I just got an xbox recently as a gift with the live subscription. Gaming has apparently taken on all types of new money making schemes. Microsoft (which has you pay a per year fee for server access) enforces a CC number for all accounts. even if they were a gift like mine was. This is to allow you to 'unlock' features in games. Want the extra outfit for your character ($5) please. There is a setting so that it's not automatic and I have the setting toggled so. I wouldn't be suprised if the 'more you pay' type mentatlity creeps into games more. They are probobly tired of seeing all those scammers on eBay making a mint off selling gold pieces (or whatever the currency for the game is), enhanced characters, etc.
Once companies realize that adult gamers have little else to dispose their cash on you will probobly be able to start a lvl 80 character for the low low price of $24.99. After you've purchased the game and online subscription of course. Don't forget to get the extra cache of power weapons upgrades... only $4.99 this week...
I just tried some everCrack last month as I was invited to play the third phase of the Beta for PS2 platform. And a lot of what this guy had to say was right on for my expierence. I had heard about eq, and daoc, and even played some games like DiabloII and noticed that people will exert power wherever they can. Players who revel in killing off other players (DiabloII) or leeching loot (eq). I had some incident where a MOB (new term for me) respawned and some members from my new guild killed the MOB thinking it was for me. However it wasn't and the other group had to wait for another respawn (8 minutes) and then I had to wait... it was infuriating. There was bad blood in the air and if we were all in the same meat space I'm sure a fight would have broken out.
I thought these games would be the ultimate incarnation of the games I grew up with (old SSI games like pools of radiance and bard's tale series) however the missing piece of that game (the human element) can sometimes make it more miserable an expierence. Ironically it's the human element that can make games really fantastic (like in CounterStrike...) but perhaps there is just a certain discipline (server admins who care about the players etc) to those games that commercial ones will lack. After playing the EQ beta on PS2 I was hooked. Like crack hooked. But considering what I just read and the expierences I've already had I doubt I would pay a monthly subscription for this.
To sum up, if your an old rpg fan like I am wait for something like phantasy star online or gta4 (which will hopefully be online) or just play NeverWinter Nights!
Twas the night before Christmas, and deep in IE A creature was stirring, a vulnerability MS02-066 was posted on the website with care In hopes that Team eEye would not see it there
But the engineers weren't nestled all snug in their beds, No, PNG images danced in their heads And Riley at his computer, with Drew's and my backing Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter And with just a glance we knew what was the matter Away into SoftICE we flew in a flash Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code Caused an AV exception when the image tried to load Then what in our wondering eyes should we see But our data overwriting all of heap memory
With heap management structures all hijacked so quick We knew in a moment we could exploit this $#!% More rapid than eagles our malicious pic came -- The hardest part of this exploit was choosing its name
The biggest difference between the US and China is that in the US we simply 'flag' people when they view content that govt officials object to. China simply blocks it all together. I like to call it a passive police state. No aggressive tanks out in the square but plenty of riot control and lots of big brother. Also China doesn't have the tech to create the system themselves, the US private sector gave China most of it's capabilities. Now the big question is, Did the US intel community get together and insert some back doors in THAT technology so we can watch their watchers?
This is just a copy of Andreas Sandblads advisory, with a new command.
http://wwx.dino-soft.org/auto.html
note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -
The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formating will harm; because this has been tested and works on Windows 2000 WinXP/home/corp/pro Win98/SE.
This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on there hands maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite easy be made to be quite nasty; but when the author of the original hole who's hole I have sort of legoised and made to work a very little bit differently Microsoft had this to say to the original author:
"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
Just like the Apache vulnerability release the ISS team failed to contact the maintainers about the vulnerability to get a proper patch released. This is horrible behaviour and it endangers everyone. Most say this recent behavior is due to the fact that M$ is in bed with ISS and their 'x-force'. They seem to target open source projects and then issue statements denying that there are 'responsible contacts' since it's not an actual firm or corporation. Just another tool to cause fear and uncertainty in the open source world in the name of security. While ISS didn't release the full details of the exploit they released enough. Anyone with half a brain can figure out how to turn this exploit into a deadly worm. I'd give it a few weeks before we see the first few attempts.
This means that someone captured it using a CAMera in the theater, most likely in the UK where the movie was released publically. This also means that if the piraters were really *good* they would patch into the sound board. otherwise you'll hear the difference (audience noise, room tone) Also the screen will be cut off on the sides and picture will have a grainy look to it. For it to be *leaked* like LOTR would involve someone with a screener copy (in this case a DVD sent to the Oscar's panel) releasing the data to the internet.
