Slashdot Mirror


User: Sancho

Sancho's activity in the archive.

Stories: 0
Comments: 5,182

Comments · 5,182

  1. Re:bogus remarks on A Look at BSD Rootkits · · Score: 2, Interesting

    If the exploit works, it works. Pure and simple. His papers are referenced by other security researchers (which is how I found out about them) who mention BIOS exploits. By your logic, all researchers are "just looking to get published" whether they advance their field or not. There's so much more to whether it works or not that your statement is absurd. There's difficulty, feasibility, detectability, reproducibility... at Black Hat last year, a presenter failed (multiple times) to demonstrate his exploit because it was extraordinarily difficult to pull off, and there's speculation that the Maynor wireless exploit wasn't demonstrated for the same reasons. In that latter case, a well respected security firm stood behind two researchers who showed remote, wireless exploitation of device drivers--look how well that turned out.

    Also, without trying to be pedantic, this is the first time you've referenced anyone besides the guy who wrote the papers, yet you claimed that security researchers consider it a real threat. A couple of people who consider it a real threat does not give weight to it. The debunking of "Blue Pill" (and a less well-known hypervisor exploit which was also demo'd at Black Hat in Las Vegas last year) demonstrates this. While they're fascinating technical demonstrations, the feasibility of a general-purpose exploit (that is, not targeting a specific platform, software version, etc) is low.

    Obviously, these items are more detectable than a persistent patched kernel, but not so detectable as to be obvious. Right. Because you first said, Some malware dynamically patches the kernel at runtime. So if you access settings on the hard disk or flash drive at all (and how could you not?) the malware can simply install itself after you boot. I inferred that you meant that simply having a hard disk in the machine was all that was required. In fact, you said as much: "Just" having the hard drive available will do nicely.

    I'm not trying to be rude, but if you formulate and express your opinions a little better, you'll probably get less argument from people. Of course if a home drive is mounted, and .bashrc/.profile/.xinitrc/whatever is autorun, then malware will be capable of reinstalling itself. That's a far cry from the sensationalist arguments presented--that simply having a hard drive installed in the machine is sufficient to allow recurring compromises.
  2. Re:bogus remarks on A Look at BSD Rootkits · · Score: 1
    Yes, your links to the papers support my point. One person is concerned with these exploits, and he has an agenda (getting published).

    Q: How are settings loaded under Unix systems?
    A: Executable Shell Scripts.

    "Just" having the hard drive available will do nicely. I don't understand. Can you give an example of how the data in your settings which is set by an executable shell script is going to compromise my machine unless there is a vulnerability in the shell script? Are you suggesting that during the LiveCD boot process, the LiveCD will run scripts which are located on the hard drive without user intervention?
  3. Re:bogus remarks on A Look at BSD Rootkits · · Score: 1

    If you were paying attention, I addressed that issue. If the computer stores settings anywhere (either a hard drive OR removable flash drive), then it is vulnerable. And let's be honest. How many users are going to create a new system layout and reburn it every time they want to change their system? Unless we're talking about an appliance device, not many. Ignoring, for the moment, your assertion that the BIOS could be compromised (though your link doesn't show that security researchers are concerned at all--just one researcher who was looking to be published), storing settings, which are data, isn't going to recompromise the system unless there is a vulnerability in the software which reads and uses that data. Just having the hard drive there isn't going to cut it.

    In the event of installed software, assuming the malware compromises these files, yes, that could do it. I wonder how many livecds have an easy way to install new software to a partition, how many people would use this functionality, and how many rootkits would look for binaries in these directories to compromise.
  4. Re:What is XBMC? on Linux Finally Getting XBMC · · Score: 1

    Ok, now I gotta ask: where is the content coming from (downloaded from Sony? home file server?) And can the PS3 upscale SD DVDs to 1080i/p? Is the interface decent?

