A couple of years ago, when our server room was being 'certified', one of the specific checks was "No, big red button, check". One of the guys in the group came up with a story about how someone's kid at the end of a 'tour' thought that the 'big red button' was meant to be pushed.
Get the source code! You might have called it outsourcing, but what you really did was pay someone to have a code empire in your domain. Even if they do finally deliver the finished product, you're stuck with them for further development.
I think that Email Interception is the real hole here, rather than depending on insecure websites.
If you can see at which sites a person does secure transactions, you can use the 'email password' functionality to send that user an unencrypted email containing the password or reset link.
That email would be easily read by a packet sniffer. Of course the victim would have to have their email client get the email, but email is the first thing that most people check. Sure the victim would get the password reset email, but most would believe that it is just a glitch.
Consider the (admittedly unlikely) scenario of a massive backlash by vegetarians against the meat-eaters... Would you like it to be known to the vege-cops that you have been to a suspected slaughter-house?
You'll have to pull the steak from my cold dead fingers!
All kidding aside, it's a silly ruling; the cops have no right to tamper with a guy's car without a warrant of some kind. Without specific warrants cops don't have much in the way of 'special powers'. Without a warrant you can't just search someone's car when it is sitting in their driveway. Should a Private Investigator be able to bug someone's car as well? It'd make catching cheaters a lot easier. It's likely that this ruling will get thrown out on appeal, and I doubt the Supreme Court would even bother considering reinstating the original Judge's ruling, but I guess that we'll see in a couple of years.
Poorly formatted, no logical grouping, lists every software package he has ever touched (I'm surprised he didn't list Dell, Gateway, etc.), and completely lacks any kind of focus. I don't know how old this is (looks to be from 2001) but folks, this should be an example of 'how not to do an entry level resume'. Also just for the record, if you kids do want to get into security, learn Snort.
Copied below for 'posterity'. Note that he lists "social engineering" as a technique.
Nicholas Jacobsen
1911 NE Thompson
Portland, OR
Massage: (503) 287-4812
Email: ethics@netzero.net
Employment
* Long Term Goal: Network Manager position in the Computer Security Field
* Immediate Goal: Network Administrator in the IT field.
* Computer Security Institute's NetSec '01 New Orleans, LA June 2001
Intern: Technical Services, Computer Setup/Configuration, Attendee Registration, and Customer Service
* 27th Annual Computer Security Conference Chicago, IL November 2000
Intern: Technical Services, Attendee Registration, and Customer Service
* Ethics Design Winston, OR 1997-Present
Consulting in computer system setup, design, security, and software.
* Mustard Seed Educational Services Roseburg, OR 1989-1998
Website design, achievement test scoring, cashiering, curriculum recommendation, computer inventory and sales, program maintenance, exhibit hall setup/tear-down, assisting with publishing 32 page catalog.
Education
* Goal: BS in Computer Science via part-time studies and CISSP Certification
* Professional Education:
* NetSec '01, Attended:
* How to Develop a Winning Security Architecture - David Lynas
* Windows 2000 Security - Joel Scrambray
* Virus Writers and Legislation - Sarah Gordon
* Creating a Comprehensive Intrusion Detection System - Charles Hudson, Jr.
* Phreakers to Frauds: Telecom Crime Investigation and Prevention - Andrea Morin
* Building Secure Software - Gary McGraw
* Preparing for ISO 17799 - Tom Peltier
* Viruses, Hoaxes, Trojans, Worms, Where Will it End? - Bob Cartwright
* Practical Forensics - Peter Garza
* Hacking UNIX - Bob Geiger
* 27th Annual Computer Security Conference, Attended:
* Intrusion Techniques & Countermeasures - Rik Farrow
* Implementing a Computer Incident Response Team - Peter Stephenson
* 10 Other Security Classes
* Formal Education:
* Associates of Science Degree, Umpqua Community College, June 2001
* High School Diploma, Umpqua Community College Adult HS Diploma Program, March 2001
High school curriculum consisted of college preparation in math, reading, writing, humanities, music, social sciences, science, Hebrew, Latin, Greek, the study of the Great Books, and 2nd year college level computer course work in web page design, data communications, visual basic, C++, and networking. Approximately 50% of high school coursework has been at the College Credit (CC) level.