Before the movie goes to home video another release will occur that will be of much higher quality. (sorry to spoil it for those of you playing along at home)
What I can't figure out is how he would know all 4 of the winners in the first four. Everyone has just glanced over this detail. Saying "he knew the outcome ahead of time" is absurd! Unless the computer they had access to contained a script (this horse wins in the first...) and horse racing is as fake as WWE I'm still left in shock. Now if the guy had someone modify the bets AFTER the races that's another thing all together.
would be interesting to find out who they really are first. The company is hosting out of Salt Lake City but the registration information points to Panama. International law anyone? anyone?
Registrant:
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
Registrar: Dotster (http://www.dotster.com)
Domain Name: FRIENDGREETINGS.COM
Created on: 20-JUL-02
Expires on: 20-JUL-03
Last Updated on: 17-OCT-02
Administrative Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535
Technical Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535 I also found links to 'offshore accounts and email' services registered under his name in different Panamanian web sites.
Panama Offshore Services International, Inc. Full Service Law Firm with an international presence, specializing in Commercial & Immigration Law. Discount retailer & wholesaler of Corporations, Foundations & Trusts. US$1000 complete package includes Corporation (or Foundation) + Bank Account. English & Spanish speaking staff. Ave. Ricardo J. Alfaro, Sun Towers, 1st Floor, Office #39, PTY 296, PO Box 0832-2745, WTC, Panama City, Republic of Panama E-mail: info@pos-inc.com Encrypted Email: posinc@hushmail.com Tel (Panama): ++(507) 236-8303 Fax (Panama): ++(507) 236-7150 Toll Free Fax / Voicemail: ++(800)-716-3452
I've been 'working' for about 10 years now in business that fight to stay alive. We watch the bottom lines and we make cuts when times are tough. I've never heard these things come from the industry of film and music. I understand it's art and that some things that are wonderful to watch cost money. But the salaries that are handed to actors these days are more ridiculous then what sports players make. Entertainment employees have more wealth then most of the world. I think it's a horrible way to distribute power in our country (yes money = power) and I hope it does change. Actors shouldn't make nearly what they make, hell sports players shouldn't either. Want me to go see a movie, make it $5. And I don't mean just one movie, $5 means I get to watch as many movies as I want that day. If that means that the top actor only gets 6 figures then so be it. I watched the dot com bubble burst and all our salaries plummet and to be honest it was probobly a good thing. Too many useless VP's drawing exhorbent salaries just like what we see in the media industry. Let them expierence the economic slump like the rest of us and humble themselves.
I've seen a lot of comments here that say "block the ports". I couldn't agree more. I work at (undisclosed security software vendor) and our vulnerability assessment tool tells administrators to disable this service unless it's absolutely needed. Some applications still use this medium as a way to message certain information (like system wide outages etc) in the same way that the unix 'wall' command does. Anyone who leaves the netBIOS ports open to the world though is just asking for trouble. Earlier the explaination on which ports (135-139 tcp/udp) to block was highly informative but I would say just block all of them from outside connections. I can't think of any examples where it is healthy to keep these open and available. Beyond annoying pop up messages it is possible to enumerate user information via the IPC$ null session bug which is STILL present in default installations of windows machines.
He's was also supposidly convicted at some point and time so he ended up on that side of the line to reduce his sentence. Can't say I blame him, geeks don't fair well in prison.
I don't feel sorry for him in anyway either, he is a paid network hall monitor who snitches on folks trading media. All arguements aside he's a paid fink. He knows there is a price to pay for the position he put himself in. He could have told the judge to stick the gavel where the sun don't shine and served his term. At least he wasn't a whiney brat about it.
Now if he is enjoying a large collection himself (eg viewing his database of child porn and other 'evidence') then he is also a huge hypocrite. And for that he should burn, but aside from that he isn't doing anything considered unethical or in bad taste.
If one wants to enjoy the privledge of illegal media (movies released to the net before the stores) there is a huge price to be paid. Paranoia, scheming and a little adrenaline. Don't like it? Don't download, it's that simple. The game has been going on for as long as I've had my fingers on a keyboard... the stakes have just gotten a lot higher.
That's something I thought about when I was around 15 or so. I was going to use VIOS (video input output system) to create a material that reads the surrounding area and recreate what an observer should see. Then I read a Gibson book (maybe it was sterling) where a vehicle used the same concept to camoflauge itself from aerial surveilence. My kicker was what happens when someone shines a spot light ON the object or points a laser. Will the system be able to 'forecast' where the light would end up and or shine it back in the even of a laser?? This idea (if patented) will make me puke on the current USPTO system. That or start filing a bunch of patents myself for photon torpedo's, neural network interference devices and anything else I've read in SF novels.