    I've been pondering my media setup lately, and came to the conclusion that my XBox is no longer suitable for my media needs. I'd been toying with the idea of getting an XBox 360 and finding a good way to stream media to it (currently, I think that the only options are Win/Mac, neither of which I have.) I recently discovered other possibilities, however I'm still leaving my options open. The 360/PS3 would be nice in that the device would also play games, and be a portal to HD media, but both solutions are around twice the price of the standalone players I linked to.

  5. Re:But what drives do you use? on Does ZFS Obsolete Expensive NAS/SANs? · · Score: 1

    Had to be consumer level, since the drive cage he wrote about is $1300 by itself.

  6. Re:Can we please get out the next OS first! on Second-gen iPhone Confirmed? · · Score: 1

    It's definitely a preference thing. I have a PPC6700, and I simply can't stand the lack of tactile feedback when making calls. It wouldn't be a big deal if either the voice dialing capabilities or the address book were better. Making a call is a pain in the butt, and typing in my voice mail password (the number one time that I need to press the numbers, anyway) is horrible. 99% of the people I call are in my recent calls list, which is very easily accessible.

    That said, I knew going in that it was going to suck. I bought the device because I wanted mobile internet more than I wanted a phone. I knowingly bought a PDA+Internet that happens to be able to make voice calls. However if the iPhone works as advertised and is as easy as they claim, then it might be enough to convince me to switch, once a 3G version is available.

  7. Re:Hyperbole Ho! on "Jericho" Fans Send Over Nine Tons of Nuts to CBS · · Score: 1

    I don't think that Buffy was 'saved' by hardcore fans. WB gave it up, and UPN picked it up. I'm also not sure in what way it became a train-wreck. Viewership was reduced? Of course! UPN wasn't a widespread network at the time. Family Guy jokes aren't funny? Is that a symptom of being 'saved'? Or is it the writers simply being out of ideas?

    Shows are saved because the network realizes that there's enough of a fanbase to give it another shot. If it doesn't work out the second time, they're probably gone for good. But Family Guy, for example, seems to be working out, even if you don't find the jokes that great anymore.

  8. Re:So using this logic.... on Michigan Man Charged for Using Free WiFi · · Score: 1

    A 'yes' was not given. No answer was given. If the default state is 'not permitted' and you don't receive permission when you ask, then you obviously don't have permission.

  9. Re:So using this logic.... on Michigan Man Charged for Using Free WiFi · · Score: 1

    DHCP is a protocol where I ask for an address and routing information, and if I am allowed to have it, I get it. Your example has no such protocol.

    Trying to match things up with your analogy, what you described would be more like asking for a lease, not getting an answer, then trying out common IP ranges/routing tables until you find one that works.

  10. Re:Why is this needed at all? on Top 15 Free SQL Injection Scanners · · Score: 1

    The same thing (shooting yourself in the foot) could be said, nay, SCREAMED, about C. Absolutely. Did I say that C was a good learning language? The reason that I didn't mention C was because this is a thread about PHP, and because this is a story about SQL injection where one of the most common interfaces to the database is (wait for it)..... PHP.

    And if you'll note, I alluded to the fact that you could learn proper programming practices with any language, however that requires learning aids which mention them. In schools, this is sometimes the case. In books, it's much less so. Without the knowledge that these things can be insecure, it's hard to know what to do to secure them.
  11. Re:what exactly is an sql injection? on Top 15 Free SQL Injection Scanners · · Score: 1

    I don't know if you can turn it off--it's probably a per-database or -interface issue, however why they allow it is simple: complex queries and operations can require it.

  12. Re:Why is this needed at all? on Top 15 Free SQL Injection Scanners · · Score: 1

    There's a lot to be said for learning proper programming practices up front. A language which lets you shoot yourself in the foot that easily will likely cause the student to learn bad habits which will make later languages harder to learn, and which lends itself to creating security holes. I'd definitely not learn on PHP first, unless secure practices are a part of the criteria (not the case for most self-learners who read through a book.)

