I wonder if running your own (password-protected) vncserver will be any protection against this.
Negative. One of the r-parameters you throw back (depending on whether you do a direct inject or a reverse tunnel inject) is what port the daemon is listening on. Keep in mind, you're not adding a VNC service or using an existing one, you're injecting the code into running memory. It will run even if there's another one hanging out on the system. Hell, it even bypasses the GINA.
One of the things we haven't done over here is test it while another remote user is actively VNC-ing the box. That would be interesting.
Also, keep in mind that VNC injection is only one of many payloads, and in my opinion, not nearly the most useful (but definitely the most fun).
Maybe I'm going out on a limb here, but I'm guessing movie studio executives don't get together around the boardroom table and have conversations like, "gentlemen, our fare has been too highly reviewed of late. It's time to make a real stinker. One for the record books. Instant flop."
Honestly, I was confused myself. I was hoping for the standard quick "+5 Funny" hit and then the slow, steady drag of "-1 Overrated" grinding. Go figure.
Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.
$4000 is an awful lot of money for a Common Body of Knowledge -- especially since its all available from the Internet.
I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.
1. Splurge $50-$100 on a second-hand 16xx/26xx router on Ebay.
2. Learn IOS. No, seriously. Read the docs.
3. Download Ethereal and learn how to decode a packet.
4. Congratulations. You're now a good four steps ahead of the last dozen "network engineers" I've had the privelege of meeting. Ask for no less than $40k.
lol. Thanks to Cypress Hill, I can never listen too that song in public. The urge to bust out into "Hand on the Pump" is just to strong. And I don't even own a shotgun.
Whatever happened to my decentralized net with no single point of failure?
Its still there, and you're using it. The only organizations affected by this are those who chose to use a service that acts as a single point of failure.
I don't. I wouldn't want to play football for a living, despite finding it very enjoyable. I wouldn't want to tote a rifle around for a living, despite finding it enjoyable and being quite good at it.
My point is that once something becomes work, at least for me, it ceases being fun. Hell, I break into Fortune 500 networks for a living, and even that has lost its charm.
"It's work, not fun," says Mr. Lim, who trains 10 hours a day with his eight teammates and their coach in a two-bedroom apartment, where they also live, in southern Seoul.
While I acknowledge the possibility of that being the case, I don't think its happening here. Still, I suppose the analogy holds. Good point.
Slashdot Mirror
I wonder if running your own (password-protected) vncserver will be any protection against this.
Negative. One of the r-parameters you throw back (depending on whether you do a direct inject or a reverse tunnel inject) is what port the daemon is listening on. Keep in mind, you're not adding a VNC service or using an existing one, you're injecting the code into running memory. It will run even if there's another one hanging out on the system. Hell, it even bypasses the GINA.
One of the things we haven't done over here is test it while another remote user is actively VNC-ing the box. That would be interesting.
Also, keep in mind that VNC injection is only one of many payloads, and in my opinion, not nearly the most useful (but definitely the most fun).
Dude, this is slashdot, do you think . . .
Hell, it's too easy. I'm just not going to touch it. Never mind.
Heh, forgot all about that. I wonder what percentage of Slashdot reads with sigs turned off.
Genre: see sig.
And for those who would like the actual URL . . .
4 75
http://bugzilla.mozilla.org/show_bug.cgi?id=167
Forgive me. I'm an idiot when I'm flamebait.
Ummmm . . .
The vulnerability was first reported in September of 2002.
Sorry. RTFA and all that.
I'm guessing that you are not necessarilly the audience that those movies are aimed at, 6573.
Maybe I'm going out on a limb here, but I'm guessing movie studio executives don't get together around the boardroom table and have conversations like, "gentlemen, our fare has been too highly reviewed of late. It's time to make a real stinker. One for the record books. Instant flop."
Sometimes they swing and miss.
Broadcast as hard as you can, but I doubt you'll be insinuating you signal into their CD-player's wiring. Good luck.
Honestly, I was confused myself. I was hoping for the standard quick "+5 Funny" hit and then the slow, steady drag of "-1 Overrated" grinding. Go figure.
Last year. I watched almost the whole thing from the bar. Fyodor's quite entertaining after a dozen Vodka Gimlets or so.
As for the cost, its called, "buy Blackhats and the Defcon's free." Sixty was a round number. I'll be more specific in the future. *grin*
[/cynical]
Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.
$4000 is an awful lot of money for a Common Body of Knowledge -- especially since its all available from the Internet.
I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.
And I think I speak for all the CISSPs in the room when I say . . .
hahahahahaha!
Thanks, I'll take self-study and put the four grand down on an M3. Sellout? You betcha. *grin*
1. Splurge $50-$100 on a second-hand 16xx/26xx router on Ebay.
2. Learn IOS. No, seriously. Read the docs.
3. Download Ethereal and learn how to decode a packet.
4. Congratulations. You're now a good four steps ahead of the last dozen "network engineers" I've had the privelege of meeting. Ask for no less than $40k.
2. Nitpick: the term 'DD' generally denotes a Destroyer, not a Frigate ('FF').
Your plan, lacking '????', is fundamentally flawed. *grin*
lol. Thanks to Cypress Hill, I can never listen too that song in public. The urge to bust out into "Hand on the Pump" is just to strong. And I don't even own a shotgun.
Its still there, and you're using it. The only organizations affected by this are those who chose to use a service that acts as a single point of failure.
Heheheh.
"Would you like a Zerg Rush with that?"
I don't. I wouldn't want to play football for a living, despite finding it very enjoyable. I wouldn't want to tote a rifle around for a living, despite finding it enjoyable and being quite good at it.
My point is that once something becomes work, at least for me, it ceases being fun. Hell, I break into Fortune 500 networks for a living, and even that has lost its charm.
While I acknowledge the possibility of that being the case, I don't think its happening here. Still, I suppose the analogy holds. Good point.
Alternately, I could make a good salary working 8-5 in an intellectually challenging field and save the gaming for its true purpose: a hobby.
I don't want to imagine a world where videogames cease being fun because I need to keep winning to put food in my belly.
Just a thought.
Now I get it. Thanks.
And a golf ball of hafnium can do one ton?
read: ten.
Ignore me.
isnt's that a little weak?
Hiroshima had an estimated yied of 12-16kt, something that can be done these days with 24kg of plutonium (if google serves, anyway).
And a golf ball of hafnium can do one ton?
Seems a little less scary, in a nuclear sense.
M