I've been wanting to get into this type of field myself now. Promise copyright thugs the world "I can stop them from copying your precious material" and deliver something that gets cracked in about a day or so. No skin off my back and I just took a couple million off your hands (RIAA/MPAA) to boot. I think we should all start selling schemes to them. Remember it's like telling them " I can make water not wet"... and the unbelievable part is they are stupid enough to believe it.
This is a section of the new reform that explains the actions a user may take if they have been wrongfully DoS'd by the Copyright thugs..
''(A) The affected file trader may file a claim for such compensation with the Attorney General 17 not later than 1 year after the date on which the 18 claim accrues. The Attorney General shall, not later 19 than 10 days after the claim is filed, serve notice of 20 the claim on the copyright owner against whom the 21 claim is brought, and shall investigate the claim.
They have 10 days to serve them. So I figure if everyone of us who has any type of network related errors starts automatically blaming them we can fill up the paperwork stack and let them choke on it. Sort of a legal DoS. Fuck 'em, they can attack us we can attack them. I don't even use p2p anymore but I think this is a retarded law. Aside from the fact that in a sense they are legalizing hacking.
How far can they go? can they take down my firewall to DoS me? If I'm on a cable node they will end up saturating the subnet and screwing up the bandwidth for everyone. boy ranting is fun...
Let's say for some reason a person writes a worm/virus whatever and it sets up a p2p node on your machine without your notice. Suddenly your getting attacked by some random john q mercenary hacker!
oh wait now THERE is a part of this no one thought about yet. MPAA RIAA has shit for brains and could never do the dirty work themselves. Basically they will have to hire a bunch of black hats to do the work for them. That's practically sanctioned terrorism! Makes me wonder if I should change jobs. I work in the security field now but can't say that I've ever had a job request like that. So Metallica would come to me and say "Hey this is Lars, here's a list of IP's take them down."
I think secretly I like this idea if I could be some weird net-wise Buba Fett. He was always my favorite character in Star Wars. Now it will be Star Warez.
it's no wonder they didn't get any of the other images on the site (which can all be reached by doing a google search). if they had access why not just rm -f * the web directory??
A lot of the folks here need to read more then the headlines and a few posts before putting in their two cents. Gilmore is opposed to secret rules and regulations for the airlines to enforce via Homeland Security. There are LOTS of reasons one may wish to buy an anonymous ticket and none of them have to do with terrorism OR hurting people. Some folks want to leave town unmolested by ex lovers, spouses, etc. I knew a musican who's bandmate started dating a fairly high profile actress. She went through great pains to go un noticed at an airport. It's her right not to be hounded by fans when she is going to visit some relative by plane.
Gilmore is wealthy and probobly loves anonymity himself. It's his right to maintain that. If he wants to fly somewhere and not disclose who he is then certain restrictions should apply. He doesn't mind that. He submitted to the "more aggresive inspection" of himself and his properties. I'm still not sure why he denied the search of his bag but I would assume he is a stubborn guy when it comes to hand searching bags. The last time I was at an airport I wanted to spit on the girl who was tossing my electronics around while she looked for contraband.
I don't think he has a great chance at winning this either but my support goes out to him for this battle. He is at least using his money to better our world. Not to bilk the rest of us (eg oracle) or just trying to corn hole random women (eg the oracle playboy).
Maybe if more of us were willing to ask the questions that he did things would improve. Instead we have morons (some posted earlier) that don't get the big picture and gripe about it. Next time they ask you for ID question them about it. Politely ask what regulation forces them to check ID's. Politely ask why some over zealous guy is feeling me up in front of a large crowd of people (some armed with machine guns). Ask why.
So I did a little digging and found the names of the sites that they were talking about. Google picked up the cache of the site and decided to see if any of the site is still online. Lo and Behold, Presto Magicko... http://www.porcamadonna.com/index2f.html
I saw a post attached to this thread somewhere stating ISS surely wouldn't withhold out of spite. In fact they simply don't trust the Apache team (specifically Red Hat).
Nothing about their motive to release this without notifying the vendor (apache dev team) but sheds light on remotely exploitable aspects of this find.
----------
This vulnerability was originally detected auditing the Apache 2.0 source tree. Apache 2.0 uses the same function to determine the chunk size, and has the same vulnerable signed comparison. It is, however, not vulnerable (by luck?) due to a signed comparison deep within the buffered reading routines (within core_input_filter).
This issue is no more exploitable or unexploitable on a 32-bit platform than on a 64-bit platform. Due to the signed comparison, the minimum size passed to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over 2gb of contiguous stack memory located after the target buffer in memory, a segmentation fault will be caused. If you understand how the stack is used, you will understand that this is an impossibility.
Apache on "Win32" is not exploitable due to any "64-bit" addressing issues. It is easily exploitable due to the nature of structured exception handling on Windows and the fact that exception handler pointers are stored on the stack.