  13. Re:Wow, just wow on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1
    Innocent until proven guilty is a pretty reasonable standard, but it's not the legal standard here. Also, remember that the student gets to respond, as well as appeal these issues. The likelihood of several false complaints against one IP address is fairly low, anyway.

    (especially coming from dubious sources like the RIAA) Lots of people like to throw this sort of phrase around, insinuating that the RIAA is highly likely to make mistakes. Let me say that as someone who does deal with these complaints every day, they're usually pretty accurate. Other people have reported similarly.

    It's rare that guilt is denied. Usually the student pleads ignorance of the legal issues. Occasionally, they just say, "Ok, I'll stop." Once in a blue moon, someone says that they didn't do it, and usually they have an unprotected access point in their room. That doesn't make them guilty, but for the purposes of the letters, it's still their name, and they have to deal with the consequences.

    So yeah, when the RIAA makes this claim and we verify it with our logs, it's pretty much assumed that the filesharing came from that IP at that time, and we can even tie it to the room (which lets us verify that the lease logs are correct based upon the room's occupants).

    In the case of Stanford, I have heard that they perform similar investigations before accusing students. So it boils down to the fact that the student is either sharing the files or sharing their connection. In either case, that's a big no-no here, and probably at Stanford, too. At Stanford, they get to respond and say, "Hey, I was sharing my connection." If they continue sharing their connection after finding out what can happen...well, cold as it may sound, I think that they deserve what they get.

    conversely this Stanford policy suggests that the default assumption is that students are guilty as soon as they are accused by possibly dubious accusers. Except that they only get disconnected (at least the first time--the other times, it's not clear) if they fail to respond. Stanford wants them to respond so that Stanford can fulfill their legal obligation of responding to the RIAA. In the first case, they aren't getting turned off for getting a notice, they're getting turned off for not replying to it. Multiple letters? You have to start wondering.
  14. Re:College candidates - reprioritize your preferen on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1
    Please don't put words in my mouth, or twist things to suit your own agenda.

    If Stanford is legally required to comply with any wishes of the RIAA Not any wishes--specific legal requests spelled out under the DMCA. For example, the RIAA can't just ask for names that correspond to IP addresses. They must swear under the penalty of perjury that they found copyright infringement, and they must list several pieces of data to support it (the work that was infringed, the file name, the date, the time, the timezone, the IP address). Anything less is at least an invalid request, and possibly perjury or flat out illegal.

    why is it that other universities have REFUSED to comply. There are several reasons. For one, they may feel that the risk of a lawsuit is minimal. The RIAA is going after individuals because they can bully them, pure and simple. A university has the legal funds to fight them, and the clout to make a stink over it in the press, giving the music industry a bad name in the eyes of the general public (contrary to popular belief on here, the music industry isn't universally loathed by the general public at this point in time.) Another reason is that they might be a state school in a state which limits the lawsuits which may target the university (in Texas, I believe, anyone suing a state entity must receive permission from the legislature, and awards are highly restricted--both of these combined makes it unlikely that significant damages would be recovered, even if the RIAA won the case.)

    None of this relieves the university of the legal responsibility to respond to the complaints--it simply mitigates damage and/or likelihood of an actual suit being brought to court. The university can weigh all of this in their decision. They may also weigh bad press for "supporting copyright infringement", apparent disregard for laws, promoting disregard for laws, being a good citizen, politics (state schools generally have to abide by the state leaders, and business-friendly states might put a lot of pressure on the school to comply), etc.

    So no, it's not really BS. It's a legal obligation that some universities ignore.
  15. Re:Wow, just wow on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    Breach of contract? I'm not really sure about that. Although tuition money pays for networking services in most universities, that doesn't imply any sort of service level agreement. Most university rules include clauses where disruptive network activity is grounds for disconnection, and no one bats an eye at this. Stanford is saying that excessive DMCA notices is grounds for disconnection. If there wasn't enough evidence to support the claim (firewall logs, etc) then I'd say they shouldn't disable the access, however if there are firewall logs to support the claim, and dhcp/802.1x logs showing that the IP was leased to this student, then yeah, it would fall under the rules.