Familiarity with...
* Operating Systems: Windows 3.x, 95, 98, NT, 2000; Novell NOS; Unix variants, OS/2, DOS, VMS OS
* Languages: Perl, Basic, Visual Basic, C/C++, Java, JavaScript, DHTML, HTML, CGI implementation, ActiveX Implementation
* Applications: Microsoft Visual Studio, Microsoft Office Suite, Paint Shop Pro, Corel Suite, Maya 2.5, FrontPage, Dreamweaver, Ultraweaver, Homesite, TopStyle, Adobe (various), AutoCAD, AutoDesk Inventor, Filemaker Pro, Borland Programming Suite, Flash, Poser, Internet Space Builder, Retina, Nscan, Nmap, Visual Route, PGP, SATAN, SANTA, SAINT, L0phtcrack, Crack/John the Ripper/Derivatives, Iris, Notepad, Ultra Edit, SoftIce, among others.
* Techniques: Firewall Configuration, Network/Server Security Analysis, HTTP/FTP/Telnet/IRC Server Configuration, LAN administration, Social Engineering, Intrusion Detection/Analysis, and Cryptography.
Under California's anti-identity theft law "SB1386,"...
Trouble with that is, I don't live in California; if it were a federal law, then that would apply. However, I do think that most courts would say that to protect an ongoing investigation, it might be permissible for a short time. Of course it looks like the Feds held this for more than 6 months! Also, the initial breach was due to T-Mobile's lack of security.
Personally I don't think that companies will start taking their security seriously until big judgements are passed in class action lawsuits. When the bean counters find that the cost of truly secure systems is less than the cost of a lawsuit, then these companies (like T-Mobile) will start taking security seriously. Any class action lawyers out there should take note; I believe Juries will hand out big bucks from companies who are careless with their personal information.
T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.
Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?
BTW, the Black Hat's email address (and online identity) is ethics@netzero.net, and at one point he was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!
Was that supposed to be funny, or are you really that stupid?
You my good AC 'sir', are a thin skinned ass.
Uh, the entire appendix should be labeled 'historical' and clearly hasn't been updated in at least 5 years. I applaud the author for making this tome available, but it'd probably be better as a good seed for a wiki.
I'd hate to look a gift horse in the mouth, but my first look at a page was this graphic of the parts of a PC which is (obviously) out of date. It doesn't even include an optical drive, or a mouse for that matter.
Crackers are what Polly wants. If we ever want to 'take back' the word "hackers" we need to stop using a word which looks and sounds so much like it. Instead call a person who uses technology for nefarious purposes a 'Black Hat' (or 'black hats' for plural).
As the start of the relationship between Hitler's Germany and IBM is now more than 70 years ago, it'd be safe to say that those who were responsible for turning a blind eye are now long dead and most likely burning in a special level of hell (well, one can hope). However I agree that this story does need to be told, but more as a warning of the misuse of technology and the drive of greed than one of the current moral state of the IBM leadership.
Personally, I applaud IBM's management for leveraging open source technology.
I'd make a good Republican, I'm fat, white, and intolerant of others. All I need now is a few hundred $million.
The 'few hundred $million' would make you 'elite', what W calls his 'base' in the Republican party. There are only two 'qualifications' to be a 'regular Republican'.
A willingness to vote on a single issue, such as gun rights, or abortion criminalization.
Or a willingness to hand all advantages to the moneyed elite, in the vain hope that you will be able to benefit from it when 'I become rich'.
Doctors should feel lucky: a bus driver who kills his passengers because he is too tired to drive gets charged with homicide and thrown in JAIL. Doctors who have been up for 24 hours and prescribe medicine which kills a person run the risk of getting sued. Damn, that's quite a racket.