If the DoS vulnerability is related to the overflow then the ISS patch will work to prevent it. The unsigned comparison prevents any stack overflow and as a result any related DoS issue is prevented. If the DoS issue is unrelated, then of course the ISS patch will not be of any help.
I see your point but Microsoft's IIS dev team and Apache's dev team are two entirely different animals. Respected security firms generally have the courtesy of advising the vendor first and if they don't get a response will release the bug to the public. In this case however it would appear that ISS wanted to get the publicity that NGS software would have received. Here is an excerpt from their post to Bugtraq (referenced in the parent post)
Like ISS obviously did, one of the first things NGSSoftware did after the eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted that the Win32 distribution of Apache was vulnerable.
However, our approach to addressing this problem was/is completely different. We alerted Oracle, Apahce and CERT.
Our last response from Mark Fox of Apache was that they "have decided that we need to co-ordinate this issue with CERT so that we can get other vendors who ship Apache in their OS and projects aheads-up to this issue." NGSSoftware, of course agreed that this would be the best plan of action as most people who use the Win32 Apache version do not have a compiler and so can take steps to protect themselves. They're mostly relying on their apache 'supplier' to produce a patch.
p.s. the point i was making earlier in this post is that I'm not surprised if MS says they will take forever to put out a patch. I would be highly suprised if the Apache team would have said they were going to take 8 weeks to post their fix and not cooperated with the vulnerability finder. What ISS did was plain irresponsible, especially for a security firm that is publically traded.
Turns out the ISS X-Force team doesn't trust the Apache crew to fix what seems to be a very serious exploitable bug in the http code. They just released an advisory to the Bugtraq mailing list here and provided some 'patch code'. The patch code (which attempted to typcast the vulnerable area) doesn't seem to fix the issue. So in effect there are a bunch of Apache servers out there with a possibly remote exploitable buffer overflow. Was this a big ooops on the part of ISS? One has to wonder why they didn't go to the Apache team first with this? Rumor has it that ISS feels that Red Hat has burned them (ISS) in the past and since the Apache team has some Red Hat employees they shouldn't be trusted. Another rumor that has been floating is that the ISS team doesn't consider Apache to be "a vendor" and therefore doesn't need to follow the normal disclosure rules. This sets a pretty bad precedant of not working with vendors just because you don't get along with them. A companies personal pettiness should not be allowed to override the security of a majority of the internets websites. The patch has offically made it into the Apache CVS but again why the hell didn't ISS talk with Apache? I noticed another post by NGGS (referenced in link above) that they already had a CVS number so they appeared to have gone through the proper channels and got 'beat to the punch' by ISS. Sounds like a motive to me....
"The economic losses due to piracy are enormous, and they are felt thought the music value chain. Piracy also nurtures organized crime across the world, and it stunts investment, growth and jobs."
The words just aren't there........`s/thought/through/g; #moron`
oh wait, this just in.
Experts from the JUST_SUBMIT Group, a lying bag of lobbyists, have just released a advisory stating that pirating not only caused 50,000 deaths last year but may cause the Apocolypse.
"We got a communique from their leader, Satan the celestial terrorist, stating that the seventh sign is nigh. We're not real sure what nigh means but we have a team of lawyers ready to bring several law suites against Satan and his company, Hell Inc." stated Hilary Rosen, CEO of the RIAA. "Not only do we have copyrights on "Satan" and "Hell" but most of his deamons appear to operate peer to peer networks. They could face trillions of dollars in damages." For more information please read this document.
Didn't the entire watermarking effort get flushed after SDMI proved to be ineffective? The 'content protection' scheme was broken in no time by the guys at Princeton if memory serves.
So the music industry will have to subsidize new equipment to push their new technology increasing costs to the consumer in the end. The technology will get broken but they will have created so much momentum that they will continue to use it (like with DVD's) since they can't just recall it.
Foriegn markets will explode since folks like myself (and some readers here i'm sure) will go to Canada, UK, HK, etc get non watermarked equipment. Sales will 'slip' and suddenly pirates will be blamed again. Coming soon! WaterWhiteOut! With your WWO device you can effectively strip out all broadcast flags and record whatever the fuck you want. only 19.95
New laws will be created to help curb the rampant recording of signals in the air without authorization. 15 years (plus 2MM fine) for recording some new WB teeny bopper show and additional 10 years for uploading it to a server. It's just a vicsous cycle that we can't seem to break.
