Independent of whether or not you're trolling, this article needs someone to link to Advocating OpenBSD, and especially to a link off of that page, The Sound And The Fury.
Maybe it's just a case of this guy being able to argue his way convincingly out of anything.
yup. there's a lot he didn't point out. Here are a couple examples.
For example, why does he trust Palpatine's words? His argument against trusting Leia is that we know she's lied to the Empire so nothing else she says to him is believable. We've seen that Palpatine is willing to deceive people, so his words of wanting order or of the Senate not working should not be trusted either.
Comparing the Post-Empire galaxy to Somalia is naive - Somalia doesn't have a 1000 year history of governing itself democratically. There are plenty of examples of countries which have gone from dictatorships to more democratic governments with substantial success - look to Latin America for plenty of examples.
And i see no reason to trust Darth Vader any more than Palpatine - though arrogant he shows many signs of being manipulated by Palpatine.
Finally, is there a point in the movies where the rebels actually say they have no idea of what to do with the dissolution of the empire? i was under the impression that their goal was to re-implement the Democratic Senate which had previously served them for 1000 years, right up to the point that Palpatine started manipulating organizations (like the Trade Fed) to blockade others, start wars, secede, etc.
I have absolutely no problem with occasionally paying for a copy of Redhat. It certainly beats the aggravation of trying to download the freaking ISOs.
i would never pay for a redhat cd or any other linux cd. i do, however, get my boss to pay for a few copies each new release. those boxes end up unopened on the shelves.
but i do buy each OpenBSD cd that comes out, even though i also track -current and haven't installed off cd since 2.7 (they've a fast net install). i like paying for OpenBSD cd's b/c i like OpenBSD's overall strategy better than RH's. plus we get better shows from Theo than we do from RH. oh, and OpenBSD has *much* better stickers included with their cd's than RH does.
you should find yourself a good mirror for redhat iso's. look for a large university that is the fewest hops away from your fastest net connection. chances are that .edu will have an anonymous mirror - in my area i primarily use UofM and MSU's software mirrors.
I guess, I'd like to know Who is using constant encryption and why? For me, Encryption needs to be strong, standard, and integrated, otherwise it's just a pain.
ssh, https://, /etc/shadow are quite common and good uses.
dvds and 802.11b incorporate broken encryption schemes but are quite common.
these meet your criteria (strong, standard, integrated) and as you pointed out, that's why they are constantly used.
the other less common steganographic and encryption techniques will be used by people who are fascinated by them, need to use them, or feel they need to use them. and eventually the better techniques will become easier to use, more integrated, stronger, and will become more widespread, e.g. more companies are using vpn's and ipsec, OpenBSD has encrypted swap space, etc.
you delete the program, create a 100 bytes file on that block, the remaining 3996 bytes would be filled with part of the code of the program. Now, how would a malicious person be able to figure out that the files you hide in the blank space are not leftovers from programs you deleted?
It depends on what kind of data you are hiding, and how that data compares to the data already there.
the 3996 bytes left over will have a very discernable pattern: it will be machine code of the program, NOT random bytes.
the 100 bytes encrypted file you create will be random data and will (most likely) look very different from the machine code.
It would be like reading this message and finding a bunch of random numbers in the middle of it - you've got to ask yourself why the pattern was broken.
A better option would be to make your encrypted data look like bytecode and not like random data, kind of like how uuencode makes binary data into ascii characters - that way it won't stand out against the other non-data in the file.
How can one determine the difference between that and random bits left over from old programs, pictures?
your programs won't leave random bits behind, they leave program-droppings - maybe pointers, strings of data, etc. as with hiding data in image files, you have to be careful that the signature of your hidden data matches what one would expect in that area.
do a google search for steganography to learn more about it, or look into Niels Provos's stegdetect work at citi.umich.edu.
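The contrast drawn in the comment above (program leftovers versus encrypted data) can be measured with per-window byte entropy. This is an added example, not part of the original comment and not stegdetect's method; the sample block, the 64-byte window and the 5.0-bit threshold are assumptions chosen for the constructed data.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096   # block size used in the thread's scenario
HIDDEN_LEN = 100    # size of the small file written over the old block


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given window (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def scan_block(block: bytes, window: int = 64, threshold: float = 5.0):
    """Return (offset, entropy) for each non-overlapping window above threshold.

    A 64-byte window can reach at most 6.0 bits/byte, so the threshold is
    relative to that ceiling and must be calibrated on real data.
    """
    hits = []
    for off in range(0, len(block) - window + 1, window):
        h = shannon_entropy(block[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def build_sample_block() -> bytes:
    """Constructed 4096-byte block: 100 'encrypted' bytes, then program leftovers."""
    # Leftover of a deleted program (constructed): a short x86-64 function,
    # a format string and zero padding, repeated to fill the block.
    fragment = (bytes.fromhex("554889e54883ec20897dfc8b45fc83c001c9c3")
                + b"usage: %s <file>\x00" + bytes(8))
    leftover_len = BLOCK_SIZE - HIDDEN_LEN
    leftover = (fragment * (leftover_len // len(fragment) + 1))[:leftover_len]
    return keystream(HIDDEN_LEN) + leftover


if __name__ == "__main__":
    block = build_sample_block()
    for offset, entropy in scan_block(block):
        print(f"offset {offset:4d}: {entropy} bits/byte, pattern break")
    print("rest of block:", round(shannon_entropy(block[128:]), 2), "bits/byte")
```

Only the windows that overlap the first 100 bytes are reported; the leftover region stays well under the threshold because it draws on a small set of byte values.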
Guido's fist is a rather simple solution and will come in quite handy retrieving any files he lost on my zip disk (after he's pulverized my face and stolen everything i own). i hope i was paranoid and encrypted them...
i prefer storing everything on my servers b/c i never know what's going to happen to that removable media. I've never had anything stolen off of me but have had to chase down people who've tried to steal my shit and have known plenty of people who have had their physical stuff stolen from them (pickpocketing, muggings, etc) and plenty more people who are very forgetful and lose zips/cds/etc everywhere.
I find some interesting data around town from people who thought storing on removable media suited them! As long as you *can* keep it safe on you, that's fine.
If you are able to store data in the slack space of binary executables, you're presumably root
not necessarily root, but you have root access, like in the case of a compromised system.
until detection utilities become widespread, this would be a great place to hide your 1337 +001z like DDoS utils, portscanners, passwd crackers, lists of cc's passwds etc etc. set up a redundant distributed system across all your hacked boxen to hide files in executables and the sysadmin will not even realise what his system is housing.
Re:How to Google Whack... on Google Juice · Score: 2
What about thinking of a search phrase that returns exactly 573 results?
maybe we should start a search for the people whose names return exactly 666 results and consider them potential anti-christ material.
Re:How to spam the web with links on Google Juice · Score: 0, Offtopic
amen to that!
Re:How to spam the web with links on Google Juice · Score: 1
Google could use the same method of rating that they do now to raise the importance of pages to also demote weblogs in importance
then if a lot of people include valid links in their weblogs to "the worlds funniest joke" (which points to a really funny joke) google will demote it? this method makes the assumption that all weblogs are bad.
one of the main benefits of google was supposed to be that it held user input in high regard - that if various users had links to the same site then all those users must be on to something, which is still valid to a very large degree.
Re:How to Google Whack... on Google Juice · Score: 5, Informative
Try it yourself, just think up two obscure words and type them into Google.
3) do google search for the word and for derivatives of the word.
example:
words tried: inculcation, inculcator
4) choose word that has the least google returns
example:
inculcation: 14100 returns
inculcator: 238 returns
we choose inculcator.
5) if the returns number more than 1000 for any word or derivative, go back to step 1.
6) in the google returns for the word selected, look for an odd word in the returns, preferably one that is unrelated to the definition of the first word.
example:
words: inculcator, adepts
7) do a google search for both words. if it has more than one return, go to step 5.
8) submit your googlewhack
example:
words: inculcator, tablet.
9) once you find one googlewhack, look at the page returned for more odd/awkward words. use these as potential new googlewhacks.
using this method, i found a googlewhack in less than ten minutes (took me longer to write this up) and have repeatedly done so.
I would hate to accidentally block someone like google.
does robotcop have an 'Allow' feature to always allow certain ips? that and some whois's would solve this problem - it looks like google is 216.239.32.0 - 216.239.63.255
Re:But aren't poisoned addresses just stupid? on Robotcop: It's the Law · Score: 3, Informative
3 things...
1- why not add valid addresses that get sent to /dev/null? e.g. aaaaaa@example.com through zzzzzz@example.com. you'd get a substantial amount of traffic for that many addresses, but you could modify the amount of addresses to whatever your bandwidth/server could handle.
2- what are the legalities involved in creating a webpage with a specific email address, perhaps send.mail.here.to.be.charged@example.com, and placing it *only* on a webpage with a blatant notice of "If you mail this address you allow me to charge you $100/byte sent to this address" or a more specific terms of use (in order to encompass selling the address to others) and then charge once you get mail to that address? could a terms of use be created that would make getting money legal?
3 - how many of you use Matt Wright's (*shudder* when you hear his name) formmail? how many of you use fake formmail scripts?
for a while now i've been using a fake formmail script that only prints out a webpage saying "thank you for using this script" but doesn't actually send mail. Some people see that output (ignoring the html comment that says "I HATE YOU YOU STUPID PIECE OF SHIT"), think the script has worked, and run a program to submit spam to the script to "send" mail to a few thousand addresses.
so far my fake script has saved thousands of addresses from getting spam. some people test the script with their address first and then don't come back when they don't get the mail, but i could modify the script to send out the first mail from an ip, but not the subsequent mail.
but i'm wondering, has anyone else done work on this or heard of work like this?
If you don't understand what i'm talking about in point 3- "Matt Wright" (is he a real person?) has a series of scripts, one is formmail.pl which allows mail to be sent to any address. some people search for servers with formmail.pl on them and use those scripts to pseudonymously send mail to other people. We had seen this quite a bit at work, which inspired me to create the fake formmail.pl.
are there any other common scripts like formmail.pl that could be faked in the same manner?
Not to, uh, ask you to reveal trade secrets or anything, but does your bot actually fetch button images to make sure they're not transparent or something?
heh. i actually don't have any such bot, but meant to imply that it would be possible to avoid them.
the most i do with robots on my website is feed them special links - you can load robots.txt on my site and note the minute changes.
do bad spiders follow predictable patterns? like always entering at /, as opposed to ever having referers like from a google search? pretty much any patterns you can identify will help develop heuristics to distinguish between valid users and robots.
my coworker points out you only need 2 ips to get around just robots mode - one to get robots.txt, other to traverse dirs that robots shouldn't be traversing.
you should focus most on easily modified identification methods, as well as ease of configuration. maybe eventually there would be room for a distributed fingerprint database of known spiders, or known spider ips, that you could use in conjunction with current methods.
How about tying both User-Agent and IP address to form valid/invalid users?
on second thought if you did this then a spider could generate varying user_agents to get around robotcop.
maybe once you've served someone a page asking for identification of sentience you could use these and other params (ACCEPT_LANGUAGE, etc) to identify a valid user, but not to identify a robot.
the blocking of valid users seems rather annoying (NAT users, some proxy users) and a bad spider could get around the short interval by increasing its sleep time.
IPv6 could screw your implementation. If i have access to a huge number of IP addresses then i could access your website through any one of those addresses. A spider could run an initial probe of a few million websites through one ip, change ips, then grab a second page from all those websites, change ips, grab webpage, etc etc.
if i know a website is running robotcop, can i screw over valid users by forging my ip address, accessing robots.txt, then accessing a honeypot dir? can i screw over all users by cycling through all ips and doing this (yeah that's time consuming, maybe i could just screw over users from one range?)?
The main problems i see from the robotcop approach is that it assumes everyone who accesses robots.txt is a robot and it assumes valid users will not follow certain paths through the website.
This is different for email poisoners b/c if i'm a user and i get to page with a bunch of (invalid) email addresses, it doesn't matter. i click back and continue on my way. but for something that actually *blocks* users, it's a bit different.
As it stands now, i could go to an internet cafe (often they use nat) and block every other user from seeing any site protected by robotcop.
How about tying both User-Agent and IP address to form valid/invalid users? that way a bad user behind NAT might get blocked while a good user could go on. The more information you can tie to one particular thread of access, the more likely you are to single out one particular user.
Instead of only blocking ips that seem to be bad spiders, why not feed them specific information? that way if it is a user you can let them go on - "if you are a valid user, enter the word in the graphic below in this text field and click 'ok'!"
It really seems that whatever you do, it is possible to work around. Set cookies? i write a bot that keeps track of cookies. hidden webbugs/urls? my bot avoids these.
I can see robotcop as working in small cases, like for a limited number of servers on the internet, b/c then it is not worth the bot writer's time to implement work arounds. But once it becomes worth their time, you have a game of evolution.
Not that that's bad; keep a small enough base of users and you probably won't need to update methods all that often.
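The suggestions in the comments above (an allow list for the quoted Google range, a challenge instead of a block, and using User-Agent and Accept-Language only to recognise a visitor who has already passed the challenge) can be combined as follows. This is an added example, not robotcop's code or the commenter's; the `Gate` class, the `/trap/` honeypot path and the client addresses are hypothetical.

```python
import ipaddress

# Range quoted in the thread for Google (216.239.32.0 - 216.239.63.255).
ALLOWLIST = [ipaddress.ip_network("216.239.32.0/19")]
TRAP_PREFIX = "/trap/"  # hypothetical honeypot directory disallowed in robots.txt


class Gate:
    """Challenge suspect addresses instead of blocking them outright."""

    def __init__(self, allowlist=ALLOWLIST, trap_prefix=TRAP_PREFIX):
        self.allowlist = list(allowlist)
        self.trap_prefix = trap_prefix
        self.suspect_ips = set()   # addresses seen inside the honeypot
        self.verified = set()      # (ip, user_agent, accept_language) that passed

    def _allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, ip, user_agent, accept_language, path) -> str:
        """Return "allow" or "challenge" for one request."""
        if self._allowlisted(ip):
            return "allow"  # never challenge the allow-listed crawler range
        fingerprint = (ip, user_agent, accept_language)
        if path.startswith(self.trap_prefix):
            # A honeypot hit makes the whole address suspect and revokes any
            # earlier verification for this fingerprint.
            self.suspect_ips.add(ip)
            self.verified.discard(fingerprint)
            return "challenge"
        if ip in self.suspect_ips and fingerprint not in self.verified:
            # Headers are used to recognise a verified human, not to identify
            # a robot, so changing the User-Agent gains a spider nothing.
            return "challenge"
        return "allow"

    def challenge_passed(self, ip, user_agent, accept_language) -> None:
        """Record that this client solved the 'enter the word' page."""
        self.verified.add((ip, user_agent, accept_language))


def demo():
    """Constructed requests: a spider and a person behind the same NAT address."""
    gate = Gate()
    cafe = "203.0.113.7"                          # constructed shared NAT address
    human = (cafe, "Mozilla/4.0 (compatible)", "en-us")
    results = [
        gate.decide(cafe, "grabber/1.0", "", "/robots.txt"),
        gate.decide(cafe, "grabber/1.0", "", "/trap/list.html"),
        gate.decide(cafe, "grabber/2.0", "", "/index.html"),   # rotated UA
        gate.decide(*human, "/index.html"),
    ]
    gate.challenge_passed(*human)
    results.append(gate.decide(*human, "/index.html"))
    results.append(gate.decide("216.239.46.20", "Googlebot", "", "/trap/list.html"))
    results.append(gate.decide("198.51.100.9", "Mozilla/4.0", "en-us", "/index.html"))
    return results


if __name__ == "__main__":
    print(demo())
```

The person sharing the address is challenged once and then let through, while the spider stays challenged under either User-Agent. The forged-address concern raised in the same comment is outside what this sketch handles.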
Unless you perfected AI a couple minutes before your post, and I didn't hear about it yet.
oh, did you actually think i was a real human? ;-)
It would come out like a bad babelfish sitting in a car in the middle of summer in Texas
you're right of course; it occurred to me after mailing that to my brother that it would be easiest to do two passes through babelfish (english to other language, other language to english) and give the prof a good laugh-
the spirit is willing but the flesh is weak ->
o espírito é disposto mas a carne é fraca ->
the spirit is made use but the meat is weak
a while back i thought it would be nice to code up a little website that would take your paper full of plagiarised statements and transform it into a somewhat grammatically and logically similar (though not recognizably plagiarised) statement. use thesaurus lookups and statement restructuring to hopefully get the same idea across, but in a different enough way that turnitin.com wouldn't catch it.
but i don't plagiarise, i'm not in school, and i've other things to do than race towards a placebo for plagiarists, or even panacea for plagiarists.
the iTunes installer quit out on me a couple times, hanging the system (the Finder has unexpectedly quit and somesuch). I kept rebooting and running the installer until it got through to the end (kinda like the oracle installer). It wasn't my G3 laptop, though, so i don't know if it had any other problems.
as an aside, Georges Perec wrote "La Disparition", a French novel, without using the letter 'e'. Gilbert Adair translated it into English without using the letter 'e' as well; the English version is called "A Void". It's rather pricey and hard to find - i bought it for my brother a couple years ago. Reading the first few pages was very disorienting - quite legible yet there was always the feeling that something was Wrong with it.
on Solaris, put /usr/ucb/ in your PATH before /bin and /usr/bin
/bin/ps seems to run faster than /usr/ucb/ps.
but note that
check out: http://www.space.com/news/a11_plaque.html
doesn't fully answer your question, but indicates someone back then had a wider view of the world.
I thought he was trying to make a point on the current situation in U.S.A.
yup. there's a lot he didn't point out. Here are a couple examples.
For example, why does he trust Palpatine's words? His argument against trusting Leia is that we know she's lied to the Empire so nothing else she says to him is believable. We've seen that Palpatine is willing to deceive people, so his words of wanting order or of the Senate not working should not be trusted either.
Comparing the Post-Empire galaxy to Somalia is naive - Somalia doesn't have a 1000 year history of governing itself democratically. There are plenty of examples of countries which have gone from dictatorships to more democratic governments with substantial success - look to Latin America for plenty of examples.
And i see no reason to trust Darth Vader any more than Palpatine - though arrogant he shows many signs of being manipulated by Palpatine.
Finally, is there a point in the movies where the rebels actually say they have no idea of what to do with the dissolution of the empire? i was under the impression that their goal was to re-implement the Democratic Senate which had previously served them for 1000 years, right up to the point that Palpatine started manipulating organizations (like the Trade Fed) to blockade others, start wars, secede, etc.
did you mean for that to spell out as being the "I LOVE NY" act?
nice!
i've written a how-to on this; it's at http://www.blackant.net/other/random/how-to-google whack.php and repeated below for your convenience.
HOW-TO GoogleWhack
1) think of complex word, misspell it, and search dictionary.com for the misspelling.
example:
word: insullatory
http://www.dictionary.com/search?q=insullatory
2) look through dictionary.com suggestions for a very odd-sounding word, look at definition of word.
example:
word: inculcation
http://www.dictionary.com/search?q=inculcation&r=
3) do google search for the word and for derivatives of the word.
example:
words tried: inculcation, inculcator
4) choose word that has the least google returns
example:
inculcation: 14100 returns
inculcator: 238 returns
we choose inculcator.
5) if the returns number more than 1000 for any word or derivative, go back to step 1.
6) in the google returns for the word selected, look for an odd word in the returns, preferably one that is unrelated to the definition of the first word.
example:
words: inculcator, adepts
7) do a google search for both words. if it has more than one return, go to step 5.
8) submit your googlewhack
example:
words: inculcator, tablet.
9) once you find one googlewhack, look at the page returned for more odd/awkward words. use these as potential new googlewhacks.
using this method, i found a googlewhack in less than ten minutes (took me longer to write this up) and have repeatedly done so.
looking over the technical review and the readme, a few initial, random, and sporadic thoughts:
the blocking of valid users seems rather annoying (NAT users, some proxy users) and a bad spider could get around the short interval by increasing its sleep time.
IPv6 could screw your implementation. If i have access to a huge number of IP addresses then i could access your website through any one of those addresses. A spider could run an initial probe of a few million websites through one ip, change ips, then grab a second page from all those websites, change ips, grab webpage, etc etc.
if i know a website is running robotcop, can i screw over valid users by forging my ip address, accessing robots.txt, then accessing a honeypot dir? can i screw over all users by cycling through all ips and doing this (yeah that's time consuming, maybe i could just screw over users from one range?)?
The main problems i see from the robotcop approach is that it assumes everyone who accesses robots.txt is a robot and it assumes valid users will not follow certain paths through the website.
This is different for email poisoners b/c if i'm a user and i get to page with a bunch of (invalid) email addresses, it doesn't matter. i click back and continue on my way. but for something that actually *blocks* users, it's a bit different.
As it stands now, i could go to an internet cafe (often they use nat) and block every other user from seeing any site protected by robotcop.
How about tying both User-Agent and IP address to form valid/invalid users? that way a bad user behind NAT might get blocked while a good user could go on. The more information you can tie to one particular thread of access, the more likely you are to single out one particular user.
Instead of only blocking ips that seem to be bad spiders, why not feed them specific information? that way if it is a user you can let them go on - "if you are a valid user, enter the word in the graphic below in this text field and click 'ok'!"
It really seems that whatever you do, it is possible to work around. Set cookies? i write a bot that keeps track of cookies. hidden webbugs/urls? my bot avoids these.
I can see robotcop as working in small cases, like for a limited number of servers on the internet, b/c then it is not worth the bot writer's time to implement work arounds. But once it becomes worth their time, you have a game of evolution.
Not that that's bad; keep a small enough base of users and you probably won't need to update methods all that often.