Slashdot Mirror


User: Dr. A. van Code

Dr. A. van Code's activity in the archive.

Stories: 0
Comments: 53

Comments · 53

  1. Re:There are Always Inside Jobs on Bush Wants an Unhackable Private Network · · Score: 1

    Limit access to the highest officials? Think about that for a second. Now, do you think that would improve security, or degrade security?

    If the concern is DDoS attacks, a more general solution is needed anyway for the business world. If the concern is privacy, a VPN over the public Internet, using top-flight encryption, is probably both cheaper and better than a private network. And if the danger is social engineering then the only solution is to get brighter users, a problem that remains unsolved so far.

  2. Re:Useful in schools on Convert Movies From R to PG13 to PG On The Fly · · Score: 1

    At school, aged... 13, we were watching movies in English class with Tits and Bums in them. It was most amusing for us young chaps! Generally they were Shakespeare works, one Lady McBeth stands out in my mind.. mmmm... naked literary babes.

    Too bad you were so entranced by the tits and bums that you didn't learn that it's Macbeth.

    I do think there may be some use for this, but I wonder whether the config file format will be published so that anyone can make up their own config files. Y'know, fast forward over the boring scenes and cut to the chase.

  3. Re:If only google would... on AltaVista Can't Keep Up · · Score: 1

    [S]earching on Alta Vista ... gets me over 80 hits, the last 40 of which have NOTHING to do with my search at all....

    How did the first 40 hits do? How about the first 10? I ran that search on google and the first hit was to the jargon file entry and the next few were all about ... well, they were about Signetics write-only memory. The sixth result had jpegs of the original data sheets.

    When the search turns up good results, who cares if there are some bad results far down the list?

  4. Re:Fraud?? on ATI Drivers Geared For Quake 3? · · Score: 1

    I guarantee that there is no claim about image quality, nor even one about frame rates.

    The tech specs for the card claim that it can do hardware mip-mapping, but sometimes when an application requests it, the card simply doesn't perform. The specs claim that the card can handle textures of a certain resolution and bit depth, but sometimes when an application gives it such textures, apparently it scales them down.

    Which other ATI Radeon 8500 features don't work as advertised when playing Quake 3 Arena? The hardware anti-aliasing? The bi- and tri-linear filtering? The specular highlights, fog effects, reflections, LOD biasing?

    Check the link above if you don't believe that they advertise that their product provides all those features and more. Then take a look at the images that others have posted links to and tell me that Radeon 8500 users are getting what they paid for.

    Is ATI guilty of fraud? Definitely.

  5. Re:How do I tell if my machine is cracked? on CERT Finds Routers Increasingly Being Cracked · · Score: 3, Insightful

    Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...

    An integrity checker such as Tripwire is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.

    The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.

    In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.

    As I'm sure you know, such clueful sysadmins are in short supply.

    Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.

    For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
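
The baseline-and-compare idea from the comment above, as an added example that is not part of the original comment and is not Tripwire's code. It uses SHA-256 in place of the SHA-1 and MD5 the comment names; the function names, the `VOLATILE` exclusion list and the sample files are assumptions constructed for the illustration. In real use the baseline must be stored where an intruder on the monitored host cannot rewrite it.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Assumption: files matching these patterns change in normal operation.
VOLATILE = ["*.log"]

def file_digest(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, volatile=VOLATILE):
    """Map relative path -> digest for every non-volatile file under root."""
    result = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or any(fnmatch.fnmatch(rel, p) for p in volatile):
            continue
        result[rel] = file_digest(path)
    return result

def compare(baseline, current):
    """Report paths whose digest changed, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample tree: baseline, simulated changes, comparison."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        write("etc/passwd", b"root:x:0:0\n")
        write("bin/login", b"original binary\n")
        write("var/messages.log", b"boot\n")
        baseline = snapshot(root)
        write("bin/login", b"patched binary\n")      # unexpected change
        write("var/messages.log", b"boot\nlogin\n")  # normal change, excluded
        write("bin/extra", b"new file\n")            # unexpected new file
        Path(root, "etc/passwd").unlink()            # unexpected removal
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The log file changes between the two snapshots but is not reported, which is the distinction between permitted changes and suspicious ones that the comment describes.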

  6. Article on SecurityFocus on CERT Finds Routers Increasingly Being Cracked · · Score: 4, Informative

    The volume of noise a router could generate absolutely dwarfs what a computer could do.

    Of course, a router is a computer.

    I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

    SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

    "What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

    "If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

  7. Re:Some contradiction here? on Slashdot Updates · · Score: 1, Interesting

    You err in assuming that the alternative to anonymity is total loss of privacy. Most slashdotters are pseudonymous, like yourself. All I know about you is that you are a "Software consultant in the Boston area." (mongeese.org wouldn't resolve.) And you freely chose to reveal that information. Also, I can see a list of recent comments you've posted, how they were scored, and I can even click through to see what you wrote, if I'm so inclined.

    The advantage of pseudonyms is that they protect privacy while still allowing a writer to build a reputation -- whether good or bad. And that allows readers to make informed decisions about whose words they want to read, and what biases those authors may have.

    Even if a slashdotter wanted to make some comments and not have them associated with previous comments from the same nym (perhaps they had revealed in the past that they are employed writing video drivers for OmniMegaView video cards, and now they want to blow the whistle on OmniMegaView's treatment of its gay employees), an easy option is open to them. Simply create two (or more) user accounts.

    Use one nym for posting work-related or technical material, another for comments that might be embarrassing in some way, and a third for flaming the trolls back to the stone age. Readers would have no way of knowing that the nyms all represented the same person in real life.

    "On Slashdot, nobody knows you're really CowboyNeal."

    I think, though, that it would be better to increase the penalty for AC's, rather than set them to -1. If one could, say, hit them with an extra -2 penalty, that would still let those rare AC comments that had been strongly modded up pass through. In any case, this would only be an option -- if you object to it so strongly, don't turn it on.

    P.S. The plural of mongoose is polygoose. ;-)

  8. Re:Government doing nothing???? on Poll Says Most Americans Favor Crypto Backdoors · · Score: 1
    That could only work in a country that had a wide-spread, effective and well-funded mass transit system, which the United States lacks for the most part.

    On the topic at hand, I do have hope that the back door policies will be defeated. Strong crypto is a good way to communicate without the authorities eavesdropping on you, but an even better way is talking in person in a cave in Afghanistan.

    Allowing freedom to be curtailed by these events would be a concession that the terrorists had beaten us, after all.

    O beautiful for heroes proved
    In liberating strife
    Who more than self their country loved
    And mercy more than life

  9. Re:It ain't the money. on Scientific Elites vs. Illiterates · · Score: 1

    Is that with the lower cost of living in Iowa as compared with, say, New York factored in? Or is that based on the raw numbers?

  10. Re:This looks big time on Code Red II: Shells for the Taking · · Score: 1
    "One guy posted to the DShield.org mailing list that he installed IIS Win2k from scratch. To be safe, he had his server disconnected from the Net, but had to connect it to download the patches," Ullrich said. "During the 45 seconds it took him to download the patches he was infected."

    Excuse me? If he knew of the danger, WHY THE HELL did he have IIS running when he connected to the net to get the patches?? Did he think he needed the web _server_ running in order to use the web _browser_??

  11. Re:File download script on Code Red II: Shells for the Taking · · Score: 1
    One thing you're missing, though, is that the people who are still infected by this thing are people who aren't paying any attention to what is going on. Not watching the news and/or don't even know that they're running IIS.

    Therefore, you couldn't get in trouble for fixing their machines without their permission because they'd never even realize you had done so!

    Cheers!

  12. Re:Microsoft Internet Pollution - My Server Log! on Code Red II: Shells for the Taking · · Score: 1
    A glance at it shows that most of the hits are from Code Red III (XXXX rather than NNNN), the one that also tries to subvert cmd.exe and crack a shell. You should grep -c your logs for X's and N's; I'd be very interested in seeing what the relative frequency is of the variants.

  13. Re:Doing your job on Sklyarov Released On $50,000 Bail · · Score: 1
    Except, he wasn't selling anything to anyone, anywhere, using any payment system.

    Elcomsoft, Ltd. was selling it.

    At least under U.S. corporate law, a corporation provides a shield against civil litigation directed at the people in the organization. You can't sue the individuals, only the corporation as a whole (I think there's an exception for the officers of the corporation, and there are almost certainly other exceptions).

    Of course, this is a criminal case, but it seems strange that the president of Elcomsoft (who was present at the convention) wasn't also arrested, or arrested *instead of* Sklyarov. Surely he's more directly to blame for the selling of this technology.

    By arresting Dmitri, the focus is on writing the code rather than selling the code. There seems to be a message there for the open source community, that their code will be subject to DMCA as much as any commercial code would.

  14. Re:What for? on Sklyarov Released On $50,000 Bail · · Score: 1
    For breaking our laws? Oh, that's right, this is slashdot, breaking laws you find inconvenient is OK.

    There's a serious question as to whether he has broken any U.S. laws while in U.S. jurisdiction. The DMCA isn't the law in Russia. How would you react if you, say, travelled to Afghanistan and were arrested for actions you had performed in violation of Afghani law prior to your trip?

    U.S. citizens need to realize that we are not the only nation on Earth, and those other sovereign states have as much right to their laws as we do to ours.

  15. Re:Sun reaps what they sow on Dan Gillmor on WinXP · · Score: 1
    The Microsoft license on Java 1.1.4 lasts until 2008, so Sun cannot revoke it "at any time". And, of course, Microsoft is free to bundle a third party JVM, or even Sun's JVM. They just can't produce their own that conforms at any level above 1.1.4.

  16. Annoying twangy sound on Help Test Exciting All-New Slashdot "Banjo" · · Score: 5, Funny
    You could implement primitive load balancing by creating banjo2.slashdot.org, but that one would also quickly get /.ed, and then we'd have...

    Dueling Banjos!!!

    (Hmm. New Slashcode? Could Slashdot *get* any better??)

  17. Re:I don't know about you on Code Red Goes The Way Of Y2K · · Score: 1
    by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it never did.

    Perhaps I'm misunderstanding (or misunderestimating? :) your point here, but I don't think the issue with clocks is that the worm will "reawaken", but rather that on some machines with significantly slow clocks (a couple weeks slow) which still think the date is around the middle of July, the worm is still in spread mode.

    On such a machine, the worm never switched to attack mode, and then went dormant, but is still scanning IPs, looking for hosts to infect.

    In any case, the reports that people are being scanned show that, one way or another, there are active copies of Code Red out there. And they've got almost three weeks to spread before switching into flood mode.

    (On re-reading your article, I think I'm just agreeing with you. I think. Anyway, I wanted to clarify the bit about the clocks.)

  18. Re:It's only just started! on Code Red Goes The Way Of Y2K · · Score: 1
    From what I've read, it's the first 134k.
    134 * 1024 = 137,216 bytes.

    It should be easy enough to strip with dd:

    dd if=infected.doc.pif of=disinfected.doc bs=1k skip=134

    Let us know if you find anything interesting.

  19. Re:Misunderstanding of the behavior of the worm... on Code Red Goes The Way Of Y2K · · Score: 1
    It checks for c:\notworm but it does not create such a file, at least according to eEye (I only read the summary, not the complete disassembly, but they made no mention of it creating the file).

    So the lysine deficiency isn't going to result in previously-infected systems becoming immune.

    It's funny, though, that no one has advised creating such a file as a quick fix to slow the spread of Code Red. (Of course, it's better to install the patch and/or disable the index server entirely.)

  20. The Story of Mel on World's Worst Dog'n'Pony Shows · · Score: 1
    One of the greatest stories about rigged demos is The Story of Mel from the Jargon File. Mel Kaye wrote a blackjack program to demo the Royal McBee LGP-30, but he didn't appreciate it when he was asked to modify it so that the program would cheat....

  21. Re:Code Red Sci-Am article on Code Red! All Hands to Battle Stations! · · Score: 1
    This isn't the first time Meinel has socially engineered her way into Sci Am. They had an issue devoted to security a couple of years ago, and in addition to people like (if memory serves) Matt Blaze and Bruce Schneier, they had an article filled with her drivel.

    You would think Scientific American would have learned from that experience (I imagine they got a fair amount of negative feedback from it), but apparently they didn't.


    Well a friend of a friend of a friend told me

  22. Re:haha ha slashdot readers are dumb on Confidentiality on Virus Sent Docs? · · Score: 1
    The intelligence of a group of people is equal to the IQ of the dumbest member of the group, divided by the number of people in the group.


    Well a friend of a friend of a friend told me

  23. Re:An analogy... on Confidentiality on Virus Sent Docs? · · Score: 1
    At the risk of being moderated offtopic...

    Under Jewish law ... you must return a lost object if it has a distinguishing mark, it has not been abandoned by its owner, and it has value.

    That reminds me of a news story I saw recently on one of the news magazine shows, about how the major airlines do a lousy job at finding and returning lost baggage. And there's a business down in Alabama that buys lost luggage from the airlines (after it's been lost for a certain amount of time, and the airlines have given up hope of returning it) and sells the contents.

    Even if some of the contents are identifiable (say, a ring with an inscription), once the bags have been sold to the unclaimed baggage center your only recourse would be to buy the item back. Even if you could show that the item belonged to you, your pleas would fall on deaf ears.

    Another fine example of corporate ethics.


    Well a friend of a friend of a friend told me

  24. Re:won't somebody think of the children? on Prevailing Against Michigan Censorship · · Score: 1
    I don't believe that for a second. If this guy had been drunk and disorderly, that certainly would have been mentioned in the news reports, if not included in the charges against him.

    Since it wasn't, I think it's safe to assume that he wasn't. By the way, what if anything did the authorities do about the case you cite? Maybe they ignore real problems like those to focus on insignifica?

    Makes me proud to be from Michigan. Not.

    Dave Conrad aka Dr. A. van Code
    Well a friend of a friend of a friend told me

  25. Re:Solar eclipse over the web on Total Solar Eclipse · · Score: 1
    Also, drink some impure water to contract amoebic dysentery to get the full "I went to Zambia to see the eclipse and all I got was this life-threatening case of diarrhea" experience.

    Dave Conrad aka Dr. A. van Code
    Well a friend of a friend of a friend told me