Slashdot Mirror
I just got an xbox recently as a gift with the live subscription. Gaming has apparently taken on all types of new money making schemes. Microsoft (which has you pay a per year fee for server access) enforces a CC number for all accounts. even if they were a gift like mine was. This is to allow you to 'unlock' features in games. Want the extra outfit for your character ($5) please. There is a setting so that it's not automatic and I have the setting toggled so. I wouldn't be suprised if the 'more you pay' type mentatlity creeps into games more. They are probobly tired of seeing all those scammers on eBay making a mint off selling gold pieces (or whatever the currency for the game is), enhanced characters, etc.
Once companies realize that adult gamers have little else to dispose their cash on you will probobly be able to start a lvl 80 character for the low low price of $24.99. After you've purchased the game and online subscription of course. Don't forget to get the extra cache of power weapons upgrades... only $4.99 this week...
I just tried some everCrack last month as I was invited to play the third phase of the Beta for PS2 platform. And a lot of what this guy had to say was right on for my expierence. I had heard about eq, and daoc, and even played some games like DiabloII and noticed that people will exert power wherever they can. Players who revel in killing off other players (DiabloII) or leeching loot (eq). I had some incident where a MOB (new term for me) respawned and some members from my new guild killed the MOB thinking it was for me. However it wasn't and the other group had to wait for another respawn (8 minutes) and then I had to wait... it was infuriating. There was bad blood in the air and if we were all in the same meat space I'm sure a fight would have broken out.
I thought these games would be the ultimate incarnation of the games I grew up with (old SSI games like pools of radiance and bard's tale series) however the missing piece of that game (the human element) can sometimes make it more miserable an expierence. Ironically it's the human element that can make games really fantastic (like in CounterStrike...) but perhaps there is just a certain discipline (server admins who care about the players etc) to those games that commercial ones will lack. After playing the EQ beta on PS2 I was hooked. Like crack hooked. But considering what I just read and the expierences I've already had I doubt I would pay a monthly subscription for this.
To sum up, if your an old rpg fan like I am wait for something like phantasy star online or gta4 (which will hopefully be online) or just play NeverWinter Nights!
Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there
But the engineers weren't nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew's and my backing
Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory
With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came --
The hardest part of this exploit was choosing its name
The biggest difference between the US and China is that in the US we simply 'flag' people when they view content that govt officials object to. China simply blocks it all together. I like to call it a passive police state. No aggressive tanks out in the square but plenty of riot control and lots of big brother.
Also China doesn't have the tech to create the system themselves, the US private sector gave China most of it's capabilities. Now the big question is, Did the US intel community get together and insert some back doors in THAT technology so we can watch their watchers?
This is just a copy of Andreas Sandblads advisory, with a new command.
http://wwx.dino-soft.org/auto.html
note: prefix altered in "wwx". Needs to be reversed into "www" to make the URL work -
The above url when viewed WILL FORMAT THE A:\ drive when viewed on a fully updated and patched windows system. If you go there make sure there is nothing in the A:\ that formating will harm; because this has been tested
and works on Windows 2000 WinXP/home/corp/pro Win98/SE.
This is a harmless POC to give you experts here a heads up; because Microsoft HAS been informed of the hole; but they seem to be sitting on there hands maybe much like the recent XP hole that they knew about before XP even shipped; but chose to wait until SP1 to correct.
This is VERY DANGEROUS, and this little harmless POC could quite easy be made to be quite nasty; but when the author of the original hole who's hole I have sort of legoised and made to work a very little bit differently Microsoft had this to say to the original author:
"Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".
Just like the Apache vulnerability release the ISS team failed to contact the maintainers about the vulnerability to get a proper patch released. This is horrible behaviour and it endangers everyone. Most say this recent behavior is due to the fact that M$ is in bed with ISS and their 'x-force'. They seem to target open source projects and then issue statements denying that there are 'responsible contacts' since it's not an actual firm or corporation. Just another tool to cause fear and uncertainty in the open source world in the name of security. While ISS didn't release the full details of the exploit they released enough. Anyone with half a brain can figure out how to turn this exploit into a deadly worm. I'd give it a few weeks before we see the first few attempts.
read the fs'cking NFO file people.
:: CAM
Quality
This means that someone captured it using a CAMera in the theater, most likely in the UK where the movie was released publically. This also means that if the piraters were really *good* they would patch into the sound board. otherwise you'll hear the difference (audience noise, room tone) Also the screen will be cut off on the sides and picture will have a grainy look to it. For it to be *leaked* like LOTR would involve someone with a screener copy (in this case a DVD sent to the Oscar's panel) releasing the data to the internet.
Before the movie goes to home video another release will occur that will be of much higher quality. (sorry to spoil it for those of you playing along at home)
What I can't figure out is how he would know all 4 of the winners in the first four. Everyone has just glanced over this detail. Saying "he knew the outcome ahead of time" is absurd! Unless the computer they had access to contained a script (this horse wins in the first...) and horse racing is as fake as WWE I'm still left in shock. Now if the guy had someone modify the bets AFTER the races that's another thing all together.
would be interesting to find out who they really are first. The company is hosting out of Salt Lake City but the registration information points to Panama. International law anyone? anyone?
