Well sure, if you are starting from scratch, I would suggest that. BUT, this is a site that is already in production. If you have a squeaky hinge on a door in your house do you oil it, or bulldoze and rebuild? I was shooting for the quick fix as it's already hosed, instead of the wish list for v2.0 of the site.
Someone needs to look into database connection pooling.
If you are referring to the URI request for comments then you are wrong; it's not a standard. Check it out for yourself: the login syntax ([ user [ : password ] @ ] hostport) is only mentioned inside of telnet:// and ftp://, not http:// or https://.
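To see what the "[ user [ : password ] @ ] hostport" form quoted above actually does to a URL, here is an added example (not part of the original thread): a small parser that applies that grammar to the authority part of an absolute URL and cross-checks it against Python's urllib.parse. The sample URLs, the evil.example / bank.example names and the host_hidden_by_userinfo heuristic are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the demonstration (not from the original thread).
SAMPLES = [
    "http://alice:s3cret@www.example.com:8080/index.html",
    "http://www.bank.example@evil.example/login",
    "https://www.example.com/plain",
]


def parse_login_hostport(authority):
    """Parse the '[ user [ : password ] @ ] hostport' form quoted in the post,
    where hostport is 'host [ : port ]'. Returns (user, password, host, port)."""
    user = password = None
    if "@" in authority:
        # The last '@' separates the login part from hostport. An unencoded '@'
        # is not allowed inside user or password, so splitting on the last one
        # also defends against a stray '@' placed in the login part.
        login, authority = authority.rsplit("@", 1)
        user, sep, password = login.partition(":")
        if not sep:
            password = None
    host, sep, port = authority.partition(":")
    return user, password, host, (int(port) if port else None)


def split_url(url):
    """Apply the grammar to the authority of an absolute URL."""
    scheme, rest = url.split("://", 1)
    authority = rest.split("/", 1)[0]
    return (scheme,) + parse_login_hostport(authority)


def urllib_view(url):
    """The same fields as the standard library sees them, for comparison."""
    p = urlsplit(url)
    return p.scheme, p.username, p.password, p.hostname, p.port


def host_hidden_by_userinfo(url):
    """Heuristic (an assumption of this example): True when the text before '@'
    itself looks like a hostname, so someone skimming the URL is likely to take
    the login part for the site actually being visited."""
    _, user, _, host, _ = split_url(url)
    return bool(user) and "." in user and bool(host)


if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", split_url(u), "hidden host:", host_hidden_by_userinfo(u))
```

The second sample is the point of the exercise: whatever the RFC says about http://, every field before the "@" is login data and the host the client connects to is evil.example.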
That's the neat part about him being the boss: he doesn't have to put up with your sh#@, you have to put up with his.
I am assuming one of the sites you are referring to would be the one you put at the end of your post? If that's the case you really need a reality check; you don't even come close to Wikipedia or Slashdot... Not to undermine the size of your site or anything, but you are not the big dog you think you are. You are comparing two 3-digit-ranked sites to two of your 6-digit-ranked sites.
snowjournal.com vs wikipedia.org
skimaps.com vs wikipedia.org
Maybe this will put it a little more in perspective for you:
sun.com vs wikipedia.org
The question that always comes to mind when people propose spam-relieving solutions is how do you expect to implement it? It's not like you can just flip a switch and all of a sudden every email server and client out there understands the new routine. It would take years to roll out something that changes the current implementation of email. And what do you think everybody is going to do in the meantime? Ignore the new method so they don't lose important email from someone who hasn't "upgraded" their MTA, rendering the new method useless.
Let's not even get into the hardware costs for anybody who actually legitimately sends more than 8000 emails per day. Large ISPs or mailing lists come to mind; now all of them are expected to spend more money just because you want less spam? I don't see that happening.
The satellite server is unbelievably expensive. They were reworking the pricing somewhat when I purchased a bunch of enterprise RHN licenses a while back, so it may be better now, but the price tag was a little breathtaking considering the fact that even with the satellite service you still have to pay the per-server, per-year enterprise cost, with no discount.
I am so glad I just switched all my Linux boxes to Windows 2003 Server boxes!
Yahoo is not at fault for the application crashing, that would be poor bounds checking and error handling on the part of the Trillian developers. Writing fragile code when you are coding to a reverse engineered standard is pretty unacceptable...
You're so cute, you must work at a small company, huh? While what you say sounds really GREAT, try implementing it at a company with over 100,000 nodes, soon growing to 300,000+.
Dear anonymous poster, if you had read the article you would realize they blame the wind NOT being strong ENOUGH... Yes, Kitty Hawk had 25 MPH winds; that's probably why it did fly.
*sigh*
This happens more than you would think. I had the same thing happen at a .com I was working at. We had one of our main web servers go down one evening and went over to the datacenter we were co-located at to check it out. Sure enough the cleaning lady had ganked our power to try and clean the floor. That is about the time we asked the co-loc facility why in the hell they had us plugged into a wall instead of rack power like the rest of the equipment... ah well.
You might be on to something there... I'll take distribution rights you can have naming rights. Split the take 50-50?
First off, I will say whatever the hell I feel like saying.
Second off, I am not the one who has Troll points beside my comment, that would be you.
Third, you DO suggest the possibility of not patching. Your comment about regression testing by the university etc... If there is no alternative to patching then why would somebody even bother with regression testing? In this case it's either patch, or someone will destroy my system for me. Personally, I don't see there really being any options here...
And you're dead wrong that it isn't the institution's responsibility to protect their network resources. Which is why my comment about the university banning personal PCs is very real. It would be retarded for universities not to put some requirements on software the systems are required to run (anti-virus) and patches that must be applied (anything from Windows Update, if it's a Windows box). Almost all of the latest viruses COULD have been prevented with patching alone. This is one thing I actually give Microsoft credit for: they can tell when a threat is a bad one and they release patches accordingly. It's bullshit attitudes like yours that put networks at risk. Well, that and all the people that don't even know what a patch is...
So let's say I discovered two food ingredients that, if mixed together, would kill millions. And I somehow also found a shot that would make you immune to the effects if taken before the food combo. Would you prefer I release the specifics or let everybody get the injection first?
My favorite alternative to this is to warn them several times to go to a certain website where they must download and run the cleaner/patcher. If they don't comply, swap their port over to another vlan where the only thing they can do is see the other infected machines and download the patch.
Yes, this requires scripting skills and good switching hardware, and yes, I realize both of those are not available at all universities; just a suggestion for where the hardware does exist.
The way to pull off the part about all they can do is download the patch: set up a Linux box on this VLAN which is the DHCP server, DNS server and web server. It gives out an address, along with the DNS server and gateway settings set to the Linux box. If they try to do DNS resolutions, just have the DNS server answer back with its IP address for every lookup. So when they hit www.google.com it will hit your web server. In the case of cached DNS entries, this is where the gateway comes into play. Set the box to redirect any incoming port 80 traffic to the local web server. That way any resolved or cached DNS queries that end up becoming web requests end up at your web server, where you have a message and two links: one for the patch and one for "scan me so I can get back to the real network," which will kick off a copy of the DCOM vuln scanner and, if they have a clean bill of health, swap them back to the real VLAN.
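The "answer every lookup with my own address" piece of the quarantine VLAN above, as an added example that is not code from the original post: a minimal UDP DNS responder that parses the question, echoes it back and answers any IN A (or ANY) query with the captive box's address, with TTL 0 so the client does not cache the bogus record. The captive IP 10.99.0.1, the transaction ID and the sample query built by build_query are constructed for the demonstration; AAAA and other types get an empty, authoritative answer so clients fall back or give up quickly rather than retrying forever.

```python
import socket
import struct

# Assumed address of the quarantine box on the isolated VLAN (hypothetical).
CAPTIVE_IP = "10.99.0.1"


def parse_question(packet):
    """Return (txn_id, flags, qname, qtype, qclass, end_offset) for the first question."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    off = 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(packet[off:off + length].decode("ascii", "replace"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    return txn_id, flags, ".".join(labels), qtype, qclass, off


def build_response(query, captive_ip=CAPTIVE_IP, ttl=0):
    """Answer any IN A/ANY query with captive_ip; other types get an empty answer."""
    txn_id, flags, _qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    rd = flags & 0x0100                       # copy the client's RD bit
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080  # QR=1, AA=1, RD, RA=1, rcode 0
    if qtype in (1, 255) and qclass == 1:
        header = struct.pack("!HHHHHH", txn_id, resp_flags, 1, 1, 0, 0)
        # Name as a pointer to offset 12 (the question), type A, class IN, TTL, rdlength 4.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(captive_ip)
        return header + question + answer
    header = struct.pack("!HHHHHH", txn_id, resp_flags, 1, 0, 0, 0)
    return header + question


def build_query(name, qtype=1, txn_id=0x1234):
    """Build a plain recursive-desired query; used only to construct sample input."""
    q = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", qtype, 1)


def answered_ip(response):
    """Extract the A record from a response produced by build_response, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    qend = parse_question(response)[5]
    rdlen = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return socket.inet_ntoa(response[qend + 12:qend + 12 + rdlen])


def serve(bind_ip="0.0.0.0", port=53):
    """Run the sinkhole (needs root for port 53). Malformed packets are dropped.
    The cached-entry case from the post is handled outside this script, on the
    same box, e.g. with iptables:
      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            continue


if __name__ == "__main__":
    serve()
```

Point the DHCP scope's DNS and gateway options at this box and every name a quarantined client resolves lands on the local web server; only clients with a stale cached entry bypass DNS, which is what the port 80 redirect on the gateway catches.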
Obviously you are well misinformed as to the repercussions of not patching for this worm. You can get pissed at Microsoft if you wish, but not patching for this is not really an option. It is a non-authenticated remote administrator exploit, with one of the 30 different variations of the exploit that are available to the public. People have even released "DCOM exploit for dummies" how-to pages at this point. Unless you want random people traipsing around your hard drive with rights to read/write anything on the disk, then patch.
And if the RA was caught infecting everyone's PCs with a new hole while passing around a disk to fix an old one, it wouldn't happen twice because they would be expelled. Just remember, not everyone is out to get you. Take off the tin hat sometime, leave your cave, smile and say hi to the people you meet on your trip around the real world. They are not all out to get you; if this sentence seems false, there is medication that can help you.
The wrong thing for you to do is to try and fight the man and tell them they can't do things to your PC, because pretty soon your network jack will stop working and you will be packing up your PC. And if you enlist enough of your buddies to fight the fight with you, next thing you know they will institute a policy that part of enrollment is paying for a brand new Dell laptop that will be yours when you leave school, but will be administered as the school asks till that happens. Just FYI, that's the way several of the expensive universities do it.
The larger it gets the more the control slips; you can easily put your hands on 40 boxes. You can't easily put your hands on 100,000+ desktops, of which at least 65,000 are running DCOM and are located in damn near all of the contiguous states and several countries...
When you move things up to that level you run into problems that you could never imagine... Just trying to share the perspective of how things work in BIG companies.
Not trying to pick on you, you're just at the end of the chain on this thread :) The problem isn't at the gates. The problem, at least on big networks, comes in when you have VPN, dial-in, dial-out, laptop users that take computers home at night, etc... Unless you are doing ACLs at each layer 2/3 device, then all the border protection in the world isn't going to stop it from spreading when Joe brings in his laptop from home where he has no cable router.
The only valid defense for this one is to patch, or run a network where Windows boxes don't really talk to each other or Exchange... The 4444 thing will work for this variant, but .B will just add randomization of the shell port, so you are pretty much hosed at that point.
Actually there are several versions, and the newer versions of the exploit do not make the box unstable. The call at the end of the shellcode was changed to solve that "problem".
Ya, you're right, sorry 'bout that... I just remember having to pick through the licenses for a program we were working on; I forgot that all the stuff we were using was LGPL. Brain fart :(
Since you obviously don't live in the real world, here is a quick note from it... There are LOTS of devices that don't support encryption that are in use at most organizations of decent size. If you were to take a stroll around all of the Fortune 1xx companies, I bet you would find unencrypted traffic that might be considered sensitive data flowing all over the place...
And I am not talking just the custom apps that some dev team in house wrote several years ago. This includes software packages today that don't have price points below 1 mil (ERP).
And we can look at a much lower level: most companies of any size are going to have some Cisco gear on their network. Guess what the normal Cisco image doesn't support? Encryption, which means you are giving out passwords to all your layer 2/3 devices to anybody sniffing, because Cisco doesn't seem to want to give SSH to everybody.
Even lower down the food chain, home routers, wireless access points: how do you configure them? Telnet or HTTP.
The list of examples goes on for days. Before you tear into all the non-encryption-using admins out there, try sitting in their shoes and think about the battles they have to fight on a daily basis just to get the gear they need to do their job, much less change the way HUGE vendors do business. Business case always beats techies' wild-brained ideas, like security.
You can link against GPL libraries in your code, but if you go in and monkey with the library at all to get your code to work you have to release those changes...
I can't decide if this is a troll or not. How is this a big vulnerability? Well, take a second and think how easy it is to be exposed to a MIDI file compared to an executable in an email or a malformed packet on one of Windows' many default listening ports.
Newer versions of Outlook and many mail servers can block .exe, .src, .com, etc. extensions from ever making it to your double-click-happy hand.
A $35 personal firewall from your local computer store can protect you from port based attacks.
But when was the last time you saw security software/hardware that blocked MIDI files? An exploit of this in the wild would mean any webpage, any HTML email, any MIDI file download would be an attack vector. How is this a small problem?
I honestly don't see the purpose in this site or the tool being developed to use it. I use Nessus on a daily basis and it seems to work just fine for this task.
I mean, what more could you ask for... a client/server-based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database have been created, maybe you should just write a program that exports the exploit tests as Nessus NASL scripts so we can do the tests, and Snort rules so we can detect testing.