD5 digest is checked before compilation occurs. I just checked, the MD5 digest included in the "portage tree" is the correct one, and portage has detected the change.

    End result: no one in Gentoo has been able to compile/emerge openssh for the last few days.

    Which is good :-)
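
The check the comment above credits with stopping the trojaned tarball, as an added example that is not Gentoo's or portage's own code: a maintainer records each source file's size and digests in a manifest at release time, and the build side refuses to unpack anything that does not match. The manifest line syntax, the `openssh-3.4p1.tar.gz` file name and the byte strings are assumptions made for this demo. Two caveats a practitioner should keep in mind: MD5 alone is no longer collision-resistant, so a current manifest should also carry SHA-256 or stronger (the example records both); and the digest only moves trust from the download mirror to the manifest, so the tree that carries the manifest has to arrive through a channel you trust.

```python
# Added example (not Gentoo's or portage's code): a digest manifest is generated
# by the package maintainer at release time, and the builder refuses to unpack
# or compile any distfile whose size or digests do not match it, which is the
# check the comment above credits with catching the trojaned openssh tarball.
import hashlib

# Manifest line layout assumed here (a simplification, not portage's exact syntax):
#   <algo> <filename> <size-in-bytes> <hexdigest>
ALGOS = ("md5", "sha256")   # md5 matches the 2002 tree; sha256 is what you'd add today


def make_manifest(distfiles):
    """Maintainer side: record size and one line per digest algorithm for each distfile."""
    lines = []
    for name, data in sorted(distfiles.items()):
        for algo in ALGOS:
            lines.append(f"{algo} {name} {len(data)} {hashlib.new(algo, data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Builder side: turn manifest text into {filename: {'size': int, 'digests': {algo: hex}}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        algo, name, size, digest = line.split()
        entry = entries.setdefault(name, {"size": int(size), "digests": {}})
        entry["digests"][algo.lower()] = digest.lower()
    return entries


def verify_distfile(name, data, manifest):
    """Return (ok, reason). Every recorded digest must match; a file the manifest
    does not know about is rejected outright, so a dropped-in extra tarball fails too."""
    entry = manifest.get(name)
    if entry is None:
        return False, f"{name}: no manifest entry"
    if len(data) != entry["size"]:
        return False, f"{name}: size {len(data)} != {entry['size']}"
    if not entry["digests"]:
        return False, f"{name}: manifest entry carries no digests"
    for algo, expected in entry["digests"].items():
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected:
            return False, f"{name}: {algo} mismatch, got {actual}"
    return True, f"{name}: size and {len(entry['digests'])} digests match"


# Constructed stand-ins for the real tarball: the 'good' bytes play the role of the
# upstream release, the two 'bad' variants the trojaned copy on the mirror.
DISTFILE = "openssh-3.4p1.tar.gz"   # hypothetical file name used only for this demo
GOOD_BYTES = b"hello\n"
TROJANED_APPENDED = GOOD_BYTES + b"# backdoor\n"   # size changes: caught by the size check
TROJANED_SAME_SIZE = b"hellO\n"                    # same size: only the digests catch it


def demo():
    """Build the manifest from the good bytes, then verify the three candidates."""
    manifest = parse_manifest(make_manifest({DISTFILE: GOOD_BYTES}))
    results = {
        "good": verify_distfile(DISTFILE, GOOD_BYTES, manifest),
        "appended": verify_distfile(DISTFILE, TROJANED_APPENDED, manifest),
        "same_size": verify_distfile(DISTFILE, TROJANED_SAME_SIZE, manifest),
        "unknown": verify_distfile("evil-0.1.tar.gz", GOOD_BYTES, manifest),
    }
    for label, (ok, reason) in results.items():
        print(f"{'EMERGE' if ok else 'REFUSE':6} {label:9} {reason}")
    return manifest, results


if __name__ == "__main__":
    demo()
```

Running the block prints one EMERGE line for the untouched bytes and REFUSE lines for the appended, same-size and unknown variants; the same-size case is the one a size check alone would miss.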

  4. Part 3 - December 2000 ??? on Matrix Reloaded Filming Wants to Shut Sydney Down · · Score: 2
    Part three The Matrix Revolutions is also in production and will be released in December 2000

    Damn! I missed it!

  5. Yah! Stick it to the users! on Passwords May Be Weakest Link · · Score: 4, Insightful

    This is so tech-elitist... "The users are the problem!"

    Give a look at any paper by Sasse, Brostoff and Adams, such as this one, and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force-all-my-users-to-32-char-monthly-passwords bullshit attitude.

    The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.

  6. Re:potential sales on First Folding-Screen e-Book Reader · · Score: 2

    They employ Vulcans for their 'approximations'...

  7. Aw crap! on Kathleen Fent Read This Story · · Score: 5, Funny
    *I* was gonna ask her...

    I guess he "first post" me...

  8. Re:So you want out ... on EPIC Urges State AGs to Pursue Microsoft Passport · · Score: 1

    Errrrr, what *proof* were you given that your Passport Account is *deleted* as opposed to *inactive* ?

  9. Re:My Review on Review:Fellowship of the Ring · · Score: 1

    This was taken directly from a newspaper.

  10. Just like the British police: on More Details of MS/DOJ Deal · · Score: 1, Funny

    STOP! Or I'll say "STOP!" again!

  11. Patrick, Gandhi had the solution... on Sean In The Middle · · Score: 1
    Patrick, write up a sign that sez "Do you want to be kicked out of school because of bullies?", sit down in the middle of the school with the sign. Students won't notice a student protesting, but they will notice a *parent*.

    The school will attempt to throw you out, before you subvert too many young minds. Have reporters on stand-by when this happens, and have them ask the school-admin that attempts to kick you out, "what is the issue here?"

    School-admins *hate* this. They do not want to be seen in a bad light on any media.

    Your child cannot have his rights recognized because school administrators are even worse bullies than what he originally faced. You, as an adult, have the moral means and cojones to face another adult, and should the school admins not be ready to deal with the situation, then bring the situation up in the open, so that their bosses will have to face the music as well.

    I was constantly bullied in high-school, and the stress I felt then was thousands of times higher than what I have felt in the business world. Your child must understand that he is not alone and millions of us understand him, and wish him well. What he is living right now is the worst part of his life, it's all better from here on.

    Patrick Naubert

  12. Re:Shouldn't you post this again, in French? on Bridging The Language Gap In Multi-Lingual Workplaces? · · Score: 1
    Sure, here:

    "I live in Quebec....

    "... & lives in another..." (in English in the original text)

    :-p

    Pat.

  13. Deal with it. on Bridging The Language Gap In Multi-Lingual Workplaces? · · Score: 1
    I work in Ottawa, Canada, right on the borderline of French-speaking Quebec, and English-speaking Ontario. The whole city is used to working in both languages. We deal with it.

    When two French-speaking co-workers decide to have a discussion about a particular business matter, they do it. If an English-speaker is beside them, and has to be included in the conversation later on, then the French-speakers will switch to English and fill the other person in.

    It is a matter of respect and politeness. The presence of a unilingual person in a conversation defines the language used for all other persons. If there are two unilingual participants with "opposite" languages, say a unilingual French speaker, and a unilingual English speaker, then the meeting will probably be split into 2 parts, say 15 mins of English, and 15 mins of French, with someone bilingual translating (whispering) beside the unilinguals.
    Again, it is a question of being fair and polite.

    It would be considered quite insulting to insist on a certain language to be used throughout the meeting, on the example above.

    Anyone will appreciate an effort on the part of the other person, to speak his native language. How can one improve if they are not permitted to practice?

    My $0.02

    Pat.

  14. Re:One thing USENET is good for on Gathering Requirements In Open Source Projects · · Score: 1
    I think a better approach would be to have freshmeat.net permit the announcement of new projects even if they do not have code already.
    Users could set a flag or a cookie if they think that those announcements are "noise".

    My $0.02
    Jehreg

  15. Open Source is allergic to requirements on Gathering Requirements In Open Source Projects · · Score: 3
    You see, this is a personal pet-peeve. I started the Black Hole Firewall Project a few months back, and we had a number of coders ready to listen to users out there. But we did not want to start coding until we had requirements from the general population. So we started the project on Sourceforge and I announced the project on Freshmeat.net.

    At least, I tried to announce the project on Freshmeat... No code, no announcement. I could not believe it. How could I get the general population to know that the project existed, and that we had a site ready to take in user requirements?

    I wrote to Slashdot as a question on how do new projects out there get general requirements from users if they have no code yet. I got no response from the Slash crew, and the question was never posted.

    So, we quickly figured out that "Open Source" meant "give us existing software for free", not "make *this* because we want it". To me, that means that the Open Source / Free Software dream of having commercial grade software is just a pipe-dream because the open/free software will either come from a company that will open/free its existing software, or from a guy/gal that wrote something cool and decided to share it.

    I don't think that there is an Open Source coder out there that can stand being involved in a project that is structured from the get-go. Requirements? Planning? Design? BAH! Gimme CODE! Well, say that, and stay in your little dream world of "Apache made it big, man! Open Source r00lz!".

    The rest of us will be waiting, hoping to see commercial-grade applications being correctly designed and planned. But, obviously, these will just have to happen spontaneously, since there is no way for the general population to say what they want or need.

    Jehreg.

  16. Get them where it really hurts. on Enter The 'Stupid Patent Tricks' Contest · · Score: 5
    Patent the business process of "patenting".
    If they say that business processes cannot be patented, then create a web site that implements the business process of patenting, and patent *that*.

    Then sue them for having an internal Intranet system that infringes on your patent.

  17. Ugh. on Net Security With "NanoProbes" · · Score: 1
    Market speak for: I created an IP packet with nothing after it. Any firewall worth its salt will prevent this packet from flowing, especially an application-level gateway.

    Maybe Windows has a specific exploit where a naked IP packet will be blindly forwarded or responded to. That would explain the Windows-only support of this. If this is the case, then as soon as Windows fixes that bug, byebye Nanoprobe usefulness.

    It is easy to create this "Super firewall", and "super server" if you re-write IP and TCP... Look, I can ignore all packets that do not match my format, and therefore be immune to DoS attacks! Oh wait, I seem to be getting a huge amount of valid packets... damn....

    What drivel...


  18. From someone who has been through it. on Certifying Software As Secure? · · Score: 1
    I have had the honor of being the first test subject of the Common Criteria here in Canada. CSE (Canadian Security Establishment, or just "The Establishment" to the people playing the Game...) was responsible for testing out the Common Criteria, as proposed, over 4 years ago.

    We knew that we had to get our product (a transparent-proxy firewall) "certified" if we wanted to sell it to the Canadian government.

    Enter CSE.

    They told us that the Orange Book was being phased out and that we could be the first product to be evaluated under the new "Worldwide" Common Criteria. We accepted. *I* was the one who was assigned to do it.

    Since this was the first product to undergo the Common Criteria "checklist", I could debate any point of the criteria if I didn't agree with it (which I did, often...).

    Of course, the dice were loaded: there were 7 CSE people, and I was alone. I often had to debate my points over and over to different people until the head techie (the Brain) agreed and put a note into the Criteria. I assume that they then reported the proposed change to NSA (or the "Headquarters" as they called it).

    Our product was evaluated under the EAL-1 checklist; that's the lowest, but it was the only real one achievable at the time.

    The next 7 months were rather tedious: I would give all the product documentation and white papers, and they would lookup each function of our product in their checklist, such as:

    • Component prevents communications between targets if critical error condition occurs: YES
    • Component outputs error message if critical error condition occurs: NO
    For EAL-1 to be attributed, we would need the YES in items 1.1,3.4,7.6,101.4.6, and so on...

    They would give this back to me, and I would have to check each and every point. If I didn't agree with a point, I had to document the product even more (more white papers, more changes to the user guide, admin guide, etc...). We could not change the code... Oh, and I am not a tech writer... but boy, did I ever have to become one then...

    Since each and every log message has to be documented and explained in the product documentation, for a product to get EAL-1, I almost quit the day that they told me that I had to document DEBUG log messages! Since we had rather original coders in our midst (hey San!), I could not conceive having to explain debug messages like :

    "Jesus, I need a beer in seconds." or "Oh no don't touch me there."

    Luckily, I was able to debate that one requirement out. Thank G0d.

    The bottom line is that this forced us to document our product way the hell more than what we had at the time, and I think that our users benefitted greatly. CSE ended up with a better, more logical Criteria, and we were then able to sell to the Canadian Government.

    Was it worth it? Well, I could have used the sleep... But I think that it made our product and documentation much better, and it opened a market that we wanted, and then realized that we were the only player in it. That meant big bucks; way more than we originally thought. So, yes, it was worth it.

    Would it still be worth it? Hell yes, that's why I want the Black Hole Project to get certified under the Common Criteria as soon as possible. (Disclaimer: I have left the company that did the product originally, and I am now on my own)

  19. Re:Censor slashdot? Nah on Censorware Flaws Shown To COPA Commission · · Score: 2
    OK, on the same vein of thought:
    Many crackers out there deface web sites. I propose to them to, instead, change the META tags of the sites they crack to include naughty words. Most web admins won't notice, and most readers won't look at the page source.
    Do Yahoo, and Ebay first...

  20. Rampant Lawsuits ?? on Samba Runs Into Naming Problems In Germany · · Score: 3
    The USA has rampant lawsuits, and they seem to be doing fine...
    Oh, wait, that's right...

    Q-Bert

  21. Re:Baby monitors on Inside Echelon · · Score: 1
    No, it merges with Conroy. This is in the south, dude, in Gloucester.

    Jehreg

  22. Baby monitors on Inside Echelon · · Score: 3
    I live right next to the Canadian ECHELON site (Leitrim & Bank, in Ottawa). Every once in a while, my baby monitor starts buzzing for a few minutes. I am ready to bet that they spy on my monitor to calibrate a few things :-)
    Anyone know where I can get a 128-bit key encrypted baby monitor?

    On another note, I wanted to try something out: They can see my house from the base, so I wanted to buy an old (huge) satellite dish and aim it at them, but not connect it to anything...
    Then I would just aim a video camera at the dish and see marines come in at night and dismantle the dish :-)

    Jehreg

  23. Socks is pretty much it. on Open VPNs On Unix That Support Windows Clients? · · Score: 1
    I have been looking for this Holy Grail for a little while, but nothing seems to fit the bill.

    Most of my clients use LDAP for authentication too, and I have yet to find a Contivity-like server on Linux that will support an LDAP-aware Windows client for tunnelling all protocols.

    The most that I have been able to find is Socks and the server can run on Linux, and it also supports Kerberos. The Socks Windose client can be setup to tunnel all TCP and UDP ports to the Socks server.

    Now, if someone could make Vtun LDAP-aware and make a Windows client....
    Jehreg

  24. Re:where they're operating out of... on Secretive Company Scanning the Net · · Score: 5
    Well, I needed a target to test out my Nessus version, so here goes:

    Nessus Scan Report

    Number of hosts which were alive during the test : 1
    Number of security holes found : 5
    Number of security warnings found : 1
    Number of security notes found : 2

    List of the tested hosts :

    205.177.226.233 :

    List of open ports :

      • telnet (23/tcp)
      • www (80/tcp) (Security hole found)
      • sunrpc (111/tcp)
      • shell (514/tcp)
      • unknown (2049/tcp)
      • general/udp (Security notes found)

    Vulnerability found on port www (80/tcp)

    • The 'perl' cgi is installed and can be launched
      as a CGI. This is like giving a free shell to anyone, with the
      http server privileges (root or nobody).

      Solution : remove it from /cgi-bin

      Risk factor : Serious
      CVE : CAN-1999-0509

    Vulnerability found on port www (80/tcp)

    • The 'jj' cgi is installed. This CGI has
      a well known security flaw that lets anyone execute arbitrary
      commands with the privileges of the http daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0260

    Vulnerability found on port www (80/tcp)

    • The 'glimpse' cgi is installed. This CGI has
      a well known security flaw that lets anyone execute arbitrary
      commands with the privileges of the http daemon (root or nobody).

      Note that we could not actually check for the presence
      of this vulnerability, so you may be using a patched
      version.

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0147

    Vulnerability found on port www (80/tcp)

    • The 'Count.cgi' cgi is installed. This CGI has
      a well known security flaw that lets anyone execute arbitrary
      commands with the privileges of the http daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0021

    Vulnerability found on port www (80/tcp)

    • 'cgiwrap' is installed. This CGI has
      a well known security flaw that lets anyone execute arbitrary
      commands with the privileges of the http daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious

    Warning found on port www (80/tcp)

    • The 'finger' cgi is installed. It is usually
      not a good idea to have such a service installed, since
      it usually gives more troubles than anything else.

      Double check that you really want to have this
      service installed.

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CAN-1999-0197

    Information found on port www (80/tcp)

    • The remote web server type is :
      Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3

      We recommend that you configure your web server to return
      bogus versions, so that it makes the cracker job more difficult

    Information found on port general/udp

    • For your information, here is the traceroute to 205.177.226.233 :
      ?

    This file was generated by Nessus, the open-sourced security scanner.

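A parser for the plain-text report layout pasted above, as an added example that is not Nessus's own code and not part of the original comment: each "Vulnerability/Warning/Information found on port ..." section becomes a record with its description, solution, risk factor and CVE id, so a scan like this can be counted, grouped by port and turned into a remediation list instead of being read by eye. The sample report inside the block is a constructed excerpt that copies four of the sections above verbatim; the field names and the regular expressions are this example's own assumptions about the format, not a Nessus specification.

```python
# Added example (not Nessus's code): a parser for the plain-text Nessus 1.x
# report format pasted above, turning each "<kind> found on port ..." section
# into a record with description, solution, risk factor and CVE id, so the
# findings can be counted, grouped by port, and cross-checked against a CVE list.
import re
from collections import Counter

# Constructed excerpt with the same layout as the report in the comment
# (first two vulnerabilities, the finger warning and the banner note).
SAMPLE_REPORT = """\
Vulnerability found on port www (80/tcp)

  The 'perl' cgi is installed and can be launched
  as a CGI. This is like giving a free shell to anyone, with the
  http server privileges (root or nobody).

  Solution : remove it from /cgi-bin

  Risk factor : Serious
  CVE : CAN-1999-0509

Vulnerability found on port www (80/tcp)

  The 'jj' cgi is installed. This CGI has
  a well known security flaw that lets anyone execute arbitrary
  commands with the privileges of the http daemon (root or nobody).

  Solution : remove it from /cgi-bin.

  Risk factor : Serious
  CVE : CVE-1999-0260

Warning found on port www (80/tcp)

  The 'finger' cgi is installed. It is usually
  not a good idea to have such a service installed.

  Solution : remove it from /cgi-bin.

  Risk factor : Serious
  CVE : CAN-1999-0197

Information found on port www (80/tcp)

  The remote web server type is :
  Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3
"""

HEADER = re.compile(r"^(Vulnerability|Warning|Information) found on port (.+?)\s*$")
FIELD = re.compile(r"^\s*(Solution|Risk factor|CVE)\s*:\s*(.*)$")
PORT = re.compile(r"\((\d+)/(tcp|udp)\)")
CGI_NAME = re.compile(r"'([^']+)' cgi")
FIELD_KEYS = {"Solution": "solution", "Risk factor": "risk", "CVE": "cve"}


def parse_report(text):
    """Return a list of finding dicts in report order."""
    findings, current = [], None
    for raw in text.splitlines():
        head = HEADER.match(raw)
        if head:
            kind, port = head.groups()
            pm = PORT.search(port)
            current = {"kind": kind, "port": port,
                       "portnum": int(pm.group(1)) if pm else None,
                       "description": [], "solution": None, "risk": None, "cve": None}
            findings.append(current)
            continue
        if current is None:       # summary lines before the first section
            continue
        field = FIELD.match(raw)
        if field:
            key, value = field.groups()
            current[FIELD_KEYS[key]] = value.strip()
            continue
        line = raw.strip().lstrip("•").strip()   # tolerate the bullet glyphs in the paste
        if line:
            current["description"].append(line)
    for f in findings:
        f["description"] = " ".join(f["description"])
    return findings


def summarize(findings):
    """Counts per kind, matching the 'holes/warnings/notes' header of the report."""
    return dict(Counter(f["kind"] for f in findings))


def cgi_names(findings):
    """The CGI programs named in the findings, i.e. what to delete from /cgi-bin."""
    names = []
    for f in findings:
        m = CGI_NAME.search(f["description"])
        if m:
            names.append(m.group(1))
    return names


def cve_ids(findings):
    """Every CVE or CAN id in the report, in order, deduplicated."""
    seen = []
    for f in findings:
        if f["cve"] and f["cve"] not in seen:
            seen.append(f["cve"])
    return seen


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(summarize(fs))
    for f in fs:
        print(f"{f['kind']:13} {f['port']:14} {f['risk'] or '-':8} {f['cve'] or '-':14} {f['description'][:50]}")
    print("remove from /cgi-bin:", cgi_names(fs))
```

Feeding the full report from the comment through `parse_report` gives the same 5/1/2 split the Nessus header states; the `cgi_names` list is the concrete removal list the "Solution" lines only imply, and `cve_ids` is what you would hand to a tracker or cross-check against a current advisory feed.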
  25. Hey people! Pre-registration ?!? on LinuxFest 2000 : More Penguins Than People · · Score: 2
    I have no sympathies on this, as it is obvious that this was not planned and organized properly, even just reading this article, and not even being at the event.

    When a conference is organized, the speakers are lined up first, then main corporate sponsors.

    Here is the important step: PRE-REGISTRATION.

    I cannot believe that the show was permitted to occur if less than 1000 people pre-registered.

    Once the pre-registration is on the way and things are occurring as predicted, the rest of the show floor is sold. The order of things is especially important if the event is small to medium-size.

    The Linux community cannot let Corporate-America do its usual sleazy fast-buck-get-out scams. The organizers of this show obviously didn't give a rat's ass about the image of Linux.

    I find that this is a problem with the Linux movement: since there is no central body of representation, there can be no oversight of the use of the term "Linux". Anyone can do what they wish, and in this case, the community gets it in the shorts PR-wise.

    I have to agree with many of the posters here who suggest that Linux users attend only a few well-known shows. I think the smaller-scale cities could benefit by meeting the organizers of these bigger events and "invite" the show over to their city, à la Internet World show of a few years back. This trade show would "occur" about 6 times per year, in different cities each time. Sort of a travelling circus. Pun intended.

    My $0.02