Registrant:
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
Registrar: Dotster (http://www.dotster.com)
Domain Name: FRIENDGREETINGS.COM
Created on: 20-JUL-02
Expires on: 20-JUL-03
Last Updated on: 17-OCT-02
Administrative Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535
Technical Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535
I also found links to 'offshore accounts and email' services registered under his name in different Panamanian web sites.
Panama Offshore Services International, Inc.
Full Service Law Firm with an international presence, specializing in Commercial & Immigration Law. Discount retailer & wholesaler of Corporations, Foundations & Trusts. US$1000 complete package includes Corporation (or Foundation) + Bank Account. English & Spanish speaking staff.
Ave. Ricardo J. Alfaro, Sun Towers, 1st Floor, Office #39, PTY 296, PO Box 0832-2745, WTC, Panama City, Republic of Panama
E-mail: info@pos-inc.com Encrypted Email: posinc@hushmail.com
Tel (Panama): ++(507) 236-8303
Fax (Panama): ++(507) 236-7150
Toll Free Fax / Voicemail: ++(800)-716-3452
to see these results click here.
I've been 'working' for about 10 years now in business that fight to stay alive. We watch the bottom lines and we make cuts when times are tough. I've never heard these things come from the industry of film and music. I understand it's art and that some things that are wonderful to watch cost money. But the salaries that are handed to actors these days are more ridiculous then what sports players make. Entertainment employees have more wealth then most of the world. I think it's a horrible way to distribute power in our country (yes money = power) and I hope it does change. Actors shouldn't make nearly what they make, hell sports players shouldn't either. Want me to go see a movie, make it $5. And I don't mean just one movie, $5 means I get to watch as many movies as I want that day. If that means that the top actor only gets 6 figures then so be it. I watched the dot com bubble burst and all our salaries plummet and to be honest it was probobly a good thing. Too many useless VP's drawing exhorbent salaries just like what we see in the media industry. Let them expierence the economic slump like the rest of us and humble themselves.
I've seen a lot of comments here that say "block the ports". I couldn't agree more. I work at (undisclosed security software vendor) and our vulnerability assessment tool tells administrators to disable this service unless it's absolutely needed. Some applications still use this medium as a way to message certain information (like system wide outages etc) in the same way that the unix 'wall' command does. Anyone who leaves the netBIOS ports open to the world though is just asking for trouble. Earlier the explaination on which ports (135-139 tcp/udp) to block was highly informative but I would say just block all of them from outside connections. I can't think of any examples where it is healthy to keep these open and available. Beyond annoying pop up messages it is possible to enumerate user information via the IPC$ null session bug which is STILL present in default installations of windows machines.
He's was also supposidly convicted at some point and time so he ended up on that side of the line to reduce his sentence. Can't say I blame him, geeks don't fair well in prison.
I don't feel sorry for him in anyway either, he is a paid network hall monitor who snitches on folks trading media. All arguements aside he's a paid fink. He knows there is a price to pay for the position he put himself in. He could have told the judge to stick the gavel where the sun don't shine and served his term. At least he wasn't a whiney brat about it.
Now if he is enjoying a large collection himself (eg viewing his database of child porn and other 'evidence') then he is also a huge hypocrite. And for that he should burn, but aside from that he isn't doing anything considered unethical or in bad taste.
If one wants to enjoy the privledge of illegal media (movies released to the net before the stores) there is a huge price to be paid. Paranoia, scheming and a little adrenaline. Don't like it? Don't download, it's that simple. The game has been going on for as long as I've had my fingers on a keyboard... the stakes have just gotten a lot higher.
ne0
That's something I thought about when I was around 15 or so. I was going to use VIOS (video input output system) to create a material that reads the surrounding area and recreate what an observer should see. Then I read a Gibson book (maybe it was sterling) where a vehicle used the same concept to camoflauge itself from aerial surveilence. My kicker was what happens when someone shines a spot light ON the object or points a laser. Will the system be able to 'forecast' where the light would end up and or shine it back in the even of a laser?? This idea (if patented) will make me puke on the current USPTO system. That or start filing a bunch of patents myself for photon torpedo's, neural network interference devices and anything else I've read in SF novels.
I've been wanting to get into this type of field myself now. Promise copyright thugs the world "I can stop them from copying your precious material" and deliver something that gets cracked in about a day or so. No skin off my back and I just took a couple million off your hands (RIAA/MPAA) to boot. I think we should all start selling schemes to them. Remember it's like telling them " I can make water not wet"... and the unbelievable part is they are stupid enough to believe it.