  16. Re:File a complaint if they demand ID! on Driver's License to be the Next Debit Card · · Score: 1

    Two questions:

    1) If the merchant requires an ID for every transaction, can they still ask for ID when using the Visa?
    2) Can the merchant exercise their right to eject someone from the store and ban them for refusing to show ID when using Visa?

    As far as I can see, they can't refuse to complete the current transaction, but I can't find anything in the merchant agreement which would prevent them from refusing further business.

  17. Re:FF are not sequels on Does Zelda Need an Overhaul? · · Score: 1

    Not exactly a sequel, but not exactly a standalone game relying on the trademark.

    The first 3 Final Fantasy games had incredibly similar feels (at least, the NES/Famicom versions did). They each had slight changes to the character sheet development, but the gameplay, quests, etc. were all very similar.

    The next 3 games also had similar feels. They definitely drew on the first three, but they added a great deal of story and characterization, and of course, enhanced graphics (being on the next generation of consoles).

    From that point on, Final Fantasy games have largely been linked through the storytelling (plus minor details such as types of magic and the names of spells, items, etc.) Though IX has always stood out as kind of a black sheep, in my opinion, the games improved on the graphics, character design, etc. and varied in minor details, but each game's epic story made it paradoxically stand out while proving that it was a FF.

  18. Re:Wow on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1
    These kinds of posts get pretty tiresome.

    So Stanford is now making money off the DMCA takedown notices and the RIAA/MPAA lawsuits. That's pretty unlikely. The PDF says that they hired 3 full time staff to deal with the complaints. That's going to cost quite a lot of money.

    Plus, those fees are crazy. Deterrents are meant to be. But honestly, $100 isn't that absurd, and consider also that the fine is assessed IFF you fail to respond within 48 hours. Plus, there's an appeals process. My guess is that most people won't actually ever have to pay the higher tiers. They'll get the first notice, respond, stop their copyright infringement (being scared that they'll have to pay even more), and any further notices (unlikely, since they've stopped sharing) will be bogus and appealed.

    Besides having the college students pay $1,000's of dollars in legal fees, For what? File sharing? The university doesn't make them do that.

    now the school is trying to take money from them. Gee, you mean the school is trying to deter behavior that costs Stanford money?

    Again, there's no way that Stanford will be coming out ahead from these fines. They're still taking a hit because they had to hire the extra staff. Even assuming $40k per employee (pretty low, all things considered), that's $120k that they're shelling out to deal with these crappy complaints. To just make up that cost, they'd have to have 1000 fines assessed at the first level (most people probably won't ever hit that second level), and that means that 1000 students had to be accused (not unreasonable) and not respond within 48 hours (pretty unlikely) and not appeal (really unlikely). Appeals will cost even more man-hours, which translates into even more money.

    Yeah. They're trying to screw you. That's it. /sarcasm
  19. Re:Wow, just wow on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    The clause you refer to is about removing content, not service. For example, if the MPAA sends a takedown notice to Youtube, Youtube must remove the file. If the uploader files a counter-notice, Youtube must restore the file. This is different from choosing to refuse service to that person in the future, which is something most companies can legally do. Whether the university could do it would depend upon the local laws.

    Regardless, at least for the first notice, the student has 48 hours to respond, and the fee is assessed if they fail to. There is also an appeals process, so it seems to me like the appeals process would include filing the counter-notice.

  20. Re:Suggestion to Stanford students: on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    The solution to "spending so much staff time responding to copyright violations" should be really fucking obvious: Don't spend so much staff time responding to copyright violations! Make the students sign something when they get their network access that makes the student -- not Stanford -- responsible for the copyright violation. Then make the RIAA take it to court.

    (Does this work, legally? For all I know, the DMCA might have some sort of fine about not responding to copyright violation notices...) Glad you asked!