"So now with robotic surgery, both the doctor and the robot can be liable for damages. Next thing you know, telecoms will be liable for medical malpractice if the network connections fail during remote robotic surgery."
When you build a product, there is (at least) an implied warranty that it is fit for a specific use. A surgical robot *should* be able to conduct an operation. We aren't talking an apples and oranges thing here. I think the author is trying to place a back end comment about tort reform. Now tell me again why we need tort reform...
Oh, yeah, Malpractice is up 25% in 10 years (but medical costs have risen much higher...).
All that's left is good-looking, young hosts who don't know jack about what they are talking about.
Sounds like a typical layoff cycle. First you get rid of all the people who quietly get their work done but don't kiss the ass of the right people, then the rest of the good workers start seeing a sinking ship and bolt. After that all you've got left are the kiss-ass blame-layers, who make it their job to drive off anyone good left. Nothing new here...
Question for Ofoto: Your system won't let me edit photos with my Firefox browser. It incorrectly finds that I am using Netscape 1.0 (which I am not).
I replied back saying:
Thank you very kindly for the form letter. My question wasn't about IE, it was about Firefox. It has Flash installed, but the site will not load the flash tools because the script is poorly written, and it insists that flash is not loaded on my browser. At no point does your website say that it is only written for IE. What's odd is that I wasn't having any problems with your site until I tried to correct a red-eye problem. My guess is that if y'all changed the script to allow for a non-IE user-agent, Firefox would work correctly and your site would be accessible to those that cannot (due to using Linux as an OS), or will not (due to IE's consistent security problems), use Microsoft's Internet Exploder.
Thank you in advance for the pointless form letter you are about to send.
My brother uses Ofoto to distribute photos of my niece, so I decided to sign up and upload pics of my son. When I tried to use their online tools to correct red-eye, they were telling me that flash wasn't installed in my Firefox browser. I sent a question to the help desk. This is the reply that I got today...
(please note the "ensure security" part)
Hello Eric,
Thank you for contacting the Ofoto Customer Service Team.
If you are experiencing difficulty uploading, viewing, purchasing, or editing on Ofoto's web site, we'd suggest updating to the latest version of Internet Explorer.
Updating to the latest version of Internet Explorer will ensure security while viewing or purchasing online.
To download the latest version of Internet Explorer, follow the appropriate link:
I am fairly convinced that the problem which most people have with cell phone users is that they cannot hear both sides of the conversation, hence my comment. Personally, I don't care about people carrying on conversations in restaurants, but I know that many people do, including some that own them.
Many have started to use 'cell phone jammers', which are illegal in the U.S., and I believe that it's a good law, but I do respect people's wish to create 'quiet zones' on their private property. The previously mentioned paint additive can allow this, and does so without infringing on the rights of people who happen to be nearby. I didn't say this before, but I believe that this will be the most common usage of this technology.
As this "security improvement" only affects computers in specially prepared rooms...more tempest-proof than a metal painted room
No, the special rooms mentioned in the article are the Faraday cage, with which they compare the effect. This is what happens when you skim an article, just looking for something to bitch about. The article clearly states that this paint is intended for entire buildings, for example (from the article):
DefendAir would be an attractive option to protect an RFID-enabled warehouse, he says.
Also
More important, it blocks mobile-phone signals.
Can you imagine the benefit of using it in the outside paint for a movie theater or restaurant? You wouldn't even have to use jammers (which would bleed into the street and are illegal anyway) to achieve freedom from hearing only one side of someone's conversation.
All kidding aside, I can't imagine the utter frustration of your less technically inclined neighbors, who are finding their own channels blocked.
Feeding the conspiracy theorists is so much fun!
When cars fly.
The real question is "I am a Comcast Digital Cable customer (with more channels than I can count), so why don't I have this channel?".
I can really relate; I've had roommates eat my food before. Grazing for food was practically a sport in some of the houses in which I have lived.
Go ahead, give it a try; it can't be any worse than colloidal silver treatments.