This is a section of the new reform that explains the actions a user may take if they have been wrongfully DoS'd by the Copyright thugs..
''(A) The affected file trader may file a claim
for such compensation with the Attorney General
17 not later than 1 year after the date on which the
18 claim accrues. The Attorney General shall, not later
19 than 10 days after the claim is filed, serve notice of
20 the claim on the copyright owner against whom the
21 claim is brought, and shall investigate the claim.
They have 10 days to serve them. So I figure if everyone of us who has any type of network related errors starts automatically blaming them we can fill up the paperwork stack and let them choke on it. Sort of a legal DoS. Fuck 'em, they can attack us we can attack them. I don't even use p2p anymore but I think this is a retarded law. Aside from the fact that in a sense they are legalizing hacking.
How far can they go? can they take down my firewall to DoS me? If I'm on a cable node they will end up saturating the subnet and screwing up the bandwidth for everyone. boy ranting is fun...
Let's say for some reason a person writes a worm/virus whatever and it sets up a p2p node on your machine without your notice. Suddenly your getting attacked by some random john q mercenary hacker!
oh wait now THERE is a part of this no one thought about yet. MPAA RIAA has shit for brains and could never do the dirty work themselves. Basically they will have to hire a bunch of black hats to do the work for them. That's practically sanctioned terrorism! Makes me wonder if I should change jobs. I work in the security field now but can't say that I've ever had a job request like that. So Metallica would come to me and say "Hey this is Lars, here's a list of IP's take them down."
I think secretly I like this idea if I could be some weird net-wise Buba Fett. He was always my favorite character in Star Wars. Now it will be Star Warez.
it's no wonder they didn't get any of the other images on the site (which can all be reached by doing a google search).
if they had access why not just rm -f * the web directory??
A lot of the folks here need to read more then the headlines and a few posts before putting in their two cents. Gilmore is opposed to secret rules and regulations for the airlines to enforce via Homeland Security. There are LOTS of reasons one may wish to buy an anonymous ticket and none of them have to do with terrorism OR hurting people. Some folks want to leave town unmolested by ex lovers, spouses, etc. I knew a musican who's bandmate started dating a fairly high profile actress. She went through great pains to go un noticed at an airport. It's her right not to be hounded by fans when she is going to visit some relative by plane.
Gilmore is wealthy and probobly loves anonymity himself. It's his right to maintain that. If he wants to fly somewhere and not disclose who he is then certain restrictions should apply. He doesn't mind that. He submitted to the "more aggresive inspection" of himself and his properties. I'm still not sure why he denied the search of his bag but I would assume he is a stubborn guy when it comes to hand searching bags. The last time I was at an airport I wanted to spit on the girl who was tossing my electronics around while she looked for contraband.
I don't think he has a great chance at winning this either but my support goes out to him for this battle. He is at least using his money to better our world. Not to bilk the rest of us (eg oracle) or just trying to corn hole random women (eg the oracle playboy).
Maybe if more of us were willing to ask the questions that he did things would improve. Instead we have morons (some posted earlier) that don't get the big picture and gripe about it. Next time they ask you for ID question them about it. Politely ask what regulation forces them to check ID's. Politely ask why some over zealous guy is feeling me up in front of a large crowd of people (some armed with machine guns). Ask why.
So I did a little digging and found the names of the sites that they were talking about. Google picked up the cache of the site and decided to see if any of the site is still online. Lo and Behold, Presto Magicko...
http://www.porcamadonna.com/index2f.html
I saw a post attached to this thread somewhere stating ISS surely wouldn't withhold out of spite. In fact they simply don't trust the Apache team (specifically Red Hat).
"It may not be in my customers' best interest to let Red Hat know there is a
security vulnerability," Rouland said. "I don't consider Red Hat a trusted
third party."
How is it they can't trust Red Hat? Aren't they one of the affected vendors? Sounds like a personal issue to me.
Nothing about their motive to release this without notifying the vendor (apache dev team) but sheds light on remotely exploitable aspects of this find.
----------
This vulnerability was originally detected auditing the Apache 2.0 source
tree. Apache 2.0 uses the same function to determine the chunk size, and
has the same vulnerable signed comparison. It is, however, not vulnerable
(by luck?) due to a signed comparison deep within the buffered reading
routines (within core_input_filter).
This issue is no more exploitable or unexploitable on a 32-bit platform than
on a 64-bit platform. Due to the signed comparison, the minimum size passed
to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over
2gb of contiguous stack memory located after the target buffer in memory, a
segmentation fault will be caused. If you understand how the stack is used,
you will understand that this is an impossibility.
