Milpitas, CA 4/3/2002
Following the leadership steps recently left behind by such visionaries as Steve Christey of MITRE, Chris Wysopal of @stake, Inc. and Jon Lasser of SecurityFocus, thrillbert of Slashdot fame today introduced an initiative that could have far-reaching effects on the slashdot community. The Anti-Troll-Multiplicity Initiative (ATMi) is aimed at minimizing the size and number of troll posts allowed on slashdot.
"It's ridiculous! I have to go through at least 80 troll posts to get to the +5, Funny posts," remarked thrillbert. "This new draft would give all trolls guidelines they would be required to adhere to, or suffer being called Uncooperative Trolls."
When we contacted CmdrTaco, he was quoted as saying "umm.. heh.. heh.. I dunno". No other slashdot representative was available for comment at this time.
---
Ever found something in other than the last place you looked???
Can we be really sure that they are really running IIS on Win* now?
It's down.. what more proof do you need that it truly is an IIS server on Win?
If these companies really think that everyone is stupid and will never figure it out.
I mean, sure, if you're running AOL there's a pretty good chance you're not exactly the sharpest tool in the shed. But to design software, which grabs so much information and sends it to central servers, and think that no one out there will figure it out, it seems to me they are the ones a few french fries short of a happy meal(tm).
---
I'm a few morsels short of a toll-house cookie myself...
That realizes that the security community (meaning bug hunters and researchers) provide their services, for the most part, free of charge.
In my book, this is considered a favor.
So now there's a draft which is going to tell me how to properly do this favor for them or else I am a 4$$hole?
So if you do me the favor of watching my dog, and I turn around and tell you that you need to watch my dog in my house, that the dog needs to remain in my garage, and that you need to remain in there to make sure he does not eat anything which may make him ill. And on top of that I tell you that you cannot wear anything blue/black/red/white because it makes my dog nervous, and that you MUST play with him for at least 45 minutes. And only feed him the special mixture of dogfood/yogurt served in the yellow Tweety Bird bowl which you will have to wash at every feeding.
Or of course, I could just be grateful that you informed me of a vulnerability in my software, and grateful that you are watching my dog.
(Score: -1 Ranting)
Yeah.. sorry about that, I was looking elsewhere when I left the tcp portion in there. I meant to change it to /any/.
:-}
Thanks!
Why does a vulnerability need to be discovered for people to realize that allowing any type of services (telnet, tftp, snmp or http) from outside your internal network to your router is outright stupid?
And in the case of an ISP, they should know their IP addresses and what addresses they use for internal machines, so creating simple Access Control Lists in their routers to deny all snmp from everywhere except their own internal machines should be as common sense as One leg at a time when putting your pants on while standing up.
access-list 161 permit tcp 192.168.148.0 0.255.255.255 any eq 161
access-list 161 deny tcp any any eq 161
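To check what those two lines actually do, here is an added Python evaluator of IOS extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end); it is not from the comment or from any Cisco tool. It also applies the correction the poster gives elsewhere on this page, that the protocol should not have been tcp: SNMP is UDP/161, and since IOS only accepts eq with tcp or udp, the corrected lines are written here with udp (an assumption). The router address is made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

AddrSpec = Union[str, Tuple[str, str]]  # "any" or (address, wildcard mask)

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (the IOS keyword for any protocol)
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq N"; None means any port

def _parse_addr(tokens, i):
    # Returns (AddrSpec, index of the next unread token).
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_rule(line: str) -> Rule:
    # "access-list N permit|deny PROTO SRC [WILDCARD] DST [WILDCARD] [eq PORT]"
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(t[2], t[3], src, dst, dport)

def _addr_match(spec: AddrSpec, ip: str) -> bool:
    if spec == "any":
        return True
    base, wildcard = spec
    # Cisco wildcard bits: 0 = must match, 1 = don't care (the inverse of a netmask).
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(ip)) & care)

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    # First matching rule wins; every IOS ACL ends with an implicit "deny ip any any".
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if (_addr_match(r.src, src) and _addr_match(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

# The two lines as posted. SNMP is UDP/161, so a "tcp" rule never matches an SNMP datagram
# and the implicit deny locks out the ISP's own pollers along with everyone else.
AS_POSTED = [parse_rule(l) for l in (
    "access-list 161 permit tcp 192.168.148.0 0.255.255.255 any eq 161",
    "access-list 161 deny tcp any any eq 161",
)]
# Corrected form (assumption: udp, since IOS allows "eq" only with tcp or udp). Note that
# the wildcard 0.255.255.255 as posted admits all of 192.0.0.0/8; a /24 would be 0.0.0.255.
CORRECTED = [parse_rule(l) for l in (
    "access-list 161 permit udp 192.168.148.0 0.255.255.255 any eq 161",
    "access-list 161 deny udp any any eq 161",
)]

ROUTER = "192.168.148.1"  # constructed address of the router the ACL protects

def snmp_from(acl, src: str) -> str:
    """Outcome for an SNMP (UDP/161) request from src to the router."""
    return evaluate(acl, "udp", src, ROUTER, 161)
```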
Then again, most users only see the LILO screen once every blue moon.
Now, installing the graphical LILO to boot my windows box, now that's entertaining!
$1,000 per year + $1,500 per application
Large Developer
$10,000 per year + $1,500 per application
Virus Developers
$1,200 per year + $0.25 per computer infected*
* Tracking provided by Bill Gates' Email Tracking System(tm)
Do you really want a version of Office for Linux? Really?
On one hand this is a good idea. It would make their OS dominance go bye-bye if people actually had a choice of platforms to run the office suite.
On the other hand, do we really want to create new libraries proprietary to M$ under Linux that would allow the RandomCrashTime(), ScrewUpTheFormat() and CloseProgramIfNotSavedIn15Minutes() calls?
And I'm sure they would require us to reboot after every save of the documents.
---
If I had a funny sig, it would be here...
In-Dash PC emulating Windows: US$1,000
802.11b Wireless LAN card: US$120
Airsnort: Free
Sending a WinPopUp that says "YOU ARE AN IDIOT" to the moron who just cut you off: Priceless
For some things there are hand signals, for everything else, there's Linux.
"It is better to keep your mouth shut and appear dumb, than to open it and remove all doubt."
You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.
Out of the last 6 companies I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.
So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
variations in things like the speed of light over time
;)
Well, I'd be willing to say that the lights turn on now-a-days much faster than they did 100 years ago.. does this affect isotope dating?
--
Relax, it's a joke. Have a good friday!
Somehow, this seems like yet another brilliant idea by a marketing major.
Of course, we already know what direction the MBA's took 'eCommerce'.
Possible Argument: I was just at a 7-11 and came up with a brilliant idea! They are making money by allowing someone to place ads on a monitor placed right by the check out screen. Can you imagine the income we could produce with all the monitors we have around our campus???
The 1st amendment prevents the US congress from abridging your freedom of speech. It says nothing about the Australian government. Sorry.
You do have a point, however, according to this:
''The people shall not be deprived or abridged of their right to speak, to write, or to publish their sentiments; and the freedom of the press, as one of the great bulwarks of liberty, shall be inviolable.''
Congress' job is also to protect those rights from whomever tries to oppress them.
And in this case, it seems that Australian law is preventing me from expressing my sentiments regarding scoundrels in their country.
--
And that's the game! -Jim Carrey
It seems to me that Justice John Hedigan has just opened a can of worms that even he does not understand. Given that Australians can sue people in the US for defamation now, I guess this would mean that people in the US can sue people in Australia for violating our 1st amendment rights.
Last I checked, I am still allowed my opinion here in the US, and if I say that in my opinion John Hedigan is a clueless moron, and he tries to prevent me from expressing my opinion, then he is violating *MY* rights.
It would be a fun thing to be a lawyer and just for kicks, start a class action lawsuit against the Justice and the entire Justice System of Australia for violating our right to free speech. Wouldn't all American residents be qualified to join this lawsuit?
--
This .sig censored by Australian laws.
I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:
NOTE: By following these directions you will be breaking the law.
while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);
I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
Because the baboons seem to have screwed the whole thing up...
Yes, the word MOVIE was TRADEMARKED back in 1890 with a registration of 000000000.
pulheeze!
My genitalia was trademarked in 1965 as micro-soft for obvious reasons by my family. Can I have microsoft.biz now?
That was a very nice analogy with the bomb. However, the point you seem to be missing is that this stupid law is a violation of rights. Yes, you do have the right to try and figure out how something works. Yes, you do have the right to do as you wish with a product you bought, and this does mean software you purchased and the ability to install it on any computer you wish, without the need to be calling your mommy for permission.
A better analogy would be of you getting dressed in your best plaid pants, yellow t-shirt, and fisherman's cap, then coming over to my house where I will beat the crap out of you because I have a law against people looking like Mr. Furley.
That would be a better description of the DMCA.
How I wish I had a quantum girlfriend that could take care of my problems without me having to turn her on.. no foreplay necessary...
The best thing to do would be to write up some sort of a form letter. Pay attention to the problems you have encountered and document them. Do not mention specifics, nor methodologies used; just state the problems, such as "Employee records viewable by the world", etc.
You may even include some examples on how to check the system. Of course, this letter should include the regular "Thank you for the opportunity", yada yada yada..
This method will not only show that your company _IS_ aware of security measures, but will also demonstrate gracefulness and genuine concern.
When things like motherboards, hard drives, and whatever other hardware you can imagine started coming out with stupid "Windows Compatible" stickers on them, I thought to myself "how stupid!".
Hardware doesn't need to be "Whatever Compatible". The software should be able to support the hardware.
It'd be like Chevron claiming that Techroline is Ford compatible. Would all Chevy owners start crying foul?!?!? I think not. But if Chevron wants to be stupid enough to cater to just one automobile maker, it would only go to show their ignorance.
Are Linux and Windows Pentium compatible? Yes. The software dictates the compatibility, not the other way around.
Taking a look at their site, not only do they plan on making money for the 'windows' version of the client, but if you pay attention to the pics shown, you can actually have your own internal jabber server.
What that means is that companies such as cisco could set up their own jabber server to allow their CCO members to instant message with a Rep regarding problems (maybe bad example because if your network is down, no chance of getting to cisco in the first place).
When IM (read: icq) started becoming popular, I could imagine big companies providing tech support via IM. What happened to that? I don't know.. maybe the technology was too foreign to some of the execs and what FT is planning to do with the software is making it friendlier to the big cheeses, which will mean revenue and a return on their investment.
--
That of course is just my .02 cents worth, which with the recent crash of the market makes it more like .000045 cents worth.
Being the network admin, I've been researching this same issue. And I agree with you regarding the VPN solution. I recently found a link to a company called Colubris who has a really nice AP.
I sent them an email yesterday but have not heard back. I would like to know if I can tie the VPN to authenticate from our LDAP server to allow users worldwide mobility without having the local admins create them an account.
As for the stolen laptop, if you use SecurID tokens, this would help in a case like that, which is the reason I prefer this method over digital certificates.
I hate to be the one to point this out, but that is not a Wall Street Journal link.
But besides that.. I read the article earlier today, now I'm finding myself looking down to the parking lot looking for people with laptops in their car..
And I will reiterate the point.. I will stop being paranoid when you all stop following me.