Agreed.. k5 referred to 'the other guys' but it was never all that harsh.. It was a little friendly competition. Slashdot is a big dog, you've gotta expect k5 to give them shit when they can.
I was greatly saddened to see the site go down. When you pour blood, sweat and tears into a project just to see it screwed up by someone who needs to get a life, it's a sickening sensation. I'm glad to hear that you're willing to give it another try.
When it comes to the internet, the saying 'one bad apple ruins the whole bunch' really applies. What's the point? If your site gets popular enough to attract attention, some little bastard kid will just f*ck it all up.
I just wish that there was something that the hacker community could do to curb the script kiddie mentality. I mean, they are just kiddies. Used to be that we'd teach them a lesson and they'd shut up. Maybe an organization of white caps dedicated to securing up boxes with or without the admins' permission? Or an ORBS-style blacklist of known compromised boxes? Maybe a bit radical, just a thought.
Anyway, good luck and keep it up. I'm all for turning off anony, you don't need ACs anyway.
They did shut down their submission queue for a few days. And then made it all non-anonymous.
I thought all was well, but I guess the little f*cks just DoSed their server off the net. Maybe they started submitting new account requests and then filled the comment/story queue.
To whomever did this to such a great site FUCK YOU!
So if it's open source (is the license close enough to consider this actually being open?), why couldn't the community just embrace and extend them back? Or at least use some of the code in other projects (Postgres, My)
Well, at least document the experiment in its entirety. What went wrong? What went right? I'd say giving anyone ssh access to anything is bad news (local exploits vs. remote exploits). In fact, I can't really think of a way you could allow people to execute code without opening a huge security risk. Maybe give everyone a virtual server?
caffeine is good, caffeine is great, caffeine makes you stay up late. caffeine has all the vitamins you need, but will make your face look so unclean. It powers the minds behind the software boom, and lets you spend quality time in the bathroom.
Thanks to the miracle of Captive-X, it is already possible to make a web-based worm that executes upon viewing. Just look at all these delicious exploits. And since more and more Windows apps (e-mail, newsreaders, etc.) are using IE as the in-app browser, those are affected too. What is ridiculous is that the 'good times' virus is now a very real possibility.
I don't have to worry about it as I use Linux (not that we don't have exploits), but if you're a Windows user please turn ActiveX off. The uberworm will happen eventually, and next time maybe it'll delete *.DOC, *.XLS, *.MDB instead of just *.JPG and *.MP3. That's going to seriously break some corporations off.
Check out this 35-page article on the long development cycle of Daikatana and the beginnings of Ion Storm.
The game really wasn't that bad of a concept, the problem was Romero had a totally unrealistic view of software development, and lacked management skills. It's really quite a textbook case.
One of the things I'm often asked is if Perl, an interpreted language, is fast enough to handle large amounts of hits. I always point them to Slashdot as an example of why Perl works even in large-scale situations. The important thing is to write good code, no matter what language it is in. Things like FastCGI or persistent PHP can help relieve some of the forking/init overhead, but other than that it's on the programmer to make sure it's quick.
Or is it the first of the Dr. Wily boards, where the monster turns into blocks one at a time, and runs through you to the other side? That guy was sort of amorphous like a turd. It was a pain to beat, but there was a specific pattern to how the blocks transferred to the other side.
That's the one. Twon documented the select cheat quite well. Select is pause in MM1, and damage would be recounted after every pause. You had to be careful not to be damaged while you're doing it, else you'd die too. But in most situations, wail on that pause and bosses go down. :) Works in some of the old Sunsoft classics too (Blaster Master, Uncle Festers).
I realize this is a bit offtopic, but interesting nonetheless. Has anyone paid attention to what Janet Reno has had to say about this whole thing? Here's an article at The Register. She says that this proves that the US can catch 'cybercriminals', but they haven't proven anything yet as Mafiaboy has not gone to trial. Reno is ready to let the kid hang. Anyone else think that the US gov't is getting a little too crazy about this whole 'cybercrime' thing? IMHO, security belongs in the hands of the admins, not the gov't. If your computer is on the internet, secure it!
Why does the log even have to be real? It's a collection of text anybody could simply type into vi. IRC logs are not evidence, especially without at least some server headers or something.
Anyone who regularly looks at attrition's defaced mirror knows that a dominating portion of the blackhat crackers out there are using well-known bugs and exploiting lazy (or overburdened, or unqualified) administrators instead. Most crackers are looking for notoriety first and everything else second. That's why web pages are defaced, credit card numbers are posted, etc. etc. How many blackhats do you think are looking for the bugs and keeping their mouths shut about it? I'm not saying it never happens, but certainly having open source does more good than harm.
And another thing, if it's so easy to grep for strcpy, then why hasn't it been done to the code in the first place? Why isn't it automatic?
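One way to make the strcpy grep automatic, written here as an added example (not the poster's code or any project's tool): a small scanner that flags unbounded C string and format calls and suggests the bounded replacement, while ignoring mentions inside comments and string literals. The RISKY_CALLS table and the C sample are constructed for this example.

```python
import re

# Unbounded C string/format calls and the bounded replacements to suggest.
RISKY_CALLS = {
    "strcpy": "strncpy / strlcpy",
    "strcat": "strncat / strlcat",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}
# \b keeps strncpy, snprintf and fgets from matching their risky cousins.
_CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')

def scan_source(text):
    """Return [(line_no, call, suggested_replacement)] for each risky call.
    String literals and comments are blanked first (newlines preserved so
    line numbers stay right), so a mention of strcpy in a comment or a
    log string is not reported."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    cleaned = _COMMENT_RE.sub(blank, _STRING_RE.sub(blank, text))
    findings = []
    for n, line in enumerate(cleaned.splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            findings.append((n, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings

# Constructed sample, not from any real project.
SAMPLE_C = r'''
#include <string.h>
/* strcpy() is banned here; see review notes */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);           /* unbounded copy into a 32-byte buffer */
    strncpy(buf, name, sizeof buf - 1);
    printf("strcpy happened: %s\n", buf);
    sprintf(buf, "%s!", name);
    char *line = gets(buf);
}
'''

if __name__ == "__main__":
    for line_no, call, fix in scan_source(SAMPLE_C):
        print(f"line {line_no}: {call}() -> consider {fix}")
```

Pointing it at a tree (`find . -name '*.c'`) from a pre-commit hook or CI job is the "automatic" part; the regex is deliberately simple and will not see calls built through macros.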
You're all wrong on the arcade point.. Nobody goes because all the competition is online.. No need to go to the arcade for competitors.
I still go every once in a while just to find fighting-game players, but even that is great at home these days (Tekken 3 on PSX, everyone has it, lots of good players).
Arcade manufacturers missed the point even worse than the home market. Arcades should have had T1s and arcade vs. arcade competition a long time ago.. Look at how popular those bar vs. bar trivia games are. (T1 might be a tad unrealistic, but even clever use of a modem could have done the job.)
Now with DSL and cable becoming the norm, it'll probably never happen.
The overuse of the first-person shooter and the real-time strategy format is no different from the overuse of the side-scroller (Mario-type) and the overhead shooter.
It got old, the industry milked it anyway, and we moved on.
Same thing happens now. Titles like Half-Life and Messiah are evidence of people ready to move on. I think one reason why these genres have been SO popular for SO long is the introduction of internet play. That kind of connectivity is what made the later incarnations so popular. Of course the industry misconstrues this and thinks that the FPS and the RTS are the greatest thing since sliced bread. The gamers are thirsty for the next genre; somebody will innovate and take all the money. Just like id and Blizzard did before, Nintendo & Konami before that, and Atari & Activision before that.
So, religion aside, the real issue is: who's going to fund creation of new life? My guess is that the US won't support it for political reasons, but that some 3rd world country will. Same with genetic engineering - you know that eventually somebody is going to start cloning humans.... and people *will* pay money (hey perverts: want a 21-year-old Pamela Anderson clone? How about a clone of famous dead people? How about cloning sports stars and genetically enhancing them to have more mass, muscle? How about genetically enhanced wrestlers? Is there any money in any of these?)
Wouldn't that be clonism? Seriously, a clone would be every bit as human as any one of us. There would certainly be a great deal of debate about both the social implications of clones and the ethics of cloning itself.
Anybody else notice that the first steps in ending the 'old west' mentality of the internet have all been taken by corporations? Pirates don't fear the FBI; instead they fear the RIAA, SPA or MPAA suing them for everything they've got.
If the internet is to be policed (which is inevitable), who would you want to police it?
Like any product or service, the informed consumer doesn't get ripped off. If you had stayed abreast of the news, you'd have heard about the Hotmail crack and now have your e-mail at Yahoo.
And like with any product or service, there will be a portion of the population that won't care that they're getting ripped off.
If security was a concern, storing mail at Hotmail is an obvious no-no, even for a novice user (who, chances are, does not have much concern for security).
What is important is that the average user hears about such poor service, and switches.
Excuse my ignorance. So if you wanted to prevent such attacks, couldn't you require someone making a new user or posting as an AC to enter a randomly generated word back into a field? Two-way communication must exist, so they can't hide forever. I suppose they could spoof the IP to another compromised box and listen for the word there. If your page is limiting to one AC post/new user per IP per day, then you will only have 1 spam per compromised box.
Am I missing something?
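The gate this comment proposes, written out as an added example (not the poster's code, nor anything Slashdot or k5 ran): the server hands out a random word, the poster must echo it back, and each address gets one anonymous post or account per day. The HMAC token, the in-memory stores and the word list are hypothetical constructions for this example; the token deliberately omits the word, so a client that never received the reply cannot answer.

```python
import hmac
import hashlib
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-process signing key; a real deployment would persist it
CHALLENGE_TTL = 600                # seconds a challenge stays answerable
DAILY_LIMIT = 1                    # anonymous posts / new accounts per IP per day
WORDS = ["tempest", "galaga", "zaxxon", "frogger"]  # constructed word list

_posts_today = {}     # ip -> (day_number, count)   (hypothetical in-memory store)
_used_tokens = set()  # challenges already redeemed, so one word buys one post

def _mac(word, ip, expires):
    msg = f"{word}|{ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(ip, now=None):
    """Hand out a random word for this IP. The token carries the IP, the
    expiry and a MAC over (word, ip, expiry) but not the word itself, so
    only a client that actually received the word can answer it."""
    now = int(time.time() if now is None else now)
    word = secrets.choice(WORDS) + str(secrets.randbelow(10000))
    expires = now + CHALLENGE_TTL
    return word, f"{ip}|{expires}|{_mac(word, ip, expires)}"

def verify_post(token, answer, ip, now=None):
    """Return (ok, reason). Accept only if the echoed word matches the
    token, the token is fresh, unused and bound to this IP, and the IP
    is still under its daily quota."""
    now = int(time.time() if now is None else now)
    try:
        tok_ip, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False, "malformed token"
    if tok_ip != ip:
        return False, "token issued to a different address"
    if now > expires:
        return False, "challenge expired"
    if not hmac.compare_digest(mac, _mac(answer.strip(), ip, expires)):
        return False, "wrong word"
    if token in _used_tokens:
        return False, "challenge already used"
    day = now // 86400
    last_day, count = _posts_today.get(ip, (day, 0))
    if last_day != day:
        count = 0
    if count >= DAILY_LIMIT:
        return False, "daily limit for this address reached"
    _used_tokens.add(token)
    _posts_today[ip] = (day, count + 1)
    return True, "accepted"
```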
The IPs are likely spoofed. Isn't the MAC address also in an IP header? Is that spoofable?
jplt with the lain skin. It's the only skin I have so far, but it's pretty cool.
Wait, didn't the article originally come from the WSJ?
The giant turd second to last in the original Mega Man.. guy was a bitch to kill without the select cheat.
justin@jplt.com - http://www.jplt.com
I've received kudos a few times for the naming convention we have here at my house. Everyone picks their favorite classic arcade game, and the servers are mspacman and pacman (mspacman, of course being the faster of the two).
It's a great naming convention because there are plenty of names to choose from.
So far we have:
mspacman
pacman
tempest (my box)
galaxian
galaga
zaxxon
frogger
TSIA.