Apache on "Win32" is not exploitable due to any "64-bit" addressing issues.
It is easily exploitable due to the nature of structured exception handling
on Windows and the fact that exception handler pointers are stored on the
stack.
If the DoS vulnerability is related to the overflow then the ISS patch will
work to prevent it. The unsigned comparison prevents any stack overflow and
as a result any related DoS issue is prevented. If the DoS issue is
unrelated, then of course the ISS patch will not be of any help.
ISS X-Force
I see your point but Microsoft's IIS dev team and Apache's dev team are two entirely different animals. Respected security firms generally have the courtesy of advising the vendor first and if they don't get a response will release the bug to the public. In this case however it would appear that ISS wanted to get the publicity that NGS software would have received. Here is an excerpt from their post to Bugtraq (referenced in the parent post)
Like ISS obviously did, one of the first things NGSSoftware did after the
eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what
else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted
that the Win32 distribution of Apache was vulnerable.
However, our approach to addressing this problem was/is completely
different. We alerted Oracle, Apahce and CERT.
Our last response from Mark Fox of Apache was that they "have decided that
we need to co-ordinate this issue with CERT so that we can get other vendors
who ship Apache in their OS and projects aheads-up to this issue."
NGSSoftware, of course agreed that this would be the best plan of action as
most people who use the Win32 Apache version do not have a compiler and so
can take steps to protect themselves. They're mostly relying on their apache
'supplier' to produce a patch.
p.s. the point i was making earlier in this post is that I'm not surprised if MS says they will take forever to put out a patch. I would be highly suprised if the Apache team would have said they were going to take 8 weeks to post their fix and not cooperated with the vulnerability finder. What ISS did was plain irresponsible, especially for a security firm that is publically traded.
I posted this as a story earlier...
Turns out the ISS X-Force team doesn't trust the Apache crew to fix what seems to be a very serious exploitable bug in the http code. They just released an advisory to the Bugtraq mailing list here and provided some 'patch code'. The patch code (which attempted to typcast the vulnerable area) doesn't seem to fix the issue.
So in effect there are a bunch of Apache servers out there with a possibly remote exploitable buffer overflow. Was this a big ooops on the part of ISS?
One has to wonder why they didn't go to the Apache team first with this? Rumor has it that ISS feels that Red Hat has burned them (ISS) in the past and since the Apache team has some Red Hat employees they shouldn't be trusted.
Another rumor that has been floating is that the ISS team doesn't consider Apache to be "a vendor" and therefore doesn't need to follow the normal disclosure rules. This sets a pretty bad precedant of not working with vendors just because you don't get along with them. A companies personal pettiness should not be allowed to override the security of a majority of the internets websites. The patch has offically made it into the Apache CVS but again why the hell didn't ISS talk with Apache? I noticed another post by NGGS (referenced in link above) that they already had a CVS number so they appeared to have gone through the proper channels and got 'beat to the punch' by ISS. Sounds like a motive to me....
"The economic losses due to piracy are enormous, and they are felt thought the music value chain. Piracy also nurtures organized crime across the world, and it stunts investment, growth and jobs."
The words just aren't there........`s/thought/through/g; #moron`
oh wait, this just in.
Experts from the JUST_SUBMIT Group, a lying bag of lobbyists, have just released a advisory stating that pirating not only caused 50,000 deaths last year but may cause the Apocolypse.
"We got a communique from their leader, Satan the celestial terrorist, stating that the seventh sign is nigh. We're not real sure what nigh means but we have a team of lawyers ready to bring several law suites against Satan and his company, Hell Inc." stated Hilary Rosen, CEO of the RIAA. "Not only do we have copyrights on "Satan" and "Hell" but most of his deamons appear to operate peer to peer networks. They could face trillions of dollars in damages."
For more information please read this document.
Didn't the entire watermarking effort get flushed after SDMI proved to be ineffective? The 'content protection' scheme was broken in no time by the guys at Princeton if memory serves.
So the music industry will have to subsidize new equipment to push their new technology increasing costs to the consumer in the end. The technology will get broken but they will have created so much momentum that they will continue to use it (like with DVD's) since they can't just recall it.
Foriegn markets will explode since folks like myself (and some readers here i'm sure) will go to Canada, UK, HK, etc get non watermarked equipment. Sales will 'slip' and suddenly pirates will be blamed again.
Coming soon! WaterWhiteOut! With your WWO device you can effectively strip out all broadcast flags and record whatever the fuck you want. only 19.95
New laws will be created to help curb the rampant recording of signals in the air without authorization. 15 years (plus 2MM fine) for recording some new WB teeny bopper show and additional 10 years for uploading it to a server.
It's just a vicsous cycle that we can't seem to break.
thothic