    What's important is that Stanford--not the students--owns that address space. That means that ultimately, Stanford--not the students--are responsible for the data that comes out of there. That sucked really hard, until the DMCA came along and offered safe-harbor to ISPs, as long as ISPs continue to play by the rules. One of those rules is to have the offending content removed, and to give up the name of the person who had control over that IP address at that time. If Stanford fails to do this, they become liable for the infringements. Before the DMCA, they would have been liable, regardless, and it would have been up to them to recoup their costs from the actual infringer, through whatever legal means available to them (holding diplomas, going to court, etc).
  21. Re:College candidates - reprioritize your preferen on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    Would..should..could...
    The unfortunate truth is that Stanford is legally required to deal with these complaints. In the case of Stanford, that meant adding 3 full time positions. I'd wager that it probably cost more than $100,000 per year ($33k per position is seriously low-balling when you consider benefits that have to be paid out to full-timers). So what do you do? Pass that on to the entire student body, even though a good percentage of them probably isn't pirating? Or do you pass it on to the accused who, while they aren't definitely pirating, are definitely pretty likely to be. Other people have posted that the accuracy of these complaints tends to be very high, so the likelihood of mis-fining someone is probably pretty low, and I'd imagine that you could make appeals in such cases.

    The truth is, most people will probably roll over and pay the fine, just like they roll over and pay the RIAA, and for mostly the same reasons: they know that they did it and got caught.

  22. Re:Accessing class materials. on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    Unlikely. Every college campus I've ever been on has had computer labs open to students. If you get cut off, you can go there to do your work.

  23. Re:Economics here... on Stanford To Charge Reconnect Fee For DMCA Notices · · Score: 1

    Basic economics now comes into play. When there is demand, and no supply, a free-market will adjust to create the supply, and meet demand. Unfortunately, the RIAA and the MPAA have failed so miserably at meeting demand that the supply has been created ad hoc by hobbyists, hackers, and media pirates, despite the legal challenges and persecution. Yes. That demand for free music is pretty tough to meet for a company that's trying to make money.

    However, instead of acknowledging the market forces at work, and responding accordingly, the RIAA and MPAA's response has actually inflamed the issue by crippling their status quo distribution network with aggravating DRM. People wanted digital downloads, and they received digital downloads with DRM. For a WHOLE lot of people, that was fine. Another segment of the population started demanding DRM-free digital downloads. Guess what? That's starting to happen now, too.

    Inertia's a bitch. You can't expect a company to change overnight. They don't like to take risks. It's too risky. :)

    As a free-market economy we should reject increased government regulations and market controls, which act to stifle innovation and the creation of new market opportunities. Possibly..possibly.. What innovation is being stifled by copyright? Do you actually think that the arts and sciences would be more promoted if artists didn't have a monopoly on their work?
  24. Re:Mac Owners (not) Running Windows on Microsoft To Dump 32-Bit After Vista · · Score: 2, Interesting

    The hardware VT bit is a bit misleading. Some instructions are slower under Intel's VT instruction set than under software emulation or native virtualization. However some instructions are faster. A virtualization company who tests these things will be able to utilize some of the hardware VT to gain an edge.

    Regardless, VMWare uses native virtualization in all of its products, meaning it still needs to be run on the same type of CPU. It runs the instructions directly on the CPU, so the switch to Intel was still important. Virtual PC for the Mac uses emulation, which is much slower.

    Of course, being able to boot Windows is certainly a factor, too. Before Boot Camp, though, it was probably beyond the capabilities of most people.

  25. Re:Mac Owners (not) Running Windows on Microsoft To Dump 32-Bit After Vista · · Score: 2, Insightful

    I don't know. Some people attribute the raging success of Apple's computer line in the past couple of years to the switch, because virtualization is now much better. Certainly most of the geeks I know that run Apple only switched because they could use virtualization to run those apps that they could not live without, as well as for testing in other OSs.