Slashdot Mirror


User: btellier

btellier's activity in the archive.

Stories: 0 · Comments: 222

Comments · 222

  1. Re:Solaris Sparc kernel-level stack protection. on Solaris, AIX Login Hole · · Score: 4, Insightful

    This type of protection is AT BEST a 5 minute detour for anyone who knows what they're doing. All this means is that if you overflow a buffer on the stack you can't return into a buffer on the stack. Meanwhile, this is virtually worthless, particularly in a local exploit, because you can still execute code on the heap. For instance, I overflow the stack on x86 Linux and overwrite EIP to point into the environment variables on the heap. If I've put my shellcode into, say, $HOME it'll execute it without a problem.

    Also this does nothing to prevent heap overflows, which are often just as bad. If you'll remember the recent TSig bug in BIND 8, it exploited an off-by-one heap overflow which would in no way be stopped by this non-exec stack flag. The best prevention I've seen is using so-called "canary" values in between static buffers and saved return addresses, i.e. www.immunix.org
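    The canary half of that comment, as an added illustration that is not Immunix/StackGuard code: a simulated stack frame in which the canary word sits between the local buffer and the saved return address, so a linear overflow that reaches the return address must first clobber the canary, and the function epilogue's check catches it. The frame layout, the copy routine and the inputs are constructed for the demo; the terminator value 0x000aff0d (NUL, LF, CR, EOF) is the StackGuard convention that makes the canary hard to rewrite with string-copy overflows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame in StackGuard order: buffer, then canary, then the
 * saved return address (stand-in for EIP). Constructed for this demo. */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t saved_ret;
};

/* Terminator canary: bytes 0x00, 0x0d, 0xff, 0x0a in memory on little-endian
 * x86, i.e. NUL / CR / 0xff / LF, which strcpy()/gets()-style copies stop on. */
#define TERMINATOR_CANARY 0x000aff0dU

/* Perform an unchecked copy of `len` bytes into the frame's buffer (the
 * bug), then run the epilogue check. Returns 1 if the canary was damaged
 * (overflow detected), 0 if the copy fit. The copy is bounded to the frame
 * so this illustration itself never writes outside `f`. */
int copy_and_check(const unsigned char *src, size_t len, uint32_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary    = TERMINATOR_CANARY;
    f.saved_ret = 0x08048000U;          /* constructed "legitimate" return address */

    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, src, len);   /* buf[] is at offset 0: overflows into canary/ret */

    if (ret_out)
        *ret_out = f.saved_ret;
    return f.canary != TERMINATOR_CANARY;    /* StackGuard-style epilogue check */
}

/* 12 bytes fit in buf[16]: canary intact, return address untouched. */
int demo_fits(void)
{
    unsigned char in[12];
    memset(in, 'A', sizeof in);
    return copy_and_check(in, sizeof in, NULL);
}

/* 24 bytes overrun buf[], the canary and the saved return address. */
int demo_overflows(void)
{
    unsigned char in[24];
    memset(in, 'A', sizeof in);
    return copy_and_check(in, sizeof in, NULL);
}

/* What the saved return address looks like after the 24-byte overflow:
 * 0x41414141, the classic sign of attacker-controlled EIP. */
uint32_t demo_overflow_ret(void)
{
    unsigned char in[24];
    uint32_t ret = 0;
    memset(in, 'A', sizeof in);
    copy_and_check(in, sizeof in, &ret);
    return ret;
}

int main(void)
{
    printf("12-byte input: overflow detected = %d\n", demo_fits());
    printf("24-byte input: overflow detected = %d, saved_ret = 0x%08x\n",
           demo_overflows(), demo_overflow_ret());
    return 0;
}
```

    Note what the check does and does not give you: the return address is still overwritten (0x41414141 above), but the epilogue refuses to return through it. It says nothing about heap overflows, the other case the comment raises, because no canary sits between heap chunks.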

  2. Re:Try this at home (or "not just a threat, also a on Another Gaping Microsoft Security Hole Goes Unpatched · · Score: 1

    Obviously this is less of a security bug and more of an obfuscation of the file type. As always, people are just unable to resist the temptation to open something "in order to have your advice".

  3. Re:Technical Term: Fnord on Another Gaping Microsoft Security Hole Goes Unpatched · · Score: 1

    Enough already with the inane conspiracy theory. Brass tacks, people. First of all, let me clear up that I am a huge supporter of the open source movement and I've been an active member of the UNIX security auditing community (see my URL). But:

    1. OpenBSD is merely a kernel and several small daemons and programs. Microsoft, the company, puts out their core OS, Web servers, browsers, web publishing software, FTP daemons, telnet daemons, NetBIOS daemons, etc., etc. They have much more code to audit.

    2. OpenBSD is more secure than Windows because they don't run as many services. OBSD has had several remote root compromises in the last year, but none of them infringed on their "No remote holes in 3 years" claim because they don't run the daemons by default.

    3. Microsoft doesn't audit their software because *IT ISN'T COST EFFECTIVE YET*. Not until people demand security will MS start doing this. It hasn't happened yet.

    And finally, let's face reality: Anyone who knows what they're doing has firewalls, sniffers, IDSes and vulnerability scanners in place 24 hours a day monitoring incoming traffic to their OSes. Any government agency trying to get into any place worthwhile will be noticed and thwarted within minutes.

  4. Re:$300 Million on The Hype of the Rings · · Score: 3, Insightful

    > They probably expect to recover between a third and half the cost on the first movie (ie $100-150 million)

    I hope you're not implying that the movie will make only $150 million. There's as much hype around this movie as there was for Episode 1, and the reviews are actually good! Even if the movie was a total stinker it would take $200M, which it isn't, so one can expect the total revenue for the movie to hit at least $300M. When you consider that Episode 1 made something like $450M it isn't ridiculous to see a figure like that.

    > Straight to video

    Straight to video is impossible. According to interviews with New Line execs, theatres which want to show LOTR: Fellowship of the Ring MUST purchase all three installments and show them for a minimum of six weeks.

    > I expect "Fellowship of the Ring" to do quite well, "Two Towers" to do a little less well, and "Return of the King" to do better than "Fellowship".

    Any particular reason you say this? I found Two Towers to be my favorite installment of the trilogy. The action was always non-stop, the ending is absolutely epic (but I won't spoil it) and the potential for great CGI abounds. If anything I'd say that this first installment will gross the least, if for no other reason than Fellowship was my least favorite volume.

  5. Re:Feh! on Japan to Allow Human-Nonhuman Mixed Cloning · · Score: 1

    >If God hadn't meant us to fly, He wouldn't have given us big fucking brains!

    IANAJF (I Am Not A Jesus Freak), nor do I believe in anything supernatural, but I find comments like this to be seriously lacking in thought. It's like saying "If God hadn't meant us to blow up the world with nukes he wouldn't have given us big fucking brains". Just because you can doesn't mean you should.

    I should note that I fully support genetic experimentation on the off chance Britney Spears will be crossed with Jenna Jameson.

  6. Re:Goodie on Review of the Handspring Treo · · Score: 0, Offtopic

    Oooohhh.. sounds like someone is jealous of us Greenwichites. You're probably from Norwalk or some other godforsaken cesspool of lower-middle class scum like yourself. Besides, we put all our cell phone towers in Stamford, but our multi-million dollar 10 story mansions block all transmissions due to the high concentration of precious metals within.

  7. Re:This is NOT a gaping loophole on McAfee Will Ignore FBI Spyware · · Score: 1

    OK, let's review what you're saying: You think that every virus, be it .com/.exe or whatever, is identified by taking a simple MD5 hash of that file and adding into some database? Wrong! If this were the case McAfee would be stymied every time someone changed a single byte in the file. So I could take any random virus exe and hex-edit the "J00 4R3 0WN3D" to "Y00 4R3 0WN3D" and McAfee wouldn't pick it up.

    Don't think so, bud.. many viruses self-modify themselves during propagation to change things like IP addresses that they report back to. McAfee picks (some) of these changes up. Whatever it is that Magic Lantern does it is probably going to have some kind of IP address field in it, either that it reports to or that it lets connect to it. A person with enough IDA experience will easily be able to change this field to slip it through McAfee.
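    The difference the comment draws, as an added example (not McAfee's engine, not any real virus): an exact-hash lookup misses a sample as soon as one byte of its IP-address field changes, while a masked byte-pattern signature that wildcards that field still fires and still rejects an unrelated file. The sample bytes, field offset and the FNV-1a stand-in for the MD5 lookup are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a small malicious binary: six fixed code bytes,
 * a 15-byte field holding the dotted-quad it reports back to, then two
 * fixed code bytes. The "variant" differs only in the IP field. */
#define FIELD_OFF 6
#define FIELD_LEN 15

static const unsigned char SAMPLE_ORIG[] =
    "\x55\x89\xe5\x83\xec\x10" "192.168.1.10\0\0\0" "\xc9\xc3";
static const unsigned char SAMPLE_VARIANT[] =
    "\x55\x89\xe5\x83\xec\x10" "10.0.0.250\0\0\0\0\0" "\xc9\xc3";
/* Same prologue and IP field, different epilogue: must NOT match. */
static const unsigned char SAMPLE_CLEAN[] =
    "\x55\x89\xe5\x83\xec\x10" "192.168.1.10\0\0\0" "\x5d\xc3";
#define SAMPLE_LEN (sizeof SAMPLE_ORIG - 1)

/* FNV-1a 32-bit: a stand-in for the MD5-of-the-whole-file lookup the
 * comment argues against. Any whole-file hash behaves the same way. */
uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Hash-based detection: exact match against one known-bad digest. */
int hash_scan(const unsigned char *file, size_t n)
{
    return fnv1a(file, n) == fnv1a(SAMPLE_ORIG, SAMPLE_LEN);
}

/* Masked byte signature: mask 0xff = byte must match, 0x00 = don't care. */
struct sig {
    unsigned char bytes[32];
    unsigned char mask[32];
    size_t len;
};

static void make_sig(struct sig *s)
{
    memcpy(s->bytes, SAMPLE_ORIG, SAMPLE_LEN);
    memset(s->mask, 0xff, SAMPLE_LEN);
    memset(s->mask + FIELD_OFF, 0x00, FIELD_LEN);   /* wildcard the IP field */
    s->len = SAMPLE_LEN;
}

/* Slide the signature over the file; a window matches when every byte
 * differs from the signature only in masked-out bits. */
int sig_match(const unsigned char *file, size_t n, const struct sig *s)
{
    if (n < s->len)
        return 0;
    for (size_t off = 0; off + s->len <= n; off++) {
        size_t i;
        for (i = 0; i < s->len; i++)
            if ((file[off + i] ^ s->bytes[i]) & s->mask[i])
                break;
        if (i == s->len)
            return 1;
    }
    return 0;
}

int sig_scan(const unsigned char *file, size_t n)
{
    struct sig s;
    make_sig(&s);
    return sig_match(file, n, &s);
}

int main(void)
{
    printf("hash: orig=%d variant=%d clean=%d\n",
           hash_scan(SAMPLE_ORIG, SAMPLE_LEN),
           hash_scan(SAMPLE_VARIANT, SAMPLE_LEN),
           hash_scan(SAMPLE_CLEAN, SAMPLE_LEN));
    printf("sig:  orig=%d variant=%d clean=%d\n",
           sig_scan(SAMPLE_ORIG, SAMPLE_LEN),
           sig_scan(SAMPLE_VARIANT, SAMPLE_LEN),
           sig_scan(SAMPLE_CLEAN, SAMPLE_LEN));
    return 0;
}
```

    The flip side, which the comment also gets at: someone who can find the unmasked bytes (the "J00 4R3 0WN3D" string, or the code around the field) and change those instead slips past this signature too, which is why real engines layer several techniques rather than relying on one pattern.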

  8. Re:ICQ? on New Nokia Phone · · Score: 1

    I know this is supposed to be a +1, Funny but this is probably the same thing that people said about AIM on the computer. "Why not just pick up the phone and call?". The answer, as with most things that are popular amongst college students, is that it's cheaper (or free) to message someone than it is to call.

  9. Re:Hydrogen for free on The (Possible) Future of Alternative Energy · · Score: 2, Interesting

    > This is an excellent idea, just as solar power was or wind power, but can someone please tell us why this didn't work?

    When a company comes out with a new plan to solve the world's energy problems the rational person always asks "So why hasn't it been done?". Barring OPEC conspiracy theorists, I refuse to believe that if this was valid it wouldn't have been done already. In fact, if it were possible the first people to jump on the bandwagon would be the people who already have the oil rigs in place.. i.e. the oil companies themselves.

  10. Re:Very Useful on One-Machine Linux Cluster · · Score: 2, Informative

    > What I hate is having to run some third party app for a client (even in a Linux environment) that *might* affect the whole machine.

    If this is your problem you're not running the right apps. For modern production machines the problem is usually running Exchange/Sendmail instead of Qmail or MSDNS instead of DJBDNS (OK, maybe I'm partial to DJ Bernstein's apps). The only thing you might overload on is web servers, and if you're running Apache you've got such good code behind you that your CPU is probably the bottleneck.

    The answer for production servers is not "separation between clients" but rather choosing apps which are efficient. Name any app likely to be run on a high traffic machine and I can give you a specific UN*X app which will do it with very little waste.

  11. Re:This may not be as bad as it sounds on Drive-By Hacking in London · · Score: 1

    You have GOT to be kidding me. Let's see what's going on at fleabag.com:

    1. PHB visits from Silicon Valley and uses wireless connection to access internet with no encryption.

    2. Hacker uses wireless internet connection, starts sniffing.

    3. PHB checks email, maybe through POP3, unencrypted.

    4. Hacker logs into corporate network with PHB's email password (you know it's the same)

    5. phb@internal$ echo "Due to massive internal stupidity we've decided to lay off our security staff. Please collect your MCSE's and leave by the end of the day" | mail security@fleabag.com
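    Step 3 of that scenario, as an added example that is not part of the comment: what the sniffer in step 2 actually sees when the mail client logs in with plain USER/PASS over an unencrypted link. The capture below is a constructed client-to-server POP3 stream (the account name and password are made up); the extractor walks it line by line and pulls the credentials out exactly as an attacker on the same wireless segment would.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CRED 128

struct pop3_creds {
    char user[MAX_CRED];
    char pass[MAX_CRED];
};

/* Constructed capture: the client->server half of a POP3 session as a
 * sniffer would reassemble it. Nothing here is encrypted. */
static const char CAPTURE_CLIENT[] =
    "USER phb@fleabag.com\r\n"
    "PASS Tr0ub4dor\r\n"
    "STAT\r\n"
    "QUIT\r\n";

/* Case-insensitive prefix test; stops at the first mismatch, so it never
 * reads past the terminating NUL of `s`. POP3 commands are case-insensitive. */
static int prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copy one command argument, up to CR/LF, into out (always NUL-terminated). */
static void copy_arg(const char *p, char *out, size_t outsz)
{
    size_t i = 0;
    while (p[i] && p[i] != '\r' && p[i] != '\n' && i < outsz - 1) {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
}

/* Walk the client stream one line at a time. Returns 1 when both a USER
 * and a PASS command were seen in the clear; the values land in *out. */
int pop3_extract_creds(const char *stream, struct pop3_creds *out)
{
    int have_user = 0, have_pass = 0;
    const char *line = stream;

    out->user[0] = out->pass[0] = '\0';
    while (*line) {
        if (prefix_ci(line, "USER ")) {
            copy_arg(line + 5, out->user, sizeof out->user);
            have_user = 1;
        } else if (prefix_ci(line, "PASS ")) {
            copy_arg(line + 5, out->pass, sizeof out->pass);
            have_pass = 1;
        }
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return have_user && have_pass;
}

/* Convenience wrappers over the constructed capture. */
static struct pop3_creds demo_creds;

int demo_found(void)
{
    return pop3_extract_creds(CAPTURE_CLIENT, &demo_creds);
}

const char *demo_user(void) { demo_found(); return demo_creds.user; }
const char *demo_pass(void) { demo_found(); return demo_creds.pass; }

int main(void)
{
    if (demo_found())
        printf("captured POP3 login: user=%s pass=%s\n", demo_user(), demo_pass());
    else
        printf("no cleartext USER/PASS in stream\n");
    return 0;
}
```

    The fix is on the protocol side, not the sniffer side: a client that issues STLS (RFC 2595) before USER, connects to POP3S on port 995, or authenticates with APOP's challenge-response sends nothing this extractor can read. Step 4 of the scenario is the reason it matters even when mail is worthless: the same password opens the corporate login.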

  12. Re:Slashdot's Missed Opportunities on Slashdot Updates · · Score: 1

    Can you imagine the backlash from the Slashdot community if they came out with a pay service? They post stories all day long about the evils of closed-source money-grubbing enterprises. If they actually tried to charge people for some of their services they'd be crucified.

    In my opinion, Slashdot is doing the right thing by not going the way of the Internet portal. Not only is the entire idea flawed (just look at Yahoo's stock price), but the creators have never been about the Almighty Dollar. They want to get interesting stories out to the geeks who find them useful. We trust Slashdot to provide the unadulterated news because they're NOT some corporate entity who is only in it for the money.

  13. Re:Give me some targeted marketing on Slashdot Updates · · Score: 1

    The people who post the ads are trying to introduce us to things that we haven't seen before or might not know about. If we are able to mod out the things we don't think we need we're not going to see anything new. Most of the people who come to this site are informed enough to look on their buying site of choice to find the latest and greatest gadget that they're interested in. Click-throughs are mostly generated when someone sees something that is unique.. which you won't get if you only select /. ads that you're familiar with.

  14. Re:Somebody explain something to me on The Constitution in Wartime · · Score: 1

    >We were attacked by people who have never claimed responsibility. It is possible that all who were involved perished in the crashes.

    Good lord I love this argument. It's the easiest argument of all to dispute. The people who were on those planes have long histories which the US can trace back many years. During that time many of them were attending flight school and praying for the rest of the time. Where's the money to spend $30,000 on that coming from? The United States Government traced back these funds to other followers and soldiers of Osama bin Laden's army.

    In addition, many of the people involved in the hijackings have been seen meeting three or four times with Taliban and Osama officials to discuss plans unknown. They've also been observed talking to Iraqi agents as well as dozens of others from Afghanistan and surrounding nations.

    Anyone who doesn't think this is a multi-faceted conspiracy is seriously deluding themselves.

    I would love to hear YOUR plan for stopping further acts of terrorism. Perhaps you're on the boat of people who believe that "if we had only given guns to the pilots this would never have happened". Perhaps you believe that if we simply withdraw all US presence (military, government, financial, tourist) in all Arab countries this will stop. Forget it. A man as obviously insane as Osama Bin Laden NEEDS an enemy. He NEEDS to have a Jihad just like Hitler needed someone to blame. No matter what the US and the rest of the world does it would never be enough. He will find an enemy.

    Why wait?

  15. Re:This is awesome! on Mandrake Linux Gamer Edition · · Score: 2, Insightful

    Forget it, man.. It's a noble effort but until the software companies start actually dual-developing Linux games and releasing them SIMULTANEOUSLY with the windows distro this will never happen. If simultaneous dual platform development was ever going to happen it would've happened with the Mac 5 years ago. Macs still have a bigger marketshare on the PC than Linux, but game companies refuse to take the extra expense to do the ports for them.

    Linux has its use with the person who wants total control over his OS, not with the person who needs the latest/greatest games. Until Linux gets a >10% market share on the home PC market we're not going to progress any further on the games front.

  16. Re:Suggestions on Listen To Woz, And Perhaps Type Madly · · Score: 1

    The Wreck-A-Nice-Beach programs of today can't keep up with the hip jive of today's hep modern computer cats like Woz 'n' the Funky Bunch.

  17. Re:Plea to Intel... on Intel kills Consumer Electronics · · Score: 2, Insightful

    Normally when companies say that they are "phasing out" or "discontinuing" a product line they are really just looking for a buyer. Most companies can't afford to do their own R&D on things like digital camera lines but might be able to buy it off an ailing division like Intel's CED.

  18. Re:Oooops! on VIA to Create Pentium 4 'Clone' · · Score: 1

    Much the way MS DRM v2 has been cracked, scientists have broken God's law of the speed of light. Let's just hope he doesn't get his unholy lawyers on their ass.

  19. Re:This is an illogical use of resources on VIA to Create Pentium 4 'Clone' · · Score: 2, Insightful

    Because no one is going to buy some small-time shop's processor unless they say that it's just like the Pentium IV but without the fancy hologram.

  20. Re:Some other examples to consider on Gilmore Commission Recommends Secret 'Cyber Court' · · Score: 1

    > Well, this might not kill 7,000 people but doing all of them at once to a chlorine plant could.

    Except that now it isn't computer hacking, it's murder with all the normal penalties. Perhaps it's not 1st degree murder if the person didn't necessarily know that it was going to happen, but any court would convict on at least manslaughter. The point of this bill is to make the act of hax0ring punishable (in the case of Big Company Lawyers, naturally).

  21. Re:Two good points, actually. on Gilmore Commission Recommends Secret 'Cyber Court' · · Score: 1

    > 2. Of course FISA is secret. Of course, if this court deals with network surveillance it should be, too. There isn't much of a point in tipping off a suspect by telling them that they're under surveillance.

    You missed the point, as many people have today. In any FBI/local PD investigation they never tip off the subject that they're being tapped. The point of this law is that they don't necessarily have to have probable cause to originally install the tap.

    They merely have to have some gut feeling that you're doing something bad to begin electronic surveillance. If it turns out that you are doing something bad, they can go to the courts later and say "See? We knew he was doing something but just couldn't prove it without the tap." Under the current system they have to have probable cause with conventional means proved to a judge to get the tap.

    This bill gives the FBI the power to cut out the legal system and act like cowboys.

  22. how long until on Gilmore Commission Recommends Secret 'Cyber Court' · · Score: 1
    we see some 14 year old nerd's sinister 8th grade picture on the cover of the Washington Post with the caption: WANTED DEAD OR ALIVE? This has gotten absolutely out of hand. I'm all for strict sentences, but they should be carried out in the same manner that things like fraud, B&E and vandalism are.

    "I think hackers should also be considered terrorists and sentences that hackers get should be in line with terrorist sentences,"

    Are they *insane*? At least they could clarify this with "who are trying to steal US nuclear secrets" or something.

  23. Re:Easy... on Microsoft Blames the Messengers · · Score: 1

    OK, suppose I'm just Some Guy who has a little website on his home computer and can't afford a commercial IDS. I want to write one myself and include the latest IIS vulnerability. When I read the post which merely lists the consequences of the vulnerability I've got nothing to write.

    OK, so I set up my sniffer and wait for the exploit attempts to roll in. I finally capture one and program my IDS to catch it. Ah crap, here comes another one that exploits the same vulnerability in a different way. Damn, it sure sucks that I didn't get full disclosure in that post.. otherwise I could've inferred several different methods of exploitation and perhaps caught them all. But oh well, at least some lazy sysadmins didn't have to patch their systems for a couple hours while the blackhats coded up sploits.

  24. Re:To prevent attacks, you must think like attacke on Microsoft Blames the Messengers · · Score: 1

    Exactly. The patches are the problem, not the exploits. If Scott Culp really wants to plead with the security community about the way they do their work he should be telling people to tell them first so they can get a patch out.

    Unfortunately, if they know you're also not going to be releasing any details in your advisory they'll just sit on your hole for months and work on the new version of Mr. Annoying Paper Clip Guy.

  25. Re:Well, it IS a two way street. on Microsoft Blames the Messengers · · Score: 4, Informative

    Back when I did audits in my spare time I followed a specific set of guidelines.

    1. always notify the vendor first.
    2. always wait 2 weeks for a patch.
    3. don't release on weekends or very late at night (sorry, other side of the globe.. I'm in the US)
    4. always supply an exploit, if one is possible.

    And even with all this in place sysadmins still wouldn't patch the problem until they got hacked. If someone doesn't patch their system after all of these steps nothing can make them.

    Scott Culp seems to think that the number of hacks will go down solely by eliminating #4, while in actuality the other 3 steps are the ones which get more boxes hacked. With your average buffer overflow thousands of hackers could write an exploit within maybe two or three hours of seeing a bugtraq post. Not notifying the vendor can cause havoc for weeks before a patch is issued.