Slashdot Mirror


User: Meridun

Meridun's activity in the archive.

Stories: 0
Comments: 71

Comments · 71

  1. Re:Why that's not always true on E-Book Copy Protection, For What It's Worth · · Score: 4, Informative
    You are correct here as far as you go, but there is still an issue.

    In order for a monitor to work, it must be viewable

    I know that's a blinding flash of the obvious, but the author's point still stands. While you might no longer be able to do digital screen captures via PrintScreen or software, at worst case you could still take a picture of the screen and OCR it.

    He made an extremely good reminder to people that, so long as people are involved, encryption will ultimately fail on some level, because the end product MUST be decrypted for us to use.

  2. Re:MS Bugs on Microsoft PPTP Buffer Overflow; VPNs Vulnerable · · Score: 2

    This actually wouldn't be a bad idea, although it would need to be done in a fairly clear-to-read manner and have severity labeled well.

    I seem to recall that there was a Dilbert strip with Ratbert in Q&A, who had "Lethal", "Boneheaded", and "Vexing" as his bug severities. This would probably be a very good way to categorize them for end users :)

  3. Re:stupid fuck on 1 Year Anniversary of Nimda Outbreak · · Score: 2
    I believe that Taco means he's still receiving copies of Klez at a rate of 5-10 a day. Given that Klez typically runs its payload on Windows with the assistance of Outlook, I sort of doubt that he's spreading it as you seem to believe.

    Sadly, I completely understand his predicament, since I'm still receiving Klez emails at about the same rate (which is one of the reasons I use Mozilla for email). Even worse, Klez forges the FROM field through SMTP, so it's extremely difficult to tell who's infected. I get bounce messages all the time from people who think I'm infected, because of the header forging (I'm not; I checked the running processes, ran a virus scan, and ran netstat looking for unexpected connections).

  4. Re:MY PILLS, GET ME MY PILLS on LucasArts announces Sam & Max sequel · · Score: 2

    It was pretty good. About three good tracks, which I consider par for a CD. Amusingly, it was the only time I ever used CDNow as a service, since I could never find the CD in a store.

  5. Keiretsu (for the curious) on Thomson: MP3 Licensing Same As It Ever Was · · Score: 2
    keiretsu
    • (n) series; system; grouping of enterprises; order succession; (P)
    keiretsugaisha
    • affiliate company
    keiretsuka
    • (n,vs) putting in order; systemize

    looted directly from Jeffrey's Japanese<->English Dictionary Server

  6. Re:MY PILLS, GET ME MY PILLS on LucasArts announces Sam & Max sequel · · Score: 3, Informative
    I actually went and bought the Gone Jackals CD Bone to Pick merely based on how cool the opening sequence for Full Throttle was.


    "Heh. Bunnies"

  7. Re:CRC check? on Spoofing P2P Networks as Marketing Plot · · Score: 1
    Check out Project ELF for an example implementation of using an MD5 hash to uniquely identify download files and Bitzi for a good searchable community catalog of files and hashes (these two examples aren't directly related to each other).


    It's definitely do-able, although no solution would really be perfect.

  8. Re:The code to do this on One-Time Pad Encryption With No Pad? · · Score: 1

    Oh, and yes, this is breakable. It's not nearly so easy as a standard XOR cipher, but it is BY NO MEANS unbreakable.

  9. The code to do this on One-Time Pad Encryption With No Pad? · · Score: 1

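    Function XorEncode(ByVal StringData As String, SeedKey As Long) As String
        Dim i As Long
        Dim strTemp As String

        ' Rnd with a negative argument followed by Randomize makes the
        ' pseudo-random sequence repeatable for a given SeedKey
        Rnd -1
        Randomize SeedKey

        ' XOR each character with the next pseudo-random value
        For i = 1 To Len(StringData)
            strTemp = strTemp & Chr((Asc(Mid(StringData, i, 1)) Xor (Int(Rnd * 255))))
        Next i

        ' Reseed from the system timer so later Rnd calls are not tied to SeedKey
        Randomize
        XorEncode = strTemp
    End Function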

    Oh, how friggin hard...... please.

  10. Re:PLEASE Call your Senators on More Details on the CBDTPA · · Score: 1

    I doubt it makes a difference. In fact, the local number probably just forwards to the Washington Office (I may be wrong). Your Senator will probably hear about it either way.

  11. PLEASE Call your Senators on More Details on the CBDTPA · · Score: 5, Insightful
    I'm not kidding here. I work for a small company that recently fought against some unfair legislation that the Insurance Industry was trying to push and we learned some VERY interesting things about what tactics work for getting attention.

    CALL YOUR SENATORS. Handwritten letters are nice too, but what really matters is calling. You will get answered by a congressional staffer. Say the following:

    "Hi, my name is _____ and I live in _______ in your district. I am calling to register my opposition to Senate Bill 2048. Thank you".

    That's it. Unless you include a large check, they don't care WHY you oppose it really, but they DO care that you can vote for or against them.

    Think about it this way: they can't spend the money, except on getting re-elected. Therefore, your vote costs a certain amount. If you call them and tell them the way you wish them to vote, they know that if they don't vote that way, they've lost a vote regardless of how much they spend. AND if you called, that means a lot of people probably think the same way, but weren't motivated enough to pick up the phone.

    It's quick, simple, and took me all of 5 minutes, including looking up the phone number. DO IT.

  12. Re:Russian Law on ElcomSoft Files For Dismissal Of E-Book Case · · Score: 1
    Here you go. Elcomsoft filing for dismissal based on the extraterritoriality of the case, since they seem to think that it CAN be construed as a legal argument.


    Dismissal Motion for Lack of Jurisdiction


    Simple example: State Highway Patrol cannot arrest you for speeding in another state, UNLESS you were speeding in their state and they crossed state lines in hot pursuit. Same thing here; the US cannot apply its laws to people who did not break the law in the US.

    Hopefully, the judge for the case will remember this simple fact.

  13. Re:Yeah Right on DMA to Control Spam by DMA Members · · Score: 1

    You are dead on about the government enforced DNC lists. I'm actually on the Georgia list and almost NEVER get calls. My original post was merely pointing out that the DMA Do-Not-Call list is a scam.

  14. Yeah Right on DMA to Control Spam by DMA Members · · Score: 2, Insightful
    That's like relying on the Tobacco Companies to issue guidelines on when smoking is socially acceptable and not.

    The DMA is all about self-interest, and their particular interest is enabling their members to put as much advertising in front of your nose as possible. The only thing they're trying to accomplish here is to look responsive, so that the threat of useful legislation in the area will be less.

    Oh, and as for those people foolish enough to sign up for their "voluntary" no-call lists for telemarketers, that's about equivalent to replying to spam; it only confirms that your phone number is legitimate.

  15. Re:Overhead in Redmond on Microsoft Caught Rigging ZD Net Poll · · Score: 1
    Right conversation, wrong names. Ballmer would be the one who clicked 228 times, while Gates is bright enough to recognize a validation script.


    Don't forget who was a programmer once upon a time, even if they're just a figurehead now.

  16. This is a security hole that they designed.... on Another Gaping Microsoft Security Hole Goes Unpatched · · Score: 1
    The following link goes directly to an article on the MS website that I read a number of months ago. I thought it was indicative of a stupid design then, and it seems that I was right.


    Appendix A: MIME Type Detection in Internet Explorer


    Now, here's how I came across this little gem of stupidity:


    I have designed a few cgi-enabled websites (for myself) that have a rather odd feature- compiled VB cgi. This seems very strange, I'm sure, but VB is actually fairly nice for very simple programs that handle databases.


    Unfortunately, I started running into trouble when I assumed that IE played by the rules with the Content-Type headers. I naively assumed that I could generate images as well as html on the fly, and IE would display it the way it was intended, since this would be very good for displaying images that were stored in the blob field of a database.


    Wrong! It turns out, certain Content-Types are considered "ambiguous", meaning that IE assumes you don't know what you're talking about and it needs to check to see if the content actually is what you say it is. If it fails the test, then IE overrides the Content-Type and simply displays the page as what it thinks it is.


    Ok, that doesn't sound too bad, does it? Well, what if you have a file that you list as Content-Type: text/plain (which is one of the ambiguous types), but the actual data is executable! IE tests the data and decides that the Content-Type is wrong, decides to treat it as executable, and pops you a dialogue box, asking if you want to download this or open it.


    Mind you, all this time, the URL sitting in your address bar probably ends in ".html". So you say "yeah, let's open the file. .html is safe, right?". Whoops, there went your hard drive.


    Now, I haven't tested this scenario, since I don't have malicious intent. The real bug is probably not quite as straight-forward as this (but then again, maybe it is). However, I can't help but be disgusted at the fact that this is not an accidental oversight, but rather an unintended consequence of a boneheaded feature.

  17. Re:Theory on Neutrinos, Muons and the Standard Model · · Score: 1

    "If you can't get a good quote something, make one up and attribute it to someone famous and intelligent"
    --death_denied(User#533148)

  18. Re:Closing the Backdoor on Fight Virus With Virus? · · Score: 1
    Well, first off, I don't think anyone should write this as a virus; that's just plain stupid. Write it as a targeted script against known infected IPs. I believe that's what you were advocating here and I agree with it, but the terminology was a bit ambiguous in spots and I wanted to make sure.

    Your comment on the Default Installation Settings problem is probably on target as well. I really couldn't say what the default installation is for Win2K since I never pick default, and I specifically don't install IIS. I had assumed that it was not in the default, although it is very possible that it is.

    As for ATTBroadband blocking port 80, I'm fairly sure they are since I've gotten no non-local traffic on apache since Monday at 11pm. I have no problems with connecting locally, and have checked my firewall settings. Additionally, I've read reports from fairly credible sources stating that they were taking these steps, and I have confirmed that I can't connect to my webserver remotely, but have no problem connecting on other ports. Note that they only blocked inbound connection attempts on port 80; outbound works just fine.

  19. Closing the Backdoor on Fight Virus With Virus? · · Score: 1
    I've thought quite a bit about this, since my apache server has been getting hammered with probes, and now my ISP (ATT Broadband) seems to have blocked connections to port 80 of its subscribers, leaving my website high and dry (yes, I can jump ports, but then I have to tell everyone I've jumped ports.)

    Unfortunately, the general consensus is that the proper remedy for this worm is to reformat and reinstall on an infected machine. And while the idea of reformatting the drives of all those idiots who got themselves infected and are probing my machine is very appealing, it's also potentially very illegal.

    I would be in favor of half-measures, like a script that would patch the IIS vulnerability, and clear out the root.exe and explorer.exe vulnerabilities, but this may be ultimately harmful, since it may not remove all vulnerabilities AND it may make detection of the exploit more difficult for the machine owner.

    Does anyone have any ideas in light of these problems?

  20. From Gamespy's "The Daily Victim" on How Do You Interview A Sysadmin Candidate? · · Score: 1
    The proper way to interview a SysAdmin:

    CAREFUL CAREER MANEUVERING WILL ALLOW ME TO CONTINUE PLAYING ASHERON'S CALL ALL DAY WHILE THE PAYCHECKS NEVER CEASE

    The relevant example starts about halfway through.

  21. Re:$97 million misspent in under 2 years??? on NASA In Financial Trouble · · Score: 1

    "I understand budget overruns of a few million. It's to be expected when researching and developing new and untested technology but wasting almost $1 billion on an unusable design???" Check your math again. 97 million is not "almost $1 billion" dollars. It is close to a tenth of a billion dollars. Still significant, but nowhere near as bad really.

  22. Troll on Star In A Jar · · Score: 1
    Dude, put down the Star Trek Technical Manual and rejoin us in the real world.

    Basically, for anyone else who's wondering, this is a load of pseudo-scientific garbage that is designed to sound realistic enough to alarm anyone reading.

    Would a REAL physics major in the relevant area care to enlighten us further in this area? As I recall, this isn't too different than the techniques being used to try to initiate nuclear fusion, and I'm pretty sure that the sun is not "dark matter" (which I also recall doesn't really have an explanation, beyond being an unaccounted-for quantity of matter that must exist for the Hubble Constant to be accurate as it has been measured)

  23. Project ELF on Scott McNealy On Privacy · · Score: 1
    Corporate sentiment like this is why the number of programs that are intended to aid in anonymous information sharing have flourished. I've been writing one (Project ELF) that is designed to provide a sort of anonymous online library where people can share information, specifically because people like this guy seem to think that everything you say and do online should be traceable back to you.

    What that completely ignores is the fact that there are many cases where you don't necessarily wish your opinions and information to be traceable. I believe that Slashdot has a rationale behind the concept of the Anonymous Coward. Some information is just too important to be shared for people to have to worry about being tracked down for sharing it.

    The downside is that people are more likely to say and do irresponsible things with anonymity. However, that is really a small price to pay to avoid the loss of freedom that comes when everything is monitored.

  24. An Absolutely Amazing Book on Thief of Time · · Score: 4
    This is a book that truly defies description to someone that has never read the DiscWorld series. Check out ThiefOfTime.net for the official page, complete with excerpt.

    Basically, in the 20 or so previous DiscWorld books, Pratchett has built a very rich and detailed history through the events of the characters. However, as would happen with almost any author, there are small timeline mistakes and such that creep into the series, which very devout fans love to point out on USENET.

    Thief of Time starts with the explanation of an event in the past of the DiscWorld that caused the Timeline to crash (which explains all the little inconsistencies, since it had to be patched back together). Since then, it's been up to the Monks of History not to merely record history as it happens, but to ensure that history continues to happen at all!

    Main characters in the book are Lu Tze (a History Monk patterned after Lao Tzu), Susan Sto Helit (Death's grand-daughter), DEATH, Lobsang Ludd (Lu Tze's apprentice), and The Auditors.

    Anyone who enjoys the sort of satirical humor that was present in Hitchhiker's Guide should check this out, and then read the rest of Pratchett's work.

    More information about Terry Pratchett and his works can be found at

    or any number of other online resources.

    Project ELF - Anonymous Distributed Filesharing

  25. As a previous user of Fnord! on Microsoft's GPL IPv6 Web Server. Not Really. · · Score: 2
    If this is the same program that I recall (and I'm pretty sure it is), this was a rather nice little bare-bones webserver.

    Back in earlier days of the web, sometime around 1995 or 1996, I recall finding this on the website of the student who wrote it. At the time, I needed a personal webserver and I don't think that Apache had released a port to Win32 at that point (I may be wrong). Anyway, I installed this sucker and it ran beautifully. It also had a tiny little Illuminati pyramid that sat in the systray.

    Interesting that M$ picked it up for experimentation. I would hasten to point out though that they are merely complying with the previous software license, since I doubt they would have used the GPL of their own accord.

    Project ELF - Anonymous Distributed Filesharing