Bullshit. Spam is bad as long as it's uninvited. Yesterday, "nissan computer corp" spammed me because nissan auto wants to shut 'em down. Guess what? NCC is now one of my sworn enemies, and I've complained to their ISPs, simply because I don't want their spam.
If they had gone other ways than spamming, I would've supported them. But by spamming, they made me one of their enemies.
Oh fuck, this is so ridiculous. Seriously. If an org is stupid enough to page the admin because of a ping or two, then the dude that recommended that this should be done for the organization should be FIRED.
As someone mentioned at the Black Hat Briefings when talking about the several thousand attacks they receive per hour: "It's not exactly ping packets we receive here".
It's an internal joke on every single security mailing list I've seen: people complaining about someone pinging them, wanting to know what abuse@ address to send the logs to, and so forth.
It's just so fucking ridiculous. People that are paranoid because of this need to BE MADE FUN OF. And a corp that freaks out because of a couple of pings should fire the fsckhead that recommended firing off bells and whistles for nothing.
It's like making burglar detection so sensitive that it fires off all the alarms because a fly flew by outside the window.
Seriously. They're doing nothing except sending ICMP packets, and not many of them either. This isn't a denial of service attack (a couple of pings don't constitute a DoS). It's not very much of a probe either, since you do not return very much information. IF you're scared by the information a ping gives out, then you're a paranoid idiot, nothing less.
And comparing it to portscanning is dumb too. If you portscan, you scan a lot of ports, raising all kinds of bells 'n' whistles; in addition, that is exactly what script kiddies do before an attack. But a ping? Get real. Should they be harassed if they established TCP connections to port 80 on every host on the net too? *bllagh*.
I think this is one of the most stupid news items I've ever seen. People get excited because of PINGS! It's like.. how dumb is it possible to get? One, or ten, or fifty ping packets don't hurt you. It's not a DoS. It's not like it gathers much information about you ("are you alive, and what travel time do you have to me?").
Oh! And does anybody remember those lovely "internet maps" that were made some time ago? That got that great coverage on slashdot, with people wanting them and so forth? How do you folks think those were made? Just picked out of thin air? NO! They were made by traceroutes.. which is what? Traceroutes send either UDP or ICMP packets with a TTL starting at 1 and going upwards until you reach your destination host (so that the routers along the way send an ICMP TTL-exceeded, or whatever it's called, when the TTL goes down to '0' at their point).
God. I really, really, really think this entire shit about quova inc is sooo stupid. As a security administrator, I think it's even MORE stupid to get excited because of a couple of pings.
Absolutely, but sometimes the caller gets quite annoyed. Like when I called Telenor Internet Support here in Norway. I was at a local school in my home town that had "lost connectivity". Two secs of troubleshooting 'em onsite showed no DNS servers. I couldn't recall the IPs, so I called Telenor Internet Support (their ISP). The conversation:
---
me> Hi. I would like to know the ip-addresses of your dns servers.
support>Yes, please press 'start', then ch...
me> I would like to know the ip-addresses of your dns servers.
support>Yes, as I was saying, please press 'start', then
me>I want to know the IP's, not how to do it.
support> Please press start, then
me> JUST GIVE ME THE DAMN IPS, WILL YOU ?
support> [silence].. oh! Sorry [laughs].. They are [ips]. [more laughter]. Usually the people that call don't have a clue, so I guess I didn't think before starting to answer. You can't imagine how many clueless people call me each day <rant, rant, rant for two minutes, mutual laughs, and so forth>.
---
I got quite annoyed at first, but he did handle it well in the end, telling me a couple of "lusers he has served today" stories, and so forth :)
Personally I'm a bit tired of the entire x86 architecture. It has had patch upon patch upon patch applied onto it. It's a sucky design to start out with, and they're just adding more and more to it. I hope we'll see a more sensible CPU design in the future.
If CPU designers were like webpage designers, they would make a CPU like this. On the other hand, that is quite unlikely. Oh well, I hope they'll drop it in a while.
I see a lot of good reasons to start out a project on your own. If I want to hack on a text editor, it's because I want to learn. Actually, I did try to hack on an editor several years ago. I thought it sucked, and deleted my code. Just as well; it was sucky.
Some people get satisfied with their code. They get proud of it, and want to share it. I've coded some hobby projects and been proud of the code I produced. That was fun. I never GPL'ed the code though (this was 5 years ago, I was still using DOS, and had never read much about the GPL).
I fully understand those who program something as a test. They program something for themselves, and try things out. When it works, why not share the code? Maybe it's not the best out there, but it's yours. You want to share it. And why not GPL it while you're at it?
Another thing. There is a need for more editors. Personally I use vi. It's not bloated, it's easy to use when you've learned it, and so forth. Emacs people always make fun of me, but I don't really care. I use emacs from time to time too, but it's a bit too memory-consuming for me most of the time.
I also enjoy the powers of pico, joe, Midnight Commander's internal editor, and so forth. Fun to play around with.
About the rejected diffs. Maybe the author had thought of something similar, but didn't like this one's implementation. Perhaps he thought the code looked ugly. Perhaps the code didn't abstract the way the maintainer wanted. Who knows?
The best way to submit diffs, if it's actively maintained code, is not just to code something up. It's to ask the author how he wants it coded, and code it that way. That may be "off-putting" for some, but I for sure wouldn't want to put code that ruined my plans into my project.
Hmf. Maybe that's why I can't attract enough people to bother starting on my current dream (of the last 3 years). I want a database-driven newsserver/mailing-list/webboard/BBS. That is, I want a database to contain all the articles and logins/passwords, and the newsserver should serve all that. Mailing lists for those that don't like news, and webboards to attract the intelligent but computer illiterate. BBS-style would be cool too, so that people could remember the good old days :)
Oh well :D This got a bit long, and surely not held to one topic throughout, but.. :D
--
Re:One last defense of my gender on /. · on Deja For Sale · Score: 2
I've gotten sick of defending myself and my gender time and time again, but I'll do so one last time.
Why do you do it at all? I for one didn't take notice of what you *wrote* in your signature before you defended yourself against that troll. I don't care whether you're male or female. I don't care whether you're short, tall, good-looking, ugly, black, white, male, female or *whatever*, as long as you write intelligent things.
The only thing you should do when someone attacks you is to *ignore the idiots*. Don't answer the obvious, far too stupid trolls. They'll go away, eventually, hopefully. :)
Until then, ignore 'em. They're not worth your time. Intelligent people don't care about your gender when they discuss with you.
--
Re:The problem with the list... · on MAPS Sued Again · Score: 2
Bullshit.
You don't get onto MAPS because someone at your ISP spams. Your ISP has to have *refused* to terminate the spammer, specifically *allowed* them to continue spamming, and shown total unwillingness to terminate the spambag.
It could have gotten itself onto ORBS, but that is because of it being an open relay, or being a relay for someone being an open relay.
No. Make an exploit. Send it to the developer. Publish it on bugtraq only if the developers don't respond. Exploits are ammunition. Handle them with care.
Of course notifying the developer first, and giving him a week or two to make a fix, is a nice thing to do, as long as the exploit isn't already found in the wild.
But it should always be posted to bugtraq when a fix is issued. Both for education and so that admins may test their systems.
Information about the holes should be made public, including the information on how to exploit them.
Having developers/distributions distribute fixed versions before the exploit gets into the wild is a win for everyone.
That depends. Personally I really like the idea of pushing closed source developers a bit by publishing the exploit before contacting them. It makes an incentive to open source it. If it had been open source, you would've published a patch along with the exploit.
I'm sure those who use closed source solutions will disagree ;)
I worry about the trend of using the innocents as cannon fodder (as described by Marcus Ranum, whose homepage at http://www.clark.net/pub/mjr appears to have disappeared. anyone know where it is now?).
Oh, I forgot to comment on this. Are people still taking Marcus Ranum seriously? After his speech at Black Hat this year? Of course one should embrace new ideas and so forth, but hiding the exploits, and not letting the public see vulnerabilities, is hardly a new idea. It was the way things worked in the past. And the past shows that IT DOESN'T WORK.
I don't care how many "innocents" are used as cannon fodder. I want to be able to make sure that MY system is secure. The same applies to every other security conscious admin out there. We scour bugtraq, pen-test, vuln-dev, incidents, and so forth. I want to be able to secure my system, damn it. I don't want the information HIDDEN from me.
If people don't care about their security: *BAD FOR THEM*. I want to be able to secure MY systems, and I want people equal to me to be able to secure THEIR systems, without having to wade through a bunch of NDAs, being part of special committees or whatever.
Furthermore, how do you think programmers will ever learn to program securely if they can't follow security lists where exploits are shown and openly discussed? Heh, they should teach themselves magically perhaps?
Blargh, no, Ranum's ideas are outdated, and really, I lost all respect for the guy during this year's Black Hat Briefings in Las Vegas.
Very few novice Redhat 6 users, myself included, actively monitor the security problems addressed at bugtraq or securityfocus, out of ignorance or lack of time.
Or, as it was for me, SuSE 5.1 or 5.2 (don't remember which one) that had the qpopper vulnerability. I was cracked, and afterwards I *love* the resources secfocus, rootshell, packetstorm and so forth have provided for me.
wu-ftpd exploit
If an open source program has a security fix, people will run a diff and find the bug. If you've seen the exploits floating around, they are mostly written by kiddies / friends of kiddies. People that put "DO not distribute" at the top of the comments of the code. The code is of course circulated among 'the eLiTe uND3Rgr0und', and after a relatively short time it gets into kiddie hands, via irc or whatever. They don't need bugtraq for this.
DO NOT post exploits to the general public; insist that securityfocus, bugtraq, and others only allow legitimate developers to view them. Exploits are the equivalent of guns and ammo, and there is a great need for background checks!
No way. I insist on being able to review the exploits, review the vulnerabilities and so forth. I want to patch my holes, but I want to know that they're there before I go ahead and patch. Also, the exploits put a fire in the asses of the developers. It makes sure that they do produce a fix, and fast. I, as a security admin for my company, want those fixes ASAP. I don't want to live months without them because there is a bunch of lazy admins in the world that should "be protected". No thank you..
We need to express leadership in the open-source community to make the distros have secure default configurations,
Agreed. Nothing but sshd and auth should be started by default. Everything other than that should have to be specified explicitly, imho.
and automatically alert users of security problems,
No way. NOOO way. I don't want the distro to automagically check for anything. That should be made an OPTION to ENABLE, not something that should be forced upon people. NO way..
*shudder*
Realize that usability and security go hand in hand, and consumers, in the long run, are going to support the OS that gives them the fewest headaches
Yup, and therefore distros should be shipped without many daemons enabled by default. The full disclosure policy is not affected by this.
An excellent example of this is the SYN Flooding attack perpetrated on PANIX in NYC years ago. Let's rewrite history and suppose that the attack was mailed to CERT first (and not used in public first). [...snip...] Well, fix it, of course, right? The problem is that the fix isn't obvious (it still isn't obvious, years after the attack).
There are lots of problems where the fix isn't obvious. They're design flaws in TCP, IP, or whatever protocol. SYN attacks are design flaws in the protocol.
I agree with you that SYN attacks, and other DoS attacks, don't seem to have an end. The point is, we cannot actually say that it has been a Bad Thing (TM) to disclose them. They SHOULD be pointed out. As another one that replied to you said, he wrote a paper about it three years before Panix. Nobody was interested because the problem was only theoretical. It would be too expensive with ingress filtering, it would ruin mobile IP, and so forth.
The solution to the SYN flooding attacks is of course ingress filtering. The trouble is that nobody wanted to do that before the "SYN flooding tools" existed. And seriously, do you think it would've been better if nobody had ever disclosed it? Do you really think it's better to have an extremely weak infrastructure, instead of having the infrastructure go through peer review again and again, until you find all the bugs?
Personally I'm glad the SYN flood attack tools were made publicly available. I'm glad that smurf was made public.. and so forth. Without 'em, we wouldn't get ISPs to do ingress filtering; people wouldn't do anything to try to prevent it. Now people at least TRY.
Oh, I could rant on forever, but I think i'll stop now.:)
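The ingress filtering the post above calls for, as an added example that is not code from the post or from any router vendor: the BCP38-style source-address policy an access router applies at the customer edge, written out as a function and run over constructed packets. The topology, interfaces, prefixes and addresses are all made up for the example (RFC 5737 documentation ranges as "public" space). It goes slightly beyond the post by also dropping bogon sources (RFC 1918, loopback, multicast and friends), which is the same policy applied one step further.

```python
# Added example, not from the original post: strict ingress (source-address)
# filtering at a network edge, modelled as a pure function over packets.
from dataclasses import dataclass
import ipaddress

# Sources that must never arrive from outside a network. Listed explicitly rather
# than via ipaddress.is_private, which also flags the RFC 5737 documentation
# ranges this example uses as public addresses.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: str
    dst: str
    tcp_flags: str = ""   # "S" for a bare SYN; informational only, the policy is on src


class IngressFilter:
    """Source-address validation at the edge.

    customer_prefixes: {interface: [prefix, ...]} assigned to the customer on it.
    own_prefixes: everything this network announces; never a valid source from upstream.
    """

    def __init__(self, customer_prefixes, own_prefixes, upstream_iface):
        self.customer = {iface: [ipaddress.ip_network(p) for p in prefixes]
                         for iface, prefixes in customer_prefixes.items()}
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]
        self.upstream = upstream_iface

    def verdict(self, pkt: Packet):
        src = ipaddress.ip_address(pkt.src)
        if any(src in n for n in BOGONS):
            return "drop", "bogon source"
        if pkt.iface == self.upstream:
            # Packets from the Internet claiming to be from us are spoofed (or a loop).
            if any(src in n for n in self.own):
                return "drop", "own prefix arriving from upstream"
            return "accept", ""
        allowed = self.customer.get(pkt.iface)
        if allowed is None:
            return "drop", "unknown interface"
        if not any(src in n for n in allowed):
            # A customer may only send from the space assigned to them; this is the
            # check that kills a SYN flood with forged random sources at its origin.
            return "drop", "source not assigned to this interface"
        return "accept", ""


def apply_filter(flt: IngressFilter, packets):
    """Run the policy over a batch; returns [(packet, verdict, reason), ...]."""
    return [(p,) + flt.verdict(p) for p in packets]


def drop_summary(results):
    """Count drops per reason, the numbers an operator would graph per interface."""
    counts = {}
    for _pkt, verdict, reason in results:
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed topology: eth0 faces the upstream, eth1 and eth2 are customer ports.
EDGE = IngressFilter(
    customer_prefixes={"eth1": ["203.0.113.0/24"], "eth2": ["198.51.100.0/26"]},
    own_prefixes=["203.0.113.0/24", "198.51.100.0/24"],
    upstream_iface="eth0",
)

# Constructed sample traffic, including forged-source SYNs from a customer port.
SAMPLE = [
    Packet("eth1", "203.0.113.5", "192.0.2.80", "S"),       # legitimate customer SYN
    Packet("eth1", "192.0.2.77", "192.0.2.80", "S"),        # forged source, SYN flood
    Packet("eth1", "10.9.8.7", "192.0.2.80", "S"),          # forged RFC 1918 source
    Packet("eth2", "198.51.100.200", "192.0.2.80", "S"),    # outside the assigned /26
    Packet("eth0", "203.0.113.9", "203.0.113.5", "S"),      # our own space, from outside
    Packet("eth0", "192.0.2.1", "203.0.113.5", "SA"),       # normal reply from the Internet
    Packet("eth3", "192.0.2.2", "203.0.113.5"),             # interface not in the policy
]

if __name__ == "__main__":
    results = apply_filter(EDGE, SAMPLE)
    for pkt, verdict, reason in results:
        print(f"{pkt.iface:5} {pkt.src:16} {verdict:6} {reason}")
    print(drop_summary(results))
```

On real routers the same policy is strict unicast reverse path forwarding (RFC 3704): a packet is accepted only if the route back to its source points out the interface it arrived on. The customer-port branch above is exactly that check written by hand; the model is here so the decision per packet can be read and tested.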
Full disclosure is the right way to go... WHEN handled sensibly. You have no need for a coded exploit - if you can't write it yourself, what chance do you have to understand it? And if you don't understand it, what possible LEGITIMATE use do you have for it?
I as an admin have legitimate use for it. I'm able to run the exploit against my box to check if I'm vulnerable. If there's a proper description of the vulnerability in addition, I'll be able to check if the flaw is there at all in my version of the software.
Exploits are an easy way to check if you're vulnerable and need a patch. It's a helluva lot easier than checking if you've got the updated libs, and if the program is updated, and version-checking everything.
Of course, it's not foolproof. You may be vulnerable even if the exploit doesn't work. But if you run redhat, and the exploit is for redhat, then.. :-)
Furthermore, you say that full disclosure is the way to go. And right afterwards, you say that exploits shouldn't be released. Sorry mac, it's not full disclosure if you don't disclose everything. You seem to have misunderstood something.
For example, while MS didn't improve LanMan until l0pht released l0phtcrack, neither was anybody cracking it!
And how exactly do you know that? When l0pht released the information, security minded people were able to patch their systems, because they forced a fix to be made. If they had not publicised the information, you wouldn't know about it. You wouldn't know that you were vulnerable, and if you had a smartass cracker around, he could run circles around you without you understanding what the fsck was going on.
You seem like a troll, but are modded to 5.. I don't get it.
The number of people actually capable of discovering new holes AND who are shady enough to exploit them is so tiny that the odds are high an average user will never be affected by them. Most of these people spend all their time coding up "exploits" for skript kiddies today anyway!
And how can you be so certain about this? You really can't. What is unknown is unknown. You are doing nothing but theorizing right now.
Btw, as far as I know, slashdot has been cracked once without anyone having any idea how it was cracked. Furthermore, rootshell.com was cracked about 1-2 years ago. I don't think they've discovered how yet. So, you are saying that the superhackers don't exist; even so, we see these kinds of things.
Keep in mind that your enemies are the skript kiddiez, NOT the corporations or end users.
I seem to remember some corporations taking more than a year to patch some holes. I think they are my enemies, not the script kiddies. And I've been cracked by script kiddies. If the tools weren't widely published and available, I would never have known what hit me. (Maybe I wouldn't have been hit, but that I can't know.)
I was kinda surprised reading the logs. CmdrTaco sounded a lot more like a script kiddie than I really liked. Comments like:
bob_jones_iii is being an annoying prick. can we kill him? someone dos him;)
Really, really disappointed me. Sure, he's got a smiley there, but still. I wouldn't be surprised if someone actually DoS'ed the sucker because "o almighty Taco told them to".
Also, the "fuckings", "sucks", the signal_11 bashing, and so forth was kinda surprising. It sure shows that some people act much more freely on IRC than on the web.
On the other hand, I do understand the frustration of someone constantly nagging at you, flaming you, and so forth. I really hope Malda keeps reading his mailbox himself, instead of getting someone else to read it.
Another thing I began thinking about. They don't link to the stories they throw away. There's no recycle bin we may look in. Personally I would love it if there were some sort of reason given when disapproving a story, and if they were thrown into some bins. Say they have four throwaway bins: one that is just 'garbage' that no one gets to read, and three like 'posted before', 'not interesting enough', and say 'Cool, but not cool enough' (or whatever categories they want). That wouldn't be too prone to abuse.. I think.. (but I don't KNOW :-). As it is now, most of the interesting stuff at slashdot (the most interesting links and so forth) is almost always to be found in the comments. If more of them made the garbage bins, I think that would be cool :)
Also, the different bins would satisfy the demand for "why the story was rejected" a bit more. If it was trashed into 'garbage' they considered it garbage, and so forth. And I can't see why this would take ANY more time. I don't know how the slashdot system works, but at the moment there are two things that can happen: they approve it, or they don't. Two buttons / a menu or whatever. They could just make some more buttons. No need for a comment, and.. well well. Just an idea. It has probably already been considered.
Hmf. This got a bit long, with nothing but my opinions and stuff. Oh well :-)
2. Earlier machines usually had a 5 1/4" floppy disk, until the late 486s started really using 3.5" floppies. Most people are not going to spend money and time ripping out an old floppy.
It's probably just me, but I've never seen a 5 1/4" floppy disk drive on anything except 286's and below. Hmm.. or maybe once.. yes.. I did see it on a 386 once. But only once.
Most 286's had 3.5" too.. at least those I used.
So THAT is not a problem, and besides, it's untrue ;D
I really don't see the problem. FreeNet isn't meant to be a replacement as "The Mp3 Distributor". It's meant as a place you can enter your information, and it'll get cached all around the place, making distribution much more efficient. Furthermore, it's meant to be a place you CAN'T censor. I for one will be making a "freenet website" as soon as updating documents and so forth is supported in an adequate manner. It won't bring me any cash, and it won't be good for commercial use, but it won't tax my connection very heavily either :-D
One problem w/ freenet and the caching system is that you cannot create dynamic sites. Everything is static pages that you have to update manually. Another problem is the entire update thingie. Since everything is "pull-based", I would think that expiring an old document is almost impossible. That would be kinda ruinous to, say, a homepage that's updated every hour.
I don't know how, but I hope that the above mentioned problem will be addressed by the creators of freenet. :)
To sum it up: I think you should look elsewhere if you just want another warez & mp3 sharing tool. FreeNet *can* be used for those purposes, but it's not efficient to do it with. You'll have to distribute the "keywords" for the song through some means if you want anyone to be able to FIND it, and then you're vulnerable to censorship again.
So, I don't see the problem. :D
--
Re:How can I assert my own ethics on FreeNet? · on Freenet 0.3 Released · Score: 2
Since when does supporting freedom of speech mean supporting what people say with it?
You don't need to support it. You don't necessarily SUPPORT it by hosting it; you're making their speech POSSIBLE.
If I see a skinhead standing on a street corner handing out NAZI propaganda, because I support his right to speak, I will not do anything to silence him. But I am not going to stand there alongside him handing out flyers as well and support his message .
It's not comparable. What's comparable is as follows. You own a "public plaza" where people walk. Would you let the nazi stand there and hand out his propaganda? If not, would you let OTHERS stand there and hand out THEIR propaganda?
I would definitely let him hand out his propaganda on my plaza if I would let others do it. He should have the same right to distribute his information as others should have. I would on the other hand strongly oppose his stance, and I would even go so far as to print out my own brochures and stand alongside him handing out information that rebutted his.
The author of the article should read the changelog for the proftpd daemon, for apache, and so forth. Debian has a tendency to backport security fixes instead of shipping the newest versions. I find that much better than always shipping the latest and greatest bugware. :)
Ah. About time. It's no use handing out hundreds of IPs for nothing. You don't need hundreds of different IPs just to do some hosting. You need one for each SSL host, and one for the rest. So, if every provider that needs IPs gets something like a /28 or a /27, that should be more than enough. And you don't need one IP for every workstation at your company either. Use NAT. Then you've got some sort of a "firewall" at the same time.
I can't understand why they've taken this long to implement this. No "small" company should need more than a /27 or a /28. Have a DMZ for the servers, and place the rest behind NAT.
Bullshit. Spam is bad as long as its non-invited. Yesterday, "nissan computer corp" spammed me because of nissan auto wants to shut'em down. Guess what? ncc is now one of my sworn enemies, and i've complained to their ISP's, simply because I don't want their spam.
If they had gone other ways than spamming, I would've supported them. But, by spamming, they made me one of their enemies.
--
Ohfuck, this is so ridiculous. Seriously. If an org. is stupid enough to page the admin because of a ping or two, then the dude that recomended that this should be done for the organization, should be FIRED.
As someone mentioned when talking about the several thousands attack they received per hour at blackhat briefings.. "Its not exactly ping packets we receive here".
Its an internal joke on every single security mailinglist I've seen. People complaining about someone ping'ing them, wanting to know what abuse@ address to send the logs to and so forth.
Its just so fucking ridiculous. People that are paranoid because of this need to BE MADE FUN OF. And a corp that freaks out because of a couple of ping, should fire the fsckhead that recomended firing of bells and whistles for nothing.
Its like making a so sensitive burglar detection, that it fires off all alarms because a fly flew by outside the window.
--
Seriously. They're doing nothing except sending icmp packets, and not many of them neither. This isn't a denial of service attack (a couple of pings don't constitute a dos). Its not very much of a probe neither, since you do not return very much information. IF you're scared by the information a ping gives out, then you're a paranoid idiot, nothing less.
.. how dumb is it possible to get? One, or ten, or fifty, ping packets doesn't hurt you. Its not a DoS. Its not like it gathers much information about you ("are you alive, and what travel-time do you have to me?").
.. which is what? traceroutes are either sending udp or icmp packets with a TTL starting with 1, and going upwards until you reach your destination host (so that the routers along the way send an icmp-ttl-exceeded or whatever its called when the TTL goes down to '0' at their point).
And, comparing it to portscanning is dumb too. If you portscan, you scan a lot of ports, raising all kinds of bells'n whistles, in addition to that is exactly what scriptkiddies do before an attack. But a ping? Get real. Should they be harassed if they established tcp connections to port 80 on every host on the net too? *bllagh*.
I think this is one of the most stupid news-items I've evern seen. People get excited because of PINGS! Its like
Oh! And, do anybody remember those lovely "internet-maps" that was made some time ago? That got that great coverage on slashdot, with people wanting them and so forth? How do you folks think those were made? Just picked out of thin air? NO! They were made by traceroutes
God. I really, really, really think this entire shit about quova inc is sooo stupid. As a Security administrator, I think its even MORE stupid to get excited because of a couple of pings.
/RANT
--
Absolutely, but sometimes the caller get quite annoyed. Like, when I called TeleNor Internet Support here in norway. I was at a local school in my home town, that had "lost connectivity". Two secs of troubleshooting'em onsite showed no DNS servers. I couldn't recall the IP's, so I called TeleNor Internet Support (their ISP). The conversation: .. oh! Sorry [laughs].. They are [ips]. [more laugher]. Usually the people that calls don't have a clue, so I guess I didn't think before starting to answer. You can't imagine how many clueless people call me each day rant, rant, rant for two minutes, mutual laughs, and so forth>.
:)
---
me> Hi. I would like to know the ip-addresses of your dns servers.
support>Yes, please press 'start', then ch...
me> I would like to know the ip-addresses of your dns servers.
support>Yes, as I was saying, please press 'start', then
me>I want to know the IP's, not how to do it.
support>PLease press start, then
me> JUST GIVE ME THE DAMN IPS, WILL YOU ?
support> [silence]
---
I got quite annoyed at first, but he did tackle it good in the end, telling me a couple of "lusers he has served today" stories, and so forth
--
Personally I'm a bit tired of the entire x86 architecture. It has had patch upon patch upon patch applied onto it. Its a sucky design to start out with, and they're just adding more and more to it. I hope we'll see a more sensible cpu design in the future.
If cpu designers were like webpage designers, they would make a cpu like this. On the other hand, that is quite unlikely. Ohwell, I hope they'll drop it in a while.
--
I see a lot of good reasons to start out a project on your own. If I want to hack on a text editor, its because I want to learn. Actually, I did try to hack on an editor several years ago. I thought it sucked, and deleted my code. Just as well, it was sucky.
:)
:D This got a bit long, and shurely not helt onto one topic throughout, but .. :D
Some people get satisfied with their code. They get proud of it, and want to share it. I've coded some hobby projects and been proud of the code I produced. That was fun. I never gpl'ed the code though (This was 5 years ago, I was still using DOS, and had never read much about the GPL).
I fully understand those who program something as a test. They program something for themselves, and try things out. When it works, why not share the code? Maybe its not the best out there, but its yours. You want to share it. And why not GPL it when you're at it?
Another thing. There are needs for more editors. personally I use vi. Its not bloated, its easy to use when you've learned it, and so forth. emacspeople always make fun of me, but i don't really care. I use emacs from time to time too - but its a bit to memoryconsuming for me most of the time.
I also enjoy the powers of pico, joe, midtnight commanders internal editor, and so forth. Fun to play around with.
About the rejected diffs. Maybe the author had thought of something similiar, but didn't like this ones implementation. Perhaps he thought the code looked ugly. Perhaps the code didn't abstract the way the maintainer wanted. Who knows?
The best way to submitt diffs is not just to code something up, if its actively maintained code. Its to ask the author on how he wants it coded, and code it that way. That may be "off-putting" for some, but I for sure wouldn't want to put code that ruined my plans, into my project.
Hmf. Maybe that's why I can't attract enough people to be bothered starting with my current dream (of the last 3 years). I want a database-driven newsserver/mailing-list/webboard/bbs. That is, I want a database to contain all the articles and logins/passwords, the newsserver should serve all that. Mailinglists for those that don't like news, and webboards to attract the intelligent but computer illerates. BBS-style would be cool too, so that people could remember the good old days
ohwell.
--
I've gotten sick of defending myself and my gender time and time again, but I'll do so one last time.
:)
Why do you do it all? I for one didn't take notice of what you *wrote* in your signature, before you defended yourself against that troll. I don't care wheter your male or female. I don't care wheter your short, tall, good-looking, ugly, black, white, male, female or *whatever* as long as you write intelligent things.
The only thing you should do when someone attacks you, is to *ignore the idiots*. Don't answer the obvious far too stupid trolls. They'll go away, eventually, hopefully.
Until then, ignore'em. They're not worth your time. Intelligent people don't care about your gender when they discuss with you.
--
Bullshit.
You don't get onto MAPS because someone at your ISP spams. Your ISP has had to *refuse* to terminate the spammer, and specifically *allow* them to continue spamming, and show total unwillingness to terminating the spambag.
It could have gotten itself onto ORBS, but that is because of them beeing an open relay, or beeing a relay for someone beeing an open relay.
--
No. Make an exploit. send it to to developer. Publish it on bugtraq only if the developers don't respond. exploits are ammunition. handle them with care.
;)
Of course, notifying the developer first and giving him a week or two to make a fix is a nice thing to do, as long as the exploit isn't already found in the wild.
But it should always be posted to Bugtraq when a fix is issued. Both for education and so that admins may test their systems.
Information about the holes should be made public, including the information on how to exploit them.
Having developers/distributions distribute fixed versions before the exploit gets wild is a win for everyone.
That depends. Personally I really like the idea of pushing closed-source developers a bit by publishing the exploit before contacting them. It makes an incentive to open-source it. If it had been open source, you would've published a patch along with the exploit.
I'm sure those who use closed-source solutions will disagree,
--
I worry about the trend of using the innocents as cannon fodder (as described by Marcus Ranum, whose homepage at http://www.clark.net/pub/mjr appears to have disappeared. anyone know where it is now?).
Oh, I forgot to comment on this. Are people still taking Marcus Ranum seriously? After his speech at Black Hat this year? Of course one should embrace new ideas and so forth, but hiding the exploits and not letting the public see vulnerabilities is hardly a new idea. It was the way things worked in the past. And the past shows that IT DOESN'T WORK.
I don't care how many "innocents" are used as cannon fodder. I want to be able to make sure that MY system is secure. The same applies to every other security-conscious admin out there. We scour Bugtraq, pen-test, vuln-dev, incidents, and so forth. I want to be able to secure my system, damn it. I don't want the information HIDDEN from me.
If people don't care about their security, *BAD FOR THEM*. I want to be able to secure MY systems, and I want people equal to me to be able to secure THEIR systems, without having to wade through a bunch of NDAs, being part of special committees or whatever.
Furthermore, how do you think programmers will ever learn to program securely if they can't follow security lists where exploits are shown and openly discussed? Heh, they should teach themselves magically perhaps?
Blargh, no, Ranum's ideas are outdated, and really, I lost all respect for the guy during this year's Black Hat Briefings in Las Vegas.
--
Very few novice Red Hat 6 users, myself included, actively monitor the security problems addressed at Bugtraq or SecurityFocus, out of ignorance or lack of time.
Or, as it was for me, SuSE 5.1 or 5.2 (don't remember which one) that had the qpopper vulnerability. I was cracked, and afterwards I *love* the resources SecurityFocus, rootshell, Packet Storm and so forth have provided for me.
wu-ftpd exploit
If an open-source program has a security fix, people will run a diff and find the bug. If you've seen the exploits floating around, they are mostly written by kiddies / friends of kiddies. People that put "DO NOT distribute" at the top of the comments of the code. The code is of course circulated among 'the eLiTe uND3Rgr0und', and after a relatively short time it gets into kiddie hands, via IRC or whatever. They don't need Bugtraq for this.
DO NOT post exploits to the general public; insist that SecurityFocus, Bugtraq, and others only allow legitimate developers to view them. Exploits are the equivalent of guns and ammo, and there is a great need for background checks!
No way. I insist on being able to review the exploits, review the vulnerabilities and so forth. I want to patch my holes, but I want to know that they're there before I go ahead and patch. Also, the exploits put a fire under the asses of the developers. They make sure that they do produce a fix, and fast. I, as a security admin for my company, want those fixes ASAP. I don't want to live months without them because there is a bunch of lazy admins in the world that should "be protected". No thank you..
We need to express leadership in the open-source community to make the distros have secure default configurations,
Agreed. Nothing but sshd and auth should be started by default. Everything other than that should have to be specified explicitly, IMHO.
and automatically alert users of security problems,
No way. NOOO way. I don't want the distro to automagically check for anything. That should be made an OPTION to ENABLE, not something that is forced upon people. NO way..
*shudder*
Realize that usability and security go hand in hand, and consumers, in the long run, are going to support the OS that gives them the fewest headaches
Yup, and therefore distros should be shipped without many daemons enabled by default. The full-disclosure policy is not affected by this.
--
An excellent example of this is the SYN Flooding attack perpetrated on PANIX in NYC years ago. Let's rewrite history and suppose that the attack was mailed to CERT first (and not used in public first). [...snip...] Well, fix it, of course, right? The problem is that the fix isn't obvious (it still isn't obvious, years after the attack).
.. and so forth. Without them, we wouldn't get ISPs to do ingress filtering; people wouldn't do anything to try to prevent it. Now people at least TRY.
:)
There are lots of problems where the fix isn't obvious. They're design flaws in TCP, IP, or whatever protocol. SYN attacks are design flaws in the protocol.
I agree with you that SYN attacks, and other DoS attacks, don't seem to have an end. The point is, we cannot actually say that disclosing them has been a Bad Thing (TM). They SHOULD be pointed out. As another one that replied to you said, he wrote a paper about it three years before Panix. Nobody was interested because the problem was only theoretical. It would be too expensive with ingress filtering, it would ruin Mobile IP, and so forth.
The solution to the SYN-flooding attacks is of course ingress filtering. The trouble is that nobody wanted to do that before the "SYN-flooding tools" existed. And seriously, do you think it would've been better if nobody had ever disclosed it? Do you really think it's better to have an extremely weak infrastructure, instead of having the infrastructure go through peer review again and again, until you find all the bugs?
Personally I'm glad the SYN-flood attack tools were made publicly available. I'm glad that smurf was made public.
Oh, I could rant on forever, but I think i'll stop now.
--
Full disclosure is the right way to go... WHEN handled sensibly. You have no need for a coded exploit - if you can't write it yourself, what chance do you have to understand it? And if you don't understand it, what possible LEGITIMATE use do you have for it?
.. :-)
I as an admin have legitimate use for it. I'm able to run the exploit against my box to check if I'm vulnerable. If there's a proper description of the vulnerability in addition, I'll be able to check if the flaw is there at all in my version of the software.
Exploits are an easy way to check if you're vulnerable and need a patch. It's a helluva lot easier than checking if you've got the updated libs, and if the program is updated, and version-checking everything.
Of course, it's not foolproof. You may be vulnerable even if the exploit doesn't work. But, if you run Red Hat, and the exploit is for Red Hat, then
Furthermore, you say that full disclosure is the way to go. And right afterwards, you say that exploits shouldn't be released. Sorry mac, it's not full disclosure if you don't disclose everything. You seem to have misunderstood something.
For example, while MS didn't improve LanMan until L0pht released L0phtCrack, neither was anybody cracking it!
And how exactly do you know that? When L0pht released the information, security-minded people were able to patch their systems, because they forced a fix to be made. If they had not publicised the information, you wouldn't know about it. You wouldn't know that you were vulnerable, and if you had a smartass cracker around, he could run circles around you without you understanding what the fsck was going on.
You seem like a troll, but are modded to 5.. I don't get it.
The number of people actually capable of discovering new holes AND who are shady enough to exploit them is so tiny that the odds are high an average user will never be affected by them. Most of these people spend all their time coding up "exploits" for skript kiddies today anyway!
And how can you be so certain about this? You really can't. What is unknown is unknown. You are doing nothing but theorizing right now.
Btw, as far as I know, Slashdot has been cracked once without anyone having any idea of how it was cracked. Furthermore, rootshell.com was cracked about 1-2 years ago. I don't think they've discovered how yet. So, you are saying that the superhackers don't exist; even so, we see these kinds of things.
Keep in mind that your enemies are the skript kiddiez, NOT the corporations or end users.
I seem to remember some corporations taking more than a year to patch some holes. I think they are my enemies, not the script kiddies. And I've been cracked by script kiddies. If the tools weren't widely published and available, I would never have known what hit me (maybe I wouldn't have been hit, but that I can't know).
--
I was kinda surprised reading the logs. CmdrTaco sounded a lot more like a script kiddie than I really liked. Comments like:
bob_jones_iii is being an annoying prick. can we kill him? someone dos him
Really, really disappointed me. Sure, he's got a smiley there, but still. I wouldn't be surprised if someone actually DoS'ed the sucker because "o allmighty Taco told them to".
Also, the "fuckings", "sucks", the signal_11 bashing, and so forth were kinda surprising. It sure shows that some people act much more freely on IRC than on the web.
On the other hand, I do understand the frustration of someone constantly nagging at you, flaming you, and so forth. I really hope Malda keeps reading his mailbox himself, instead of getting someone else to read it.
Another thing I began thinking about. They don't link to the stories they throw away. There's no recycle bin we may look in. Personally I would love it if there were some sort of reason given when disapproving a story, and if they would be thrown into some bins. If they have, say, four throwaway bins: one that is just 'garbage' that no one gets to read, and three like 'posted before', 'not interesting enough', and say 'Cool, but not cool enough' (or whatever categories they want), then that wouldn't be too prone to abuse.. I think.
Also, the different bins would satisfy the demand for "why the story was rejected" a bit more. If it was trashed into 'garbage', they considered it garbage, and so forth. And I can't see why this would take ANY more time. I don't know how the Slashdot system works, but at the moment there are two things that can happen. They approve it, or they don't. Two buttons / a menu or whatever. They could just make some more buttons. No need for a comment, and
.. (but I don't KNOW :-). As it is now, most of the interesting stuff at Slashdot (the most interesting links and so forth) is almost always to be found in the comments. If more of them made the garbage bins, I think that would be cool :)
.. Well, well. Just an idea. It has probably already been considered.
;)
:-)
Hmf. This got a bit long, with nothing but my opinions and stuff. Oh well.
--
I can't remember seeing the Apache crew do that.. if you remember when apache.org was cracked.
--
2. Earlier machines usually had a 5 1/4" floppy disk, until the late 486s started really using 3.5" floppies. Most people are not going to spend money and time ripping out an old floppy.
It's probably just me, but I've never seen a 5 1/4" floppy disk drive on anything except 286s and below. Hmm.. or maybe once.. yes.. I did see it on a 386 once. But only once.
Most 286s had 3.5" too
.. at least those I used.
;D
So, THAT is not a problem, and besides, it's untrue.
--
actually, you'd be pretty stupid not to bookmark your favourite sites anyways..
;)
Why on earth should I bother bookmarking Slashdot, when it takes far more effort to use the bookmarks button than to just type 'slashdot.org'?
You only show that you probably have a pathetic 400-keys-per-minute typing speed.
--
You're using WINDOWS. yuck...
--
I really don't see the problem. Freenet isn't meant to be a replacement as "The MP3 Distributor". It's meant as a place you can enter your information, and it'll get cached all around the place, making distribution much more efficient. Furthermore, it's meant to be a place you CAN'T censor. I for one will be making a "Freenet website" as soon as updating documents and so forth is supported in an adequate manner. It won't bring me any cash, and it won't be good for commercial use, but it won't tax my connection very heavily either :-D
:)
:D
One problem with Freenet and the caching system is that you cannot create dynamic sites. Everything is static pages that you have to update manually. Another problem is the entire update thingie. Since everything is "pull-based", I would think that expiring an old document is almost impossible. That would be kind of ruinous for, say, a homepage that's updated every hour.
I don't know how, but I hope that the above-mentioned problem will be addressed by the creators of Freenet.
To sum it up: I think you should look elsewhere if you just want another warez & MP3 sharing tool. Freenet *can* be used for those purposes, but it's not efficient to do it with. You'll have to distribute the "keywords" for the song through some means if you want anyone to be able to FIND it, and then you're vulnerable to censorship again.
So, I don't see the problem.
--
Since when does supporting freedom of speech mean supporting what people say with it?
You don't need to support it. You don't necessarily SUPPORT it by hosting it; you're making their speech POSSIBLE.
If I see a skinhead standing on a street corner handing out NAZI propaganda, because I support his right to speak, I will not do anything to silence him. But I am not going to stand there alongside him handing out flyers as well and support his message .
It's not comparable. What's comparable is as follows. You own a "public plaza" where people walk. Would you let the Nazi stand there and hand out his propaganda? If not, would you let OTHERS stand there and hand out THEIR propaganda?
I would definitely let him hand out his propaganda on my plaza if I would let others do it. He should have the same right to distribute his information as others should have. I would on the other hand strongly oppose his stance, and I would even go so far as to print out my own brochures and stand alongside him handing out information that rebutted his.
--
The author of the article should read the changelog for the proftpd daemon, for Apache, and so forth. Debian has a tendency to backport security fixes instead of shipping the newest versions. I find that much better than always shipping the latest and greatest bugware. :)
--
Ah. On time. It's no use handing out hundreds of IPs for nothing. You don't need hundreds of different IPs just to do some hosting. You need one for each SSL host, and one for the rest. So, if every provider that needs IPs gets something like a /28 or a /27, that should be more than enough. And you don't need one IP for every workstation at your company either. Use NAT. Then you've got some sort of a "firewall" at the same time.
I can't understand why they've taken this long to implement this. No "small" company should need more than a /27 or a /28. Have a DMZ for the servers, and place the rest behind NAT.
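The layout the comment above sketches (a handful of public addresses, one per SSL host, servers in a DMZ, workstations behind NAT), written out as an iptables ruleset. This is an added example, not the commenter's own configuration: the interface names, the 203.0.113.0/28 documentation block and the RFC 1918 ranges are assumptions. It prints the rules instead of applying them, so it can be reviewed without root; the one thing worth noticing is that NAT by itself filters nothing, and it is the default-deny FORWARD policy plus the explicit DMZ-to-LAN drop that makes the box a firewall.

```shell
#!/bin/sh
# Added example: DMZ + NAT ruleset for a small site holding a /28.
# Assumed addressing (not from the original comment):
#   WAN eth0, public block 203.0.113.0/28, router itself on 203.0.113.1
#   DMZ eth1, 192.168.10.0/24; web server 192.168.10.10 published as 203.0.113.2
#   LAN eth2, 192.168.20.0/24; workstations source-NATed behind 203.0.113.1
set -eu

WAN_IF=eth0 WAN_IP=203.0.113.1
DMZ_IF=eth1 DMZ_NET=192.168.10.0/24
LAN_IF=eth2 LAN_NET=192.168.20.0/24
WEB_PUB=203.0.113.2 WEB_PRIV=192.168.10.10

# emit_rules prints the iptables commands rather than running them;
# "sh thisfile apply" pipes them through sh as root.
emit_rules() {
    cat <<EOF
# Flush and start from default-deny forwarding. NAT alone does not filter;
# this policy is what turns the router into a firewall.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Workstations: the whole LAN shares one public address (source NAT).
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT

# DMZ web server: one public IP per SSL host, forwarded in (destination NAT),
# and only the published ports are allowed through.
iptables -t nat -A PREROUTING -i $WAN_IF -d $WEB_PUB -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_PRIV
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_PRIV -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

# The LAN may reach the DMZ service; the DMZ may never initiate into the LAN,
# so a compromised server cannot pivot to the workstations.
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $WEB_PRIV -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
}

# Sanity check for the pivot rule: number of ACCEPT rules that let traffic
# originate from the DMZ towards the LAN. A correct ruleset yields 0.
dmz_to_lan_accepts() {
    emit_rules | grep -c -- "-i $DMZ_IF -o $LAN_IF -j ACCEPT" || true
}

if [ "${1:-}" = "apply" ]; then
    emit_rules | sh
else
    emit_rules
fi
```

Run it without arguments to review the generated rules; `sh script.sh apply` loads them (root required). The rules assume the kernel has `net.ipv4.ip_forward` enabled and the `state` and `multiport` match extensions available, which any mainstream distribution of the period and since provides.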
--
It's very b0rked, yes. I got the same error message.
--
I always read the articles first - don't you? :)
--
I get a filter error message when I try to access that page, and I'm not running any filter, so it seems their server has b0rked already.
:)
Hmf, slashdotting is too powerful.
--