We were surprised to see that the comments at the top of the game proudly proclaimed the authors: Bill Gates and Neil Konzen. Neil was a bright teenage hacker who I knew from his work on the Apple II (who would later become Microsoft's technical lead on the Mac project) but we were amazed that such a thoroughly bad game could be co-authored by Microsoft's co-founder, and that he would actually want to take credit for it in the comments.
And it ends there. Too funny if you ask me.
As for the Python portion of the site, could be a form of python based nuke system. Wouldn't be that hard to make, although running mod_python on certain machines would act strange if the admin didn't set it up properly. IMHO python is a lot easier than PERL, but we know what they say about opinions...
Not to be a cocky bastard but stigmatic is like my 50th account of which my first had about a 10-15k UID and I'm too lazy to retrace older accounts for the sake of trolling around a damn UID or the moderation bullshit so spare me the martyrism.
Weird and different? This place has become first posting trollisms with the same redundant stories:
Linux kernel released
Microsoft does someshit
Linux kernel released
Microsoft does some other shit
Linus takes a shit
Oh wait I do appreciate the stuff posted, however according to the motto "News for nerds, stuff that matters", it seems 2001 may need a replacement. How about News for nerds who only use Linux or Microsoft and want to see other asinine shit in the middle of it all?
stigmatic / deran9ed / sil / xp0rnstar ++ a shitload of others I choose not to trace.
I wouldn't say it's a server concern I would use it as a wake up call to those who don't know much about security.
It wouldn't matter much even if you didn't have anything worthwhile on the machine should it be compromised however it can be leveraged as a gateway to attack other machines which can leave you in a bind if you were unaware that your machine is being used as an attack station.
annoyance psychologically with the rest of the world... ?
Personally I think if you're involved somehow on the net you should take any kind of precaution regarding security regardless if you're running any services, using credit cards, etc., the more you know the easier it'd be to avoid having someone do anything to your machine in a case of not knowing or not giving a shit.
It's nice to see this information for educational purposes at this point since it's outdated. What would be nice however is if they released some new information on their projects.
Therein lies your arrogance I didn't know that an open minded constructed critique would render me as arrogant. How American of me.
I didn't assume anything I pointed out what I see as a slight pitfall in SourceForge's architecture, the inconsistencies of capitalizing on great ideas often to be sneered by those who do not fully understand how good of an alternative OpenSource is as compared to pre-packaged, overhyped products. Many of these open source ideas which end up on the chopping block never to be removed from sites like SourceForge provide fuel to the fire of commercial entities who claim that openSource cannot rival a product of theirs which is why people should dish out money for x package.
Sure they're not obligated to do anything and no one should expect them to, however where does the line get drawn in an effort to make sure expectancies aren't raised to "The Next Best Thing..." only to be hindered by once again, a half assed developed venture?
First off the comment about them changing their name was done out of humor. SourceForge is a great site but at the same time they should try and architect a standards for the amount of time to implement a product say one year before wiping it, and or some sort of mechanism to interact with developers to see if they plan on following up on their products, else again I state, they're saturating the market with overhyped dreams.
Think of those who create certain projects that rival commercial ventures, e.g.:
Linux:: Windows
OpenSourceFirewall.com:: Commercial Firewalls
Snort:: Network Flight Recorder
and so on, these people had ideas and followed up on them with passion and determination and overall they kept up their projects.
So why would you think I bashed SourceForge when I merely made a comment for developers to get off their asses and follow through on their projects instead of dishing out dreams and hopes only to leave them hanging to dry because they don't have enough time. Why bother putting them out there if they don't intend on wholeheartedly fulfilling them.
Why shouldn't I have said that when it's true, there are plenty of programs I could sift through and point out that are only taking up space and will never be followed up on. Maybe you misread the intent so I'll leverage it:
While SourceForge provides a hell of a lot of nice ideas and schematics for some great tools, it's sad to see some efforts aren't followed through on a lot of those great ideas.
Vapourware!*@ I hear SourceForge is changing its domain name to VapourwareSource.com soon.
While SourceForge provides a hell of a lot of nice ideas and schematics for some great tools, it's sad to see efforts aren't followed through on a lot of those great ideas.
How long will it take before ideas run dry especially when some of these products are thought up then hung out to dry never to be followed through? Maybe some of these developers should get together with others and focus on a strong product before just spitting an idea out, getting hopes raveled in the process only to drop it after a few months.
Corporations love this notion that the OpenSource industry can't get their act together and this is a major pitfall on the Unix side of the industry in hopes of creating the `Euphoric' notion of OpenSource being a better alternative than commercial ventures.
It can be viewed as a laugh to have such strong technological advances in the OpenSource field go up against the big guns only to have them fall on their asses because there were never any standardizations or follow-ups to keep the pressure on and prove that any new OpenSource project won't become vapourware in a few weeks/months/days.
It's funny how the government is now looking into possibly not using Microsoft products based on this incident. Last I checked at Attrition they couldn't even lock down their Unix stations either.
Maybe Mickeysoft should just open their source code to the industry everyone knows their op sys can only get better this way and maybe their programmers could stop focusing on all the patches they have to create stemming from posts @ SecurityFocus
Does this mean that since Glock sells to foreigners some of whom may be terrorists they should stop using them for possible leaks of information to customers, or perhaps because they'll be a fair leverage?
A static "Media Unique Key" in a separate, hidden area of the drive, identifies the individual drive. Making use of broadcast encryption and one way key algorithms, would-be hackers face a daunting number of keys to break.
Someone surely will break it sometime, but you have to stop and wonder when they state things like, "hidden area of the drive". Are they going to allow an individual group to validate the ethics of this. Some such as EPIC?
"It requires both drives to be compliant when data is to move from one disk to another," says Lotspiech. "And a compliant application to get all that data to the new drive".
So a hard drive containing small individual containing non-copyable files of say, Gartner reports, will essentially be unrestorable using existing backup programs.
How will this affect legacy systems and businesses who may not have the money to fully convert their systems should they want this technology.
Sounds like this has a long way to go and I'm sure many companies will oppose this.
Personally if I were in your situation I would go over to a couple of job sites and search for companies willing to sponsor H1 visas. Pages such as Hotjobs, Dice, Monster, all have options for foreigners to break into corporations via sponsorships.
Speedygrl has a comprehensive listing of job search engines and companies.
I've never dealt with looking for positions in other countries but soon I will be asking the same question when I get close to moving to Sweden, so I'm curious to these answers as well.
Personally I hope groups like EFF, ACLU, or others take actions to remove the added amendments in that bill. George W. Bush is moronic enough to sign the dotted line and push for this. Shady politics aren't new news and it's funny no one has mentioned how odd it is that a bill which is supposed to supply law enforcement officers with medals had totally different clauses embedded in them.
I mentioned this article yesterday and it's a shame it wasn't posted, I also referenced it on a post below and it wasn't acknowledged. *shrugs*
For those who don't know this bill is pretty much falling through unless someone steps in and notices the 'fuzzy math' behind it.
Just think, this bill pops up when the President is on the way out and an idiot on the way in. It's the perfect situation for those in power to pull off a move that would give them the authority to take away privileged liberties such as encryption. So for those in the computer security industry maybe it's time to start pgp'ing everything and storing them elsewhere. Heaven knows if the bill passes you're looking at an extra stretch of time trying to keep your information private.
So now when will /. post some encryption news like H.R.46 that congress is trying to sneak in or something other than most of this commercialistic stuff swelling my eyeballs to oblivion
I think it's a nice idea but can see some downfalls in the ways of PUPILS being used as any kind of identification which should also be noted for those interested in Biometric security as well.
What will happen when say a person slightly blind using their products, has his pupils deteriorate are there any thoughts on the sensors and their reactions to this?
As for their emotion mouse I doubt it will give an accurate view of someone's psychological profile as there are heavy handed people, light handed people, etc. Will they have a certain buffer for values such as this or will they market it as a stand alone solution for determining this which is 'f(oo)ullproof'. What about persons with an abnormal perspiration problem will it flag them as a nervous wreck and more importantly will it clean itself after they've used that mouse (hey, I'm not sharing my mouse with a sweaty mo' fo now)
Seriously though many factors will make some of these things hard and though some may seem like a great idea I think many are jumping the gun into some sort of a Star Trekkie based environment filled with overhyped products.
Under some circumstances, an intruder who is able to observe an
SSL-encrypted session, and subsequently interrogate the server
involved in the session, may be able to recover the session key used in
that session, and then recover the encrypted data from that session.
The vulnerability can only be exploited if the intruder is able to
make repeated session-establishment attempts to the same vulnerable web
server which was involved in the original session. In addition, the
server must return error messages that distinguish between several modes
of failure. Although the number of session-establishment requests is
large, it is significantly more efficient than a brute-force attack
against the session key. Note that, although web servers comprise the
majority of vulnerable servers, other PKCS#1-enabled servers may be
vulnerable.
Note that the server's public and private key are not at risk from
this vulnerability, and that an intruder is only able to recover data from
a single session per attack. Compromising a single session does not give
an intruder any additional ability to compromise subsequent sessions.
Further, as mentioned above, this vulnerability does not affect all
PKCS#1-enabled products.
Last but not least there is ssldump, an SSLv3/TLS network protocol
analyzer which identifies TCP connections on the chosen network interface
and attempts to interpret them as SSLv3/TLS traffic. When it identifies
SSLv3/TLS traffic, it decodes the records and displays them in a textual
form to stdout. If provided with the appropriate keying material, it will
also decrypt the connections and display the application data
traffic.
Someone said they'd never heard of issues with SSL made me want to get
the info on this so apologies for making a redundant post if it seems this
way. This does not include issues with Mozilla, Netscape and IE and SSL
since it would've taken a lot more space..../shrugs
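Added example (not part of the original comment or of the advisory it quotes): Python code for the condition the advisory names, a server whose errors distinguish several modes of failure, beside a handler that continues with a random premaster secret so every defect ends in the same generic failure. The block size, the handler names, the error labels, the HMAC stand-in for the Finished check and all sample blocks are assumptions constructed for illustration.

```python
import hmac
import os

K = 128                  # decrypted block size in bytes (1024-bit key, assumed)
PMS_LEN = 48             # SSLv3/TLS premaster secret length
VERSION = b"\x03\x00"    # protocol version the client offered (SSLv3)
TRANSCRIPT = b"constructed handshake transcript"   # stand-in for handshake messages


def parse_pkcs1_v15(block: bytes) -> bytes:
    """Strip PKCS#1 v1.5 type-2 padding from an already RSA-decrypted block."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad_block_type")
    sep = block.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no_separator")
    if sep < 10:                      # fewer than 8 nonzero padding bytes
        raise ValueError("short_padding")
    return block[sep + 1:]


def vulnerable_handler(block: bytes) -> str:
    """Reports each failure mode separately: the condition the advisory names."""
    try:
        pms = parse_pkcs1_v15(block)
    except ValueError as exc:
        return str(exc)
    if len(pms) != PMS_LEN:
        return "bad_premaster_length"
    if pms[:2] != VERSION:
        return "bad_version"
    return "ok"


def finished_mac(pms: bytes) -> bytes:
    """Simplified stand-in for the Finished check: a MAC keyed by the premaster."""
    return hmac.new(pms, TRANSCRIPT, "sha256").digest()


def hardened_handler(block: bytes, client_finished: bytes) -> str:
    """On any defect, continue with a random premaster so the only visible
    outcome is the same generic failure at the Finished check."""
    fallback = os.urandom(PMS_LEN)    # generated before parsing, on every call
    try:
        pms = parse_pkcs1_v15(block)
        valid = len(pms) == PMS_LEN and hmac.compare_digest(pms[:2], VERSION)
    except ValueError:
        pms, valid = fallback, False
    secret = pms if valid else fallback
    if hmac.compare_digest(finished_mac(secret), client_finished):
        return "ok"
    return "handshake_failure"


def sample_blocks() -> dict:
    """Constructed decrypted blocks: name -> (block, premaster the sender used)."""
    good = VERSION + b"\x11" * 46

    def block(pms, prefix=b"\x00\x02", pad=None):
        pad = K - 3 - len(pms) if pad is None else pad
        raw = prefix + b"\xaa" * pad + b"\x00" + pms
        return raw.ljust(K, b"\x01")

    short = VERSION + b"\x11" * 38
    wrong_ver = b"\x02\x00" + b"\x11" * 46
    return {
        "valid": (block(good), good),
        "bad_block_type": (block(good, prefix=b"\x00\x01"), good),
        "no_separator": (b"\x00\x02" + b"\xaa" * (K - 2), good),
        "short_padding": (block(good, pad=4), good),
        "bad_length": (block(short), short),
        "bad_version": (block(wrong_ver), wrong_ver),
    }


def observable_responses():
    """What a remote peer sees from each handler for every sample block."""
    vulnerable, hardened = {}, {}
    for name, (blk, pms) in sample_blocks().items():
        vulnerable[name] = vulnerable_handler(blk)
        hardened[name] = hardened_handler(blk, finished_mac(pms))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = observable_responses()
    for name in vulnerable:
        print(f"{name:15} vulnerable={vulnerable[name]:21} hardened={hardened[name]}")
```

The example covers only the distinguishable-error condition; it makes no claim about timing behaviour.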
Well even using ssh in 'secure' network can still introduce the issue of someone snagging passwords along the wire via other methods such as someone using ssh and then using ftp instead of scp or sftp so I would guesstimate that 80% of the times it is always going to be users that are the weak link and not the protocols.
So as of now I will wait for the next security based document pimping IPSec, Secure Tunneling, Diameter, SSH over SSL over Biometric based authentication, then point out the clueless (l)user who just did something stupid like use a protocol which doesn't provide any encryption down the stretch.
First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI.
Certificates provide an attractive business model. They cost almost nothing to make, and if you can convince someone to buy a certificate each year for $5, that times the population of the Internet is a big yearly income. If you can convince someone to purchase a private CA and pay you a fee for every certificate he issues, you're also in good shape. It's no wonder so many companies are trying to cash in on this potential market. With that much money at stake, it is also no wonder that almost all the literature and lobbying on the subject is produced by PKI vendors. And this literature leaves some pretty basic questions unanswered: What good are certificates anyway? Are they secure? For what?
Taken from a prior document written by Bruce Schneier which can be found here.
Man in the middle attacks have been rampant for some time now so I don't know why anyone would use an article such as this for 'clarity's' sake where security is concerned. Sure it assists in dealing with issues and bringing them to light but when you need that much of a level of trust the easiest way to circumvent ANY man in the middle attack or any other form of an authentication issue can be achieved simpler via way of verifying a PGP key id over the phone before any trusted information is encrypted and sent down the wire using any key.
Would've made a nice longer post but Monday morning hangovers leave me feeling pissy
I'd hate to be on the receiving end of a healthcare system with such antiquated stuff. Would this mean they're also sharing medical tools from the Smithsonian? It's surely a sad thing to see the tech industry boom with some little being down in other sectors such as healthcare. Maybe some generous corporation can help out a country by donating at least a Pentium II or something similar.
Not too sure what this has to do with technology though, someone must've been a bit hit up for stories. I know of a company using a tweaked up Commodore for a gateway/cache machine does this mean I should post it as relevant?
While this may be no new news to anyone here are some thoughts on circumventing security modules such as Carnivore. All this was written on a flight from New York to California (how thrilling.)
What? Some slight information on Carnivore
Why? Because everyone is pissing up a storm on Carnivore
How? Sitting down reading Information Security Management Handbook 4th Edition (Tipton, Krause)
Where? Flying over Canada on a re-routed flight to California
Based on the gathered information related to Carnivore, it copies mail sent from the ISP of a user provided he or she is being investigated, after obtaining a warrant, in order to filter e-mail based on human programmed input:
http://pcworld.idg.com.au/pcw.nsf/reviews/49939FEB 71ED36F5CA25692700182669!OpenDocument
What exactly is this input? Who knows but we can guesstimate it's likely a combo of words and synonyms based on some violent and discriminating words maybe even translated into foreign languages.
With this in mind it should be easy to circumvent it with simple little tweaks in order to send that "threat" you've been thinking about, or any other irrelevant e-mail you've been paranoid to send down the wires due to fear of government snooping.
Carnivore is ISP based from what I read, so its functionality will not apply to using a re-mailer from whatever address you're sending the e-mail from nor does it apply to sending spoofed e-mails with a packet injection tool nor a proxy since after all, it is only monitoring your account on your ISP with Carnivore running on that isolated network to capture your e-mail.
Based on the architecture the FBI would need to isolate your IP address as opposed to snooping a complete netblock in order to capture your data, this means they're going to have to set it up to snoop your ISP's router/switch and determine where exactly you are when you connect unless you have a static IP address in which they can segregate your traffic to a specific area which would be hellishly easy for them to do. I'm sure your ISP can simply switch you into a specific area via software and access lists at the drop of a dime as well.
Carnivore simply makes unknowledgeable people think the government(s) is(are) out to get them which personally I don't think is the case. Officials have better things to do (hopefully) than sniffing through days/weeks/months worth of e-mail looking for that "one" discriminating message you're sending. Takes time and a lot of effort including legal work that theoretically has to be taken when we regard the masses.
However if you're the target of some investigation do not be fooled into thinking they will not go this far.
Anyways enough of the BS corporate(ish) stuff you should realize by now.
Let's start with a threatening letter we'll assume John Doe wants to send but is afraid of things like Carnivore and Echelon type systems. Why should he send it? Who knows he's just fscked in his brain for all we know and wants to be the next Una'bummer'.
Based on typical filters and from what we know, we can determine that there is probably some sort of word based capturing going on within Carnivore which likely flags words which are incriminating enough to capture John Doe and make him Mitnick's ex-roommate's new roommate.
So the test begins. With a proxied Netscape browser we find proxy.foo.com and slightly obscure our information and change our hostname to whatever@wherever.com. In theory mail is being sniffed to the account in question johndoe@sampleisp.com in which they have their warrant and not whatever@wherever.com which makes any information they gather obsolete. Well, after some legal mumbo jumbo obsoletes their methods and what information they gathered along with the terms of the warrant.
Hey if they're monitoring johndoe@sampleisp.com and sniff the whole network then jane.something@sampleisp.com should be able to hold them liable for invasion of privacy. That's something I can't speak on since I'm not a lawyer.
Other ways to circumvent this would probably be as simple as creating your message and saving the entire message as a picture and simply sending it along with a message of "Picture of my new car."
Simplicity sometimes works better over the high tech since most technical minds would overexert themselves in ways of technology often forgetting the simple things you could accomplish without knowing much about higher end technology such as encryption schemes, spoofing, etc.
Another oddball way of conveying messages whether or not encrypted is to send a message written in binary with something as lame as:
[sil@stigmata] echo "I need help with this math problem:
[sil@stigmata] 43 61 72 6E 69 76 6F 72 65 20 63 69 72 75 6D
[sil@stigmata] 76 65 6E 74 69 6F 6E 20 74 65 73 74 20 70 68
[sil@stigmata] 61 73 65 20 31 0A" | mail -s hello somebody@somewhere.com
Do you think the makers of Carnivore have pre-determined someone sending out a message of this nature? Certainly if Carnivore's input was created by human input, it's likely they wouldn't be expecting something like this unless it was a known fact beforehand that they would be dealing with some sort of cryptology.
For more obscurity depending on who you are sending the message to, both parties can agree on a scheme to use based on anything. It can be a time defined simple encryption scheme based on the hour of the day, day itself and month.
For example parties A & B decide they will create a unique method to cypher private messages with these variables.
T(D+M+Y)/2 Time + (DAY+MONTH+YEAR) where a message sent at 11:pm on 5/12/00 would be added to equal 28 all together then shifted this amount plus that of the English alphabet (26) divided by 2 so the word "TEST" becomes "RAQR"
This cypher was established since the letter T is the 20th letter of the alphabet I decided to count 27 characters from the letter T. Simple and effective and although based on one scheme it's portable enough to obscure all messages since it's time based and as stated who the hell would be able to figure this out before you had accomplished your dirty deed.
Other scenarios include the infamous (my favorite) spoofed mail technique using some relay host we could find anywhere on the net.
[sil@stigmata] hostname gary7.nsa.gov
[sil@gary7] adduser verona
[sil@gary7] su verona
[verona@gary7] echo "Hello Kapitan" | mail -s foo somebody@somewhere.com
You don't have to be a rocket scientist to do any of this and you don't have to be a genius to figure out ways to circumvent Carnivore, and if you're still paranoid then get a packet injection suite and spoof the address along with the entire payload attached for added screwability.
What about translating the message into a foreign language, converting it to binary then adding two digits or letters to every new hex value, where OxF now becomes QzH? I'm sure you can get a clear picture on why you shouldn't worry your life over what the government is doing. Many times I see rants and people complaining about the lack of privacy, but what I fail to see is someone taking the time to find a neat trick to go on with life and privacy at their own expense. Let's face it, common sense should tell you that any government is going to do whatever they want, whenever they want and nothing you can do is going to stop them so get a life.
There are plenty of ways to circumvent technologies such as this without having the brain power of Albert Einstein and without having to delve deeper into technologies which will most likely be something authorities will be waiting for.
J. Oquendo
Re:Hacking, Cracking, my opinion. on Hackers · Score: 1
First off know your role... These terms stemmed from people who became tired of being misassociated with those who knew little about security and opted to download whatever was available to annoy. IMO they should be labeled script kiddiots entirely.
I see hacking as a form of learning manipulation of what's available and not as some form of intruding on someone's network or "Hacking for good" or whatever else you'd like to call define these terms.
Hacker one who hacks for good?
As in hacks what? Try hacking an OS from scratch or take an existing product and make it better. That to me is a hack and not some "We hack to save the world" defacement which are rampant.
Cracker one who hacks for evil?
No call them criminals which is what they are.
If I created a gun would that make me a killer? If I used the gun would that make me a gunmaker? No keep the terms in sync with their respective description.
I thought that it was much more likely that the cracker was just using tools he had gotten from other places, and that he had not written any of them. That he was just a script kiddie.
Odd how the term script kiddie wasn't coined till late last year
I logged into the Sun box and started poking around. I had begun to suspect that what I had found was a sniffer that the cracker was running to capture logins and passwords on our system and on other systems that our users connected to. Running a utility to check the network card showed that it was in promiscuous mode. The ifconfig utility reported that it was not and this told me that he had replaced the system ifconfig command with a rootkit version that lied to us about the promiscuous status of our network interface. So he was running a sniffer on our system.
Odd how Solaris machines even up until now have no definitive way of determining whether or not a device is in promiscuous mode...
We then posted a system message that said that the hard drive on the Sun had crashed
Security Through Obscurity... tsk tsk
. The rest of us started working installing the latest Digital Unix on the alphas.
DigUnix... got root?
I hope this was a pretend story because if it isn't then these half wits deserve to have their machine rooted by some luzer script kiddiot
First off this has nothing to do with Linux and if it did then why would someone be moronic enough to think they know enough about Linux to throw a commercial or even non-profit site running something out of their comprehension?
If you took time to notice my post you would see the reference to OpenBSD which is secure as hell on a clean install.
So again I post: If someone took a quick second to "Get A Clue" we wouldn't have this issue here would we?
It could've been worse for the guy had they bombarded him for 366 days of William Shatner singing those annoying ass songs of his.
What he should've done is enrolled in one of those collegegirlsellingherassonacam.com and enjoyed those wasted days with better company.
SourceForge Spoof
Its nice to see this information for educational purposes at this point since its outdated. What would be nice however is if they released some new information on their projects.
SourceForge spoof
Therein lies your arrogance I didn't know that an open minded constructed critique would render me as arrogant. How American of me.
I didn't assume anything I pointed out what I see as a slight pitfall in SourceForge's architecture, the inconsistencies of capitalizing on great ideas often to be sneered by those who do not fully understand how good of an alternative OpenSource is as compared to pre-packaged, overhyped products. Many of these open source ideas which end up on the chopping block never to be removed from sites like SourceForge provide fuel to the fire of commercial entities who claim that openSource cannot rival a product of theirs which is why people should dish out money for x package.
Sure they're not obligated to do anything and no one should expect them to, however where does the line get drawn in an effort to make sure expencies aren't raised to "The Next Best Thing..." only to be hindered by once again, a half assed developed venture?
First off the comment about them changing their name was done out of humor. SourceForge is a great site but at the same time they should try and architect a standards for the amount of time to implement a prodcut say one year before wiping it, and or some sort of mechanism to interact with developers to see if they plan on following up on their products, else again I state, their saturating the market with overhyped dreams.
Think of those who create certain projects that rival commercial ventures, e.g.:
Linux :: Windows
OpenSourceFirewall.com :: Commercial Firewalls
Snort :: Network Flight Recorder
and so on, these people had ideas and followed up on them with passion and determination and overall they kept up their projects.
So why would you think I bashed SourceForge when I merely made a comment for developers to get off their asses and follow through on their projects instead of dishing out dreams and hopes only to leave them hanging to dry because they don't have enough time. Why bother putting them out there if they don't intend on wholeheartedly fullfilling them.
Why shouldn't I have said that when its true, there are plenty of programs I could sift through and point out that are only taking up space and will never be followed up on. Maybe you misread the intent so I'll leverage it:
While SourceForge provides a hell of a lot of nice idea and schematics for some great tools, its sad to see some efforts aren't followed through on a lot of those great idea.
Redhat Spoof
Vapourware!*@ I hear SourceForge is changing its domain name to VapourwareSource.com soon.
While SourceForge provides a hell of a lot of nice ideas and schematics for some great tools, its sad to see efforts aren't followed through on a lot of those great ideas.
How long will it take before ideas run dry especially when some of these prodcuts are thought up then hung out to dry never to be followed through? Maybe some of these developers should get together with others and focus on a strong product before just spitting an idea out, getting hopes raveled in the process only to drop it after a few months.
Corporations love this notion that the OpenSource industry can't get their act together and this is a major pitfall on the Unix side of the industry in hopes of creating the `Euphoric' notion of OpenSource being a better alternative than commercial ventures.
It can be viewed as a laugh to have such strong techological advances in the OpenSource field go up against the big guns only to have them fall on their asses because there were never any standardizations or follow-ups to keep the pressure on and prove that any new OpenSource project won't become vapourware in a few weeks/months/days.
Home sweet home
It's funny how the government is now looking into possibly not using Microsoft products based on this incident. Last I checked at Attrition they couldn't even lock down their Unix stations either.
Maybe Mickeysoft should just open their source code to the industry; everyone knows their op sys can only get better this way, and maybe their programmers could stop focusing on all the patches they have to create stemming from posts @ SecurityFocus.
Does this mean that since Glock sells to foreigners some of whom may be terrorists they should stop using them for possible leaks of information to customers, or perhaps because they'll be a fair leverage?
Gov sucks.
Windows2000 Spoof
A static "Media Unique Key" in a separate, hidden area of the drive, identifies the individual drive. Making use of broadcast encryption and one way key algorithms, would-be hackers face a daunting number of keys to break.
Someone surely will break it sometime, but you have to stop and wonder when they state things like, "hidden area of the drive". Are they going to allow an individual group to validate the ethics of this. Some such as EPIC?
"It requires both drives to be compliant when data is to move from one disk to another," says Lotspiech. "And a compliant application to get all that data to the new drive".
So a hard drive containing small individual containing non-copyable files of say, Gartner reports, will essentially be unrestorable using existing backup programs.
How will this affect legacy systems and businesses who may not have the money to fully convert their systems should they want this technology.
Sounds like this has a long way to go and I'm sure many companies will oppose this.
F.B.I.'s Most Wanted Hacker
Personally if I were in your situation I would go over to a couple of job sites and search for companies willing to sponsor H1 visas. Pages such as Hotjobs, Dice, Monster, all have options for foreigners to break into corporations via sponsorships.
Speedygrl has a comprehensive listing of job search engines and companies.
I've never dealt with looking for positions in other countries but soon I will be asking the same question when I get close to moving to Sweden, so I'm curious to these answers as well.
Hope that helped a bit.
Redhat spoofed
Personally I hope groups like EFF, ACLU, or others take actions to remove the added amendments in that bill. George W. Bush is moronic enough to sign the dotted line and push for this. Shady politics aren't new news and it's funny no one has mentioned how odd it is that a bill which is supposed to supply law enforcement officers with medals had totally different clauses embedded in them.
I mentioned this article yesterday and it's a shame it wasn't posted, I also referenced it on a post below and it wasn't acknowledged. *shrugs*
For those who don't know, this bill is pretty much falling through unless someone steps in and notices the 'fuzzy math' behind it.
Just think, this bill pops up when the President is on the way out and an idiot on the way in. It's the perfect situation for those in power to pull off a move that would give them the authority to take away privileged liberties such as encryption. So for those in the computer security industry maybe it's time to start pgp'ing everything and storing them elsewhere. Heaven knows if the bill passes you're looking at an extra stretch of time trying to keep your information private.
Circumventing Carnivore
So now when will /. post some encryption news like H.R.46 that congress is trying to sneak in or something other than most of this commercialistic stuff swelling my eyeballs to oblivion
H.R. 46
Home Sweet Home
FYI here is the product information page with its references to NASA, etc.
Attention.com
Now if they only made a gen x version I could use to shock myself silly...
Now he can team up with the folks at that Czech hospital using the Atari and take over the world. What'll be next Afghanistan stockpiling game genie.
I think it's a nice idea but can see some downfalls in the ways of PUPILS being used as any kind of identification which should also be noted for those interested in Biometric security as well.
What will happen when say a person slightly blind using their products, has his pupils deteriorate are there any thoughts on the sensors and their reactions to this?
As for their emotion mouse I doubt it will give an accurate view of someone's psychological profile as there are heavy handed people, light handed people, etc. Will they have a certain buffer for values such as this or will they market it as a stand alone solution for determining this which is 'f(oo)ullproof'. What about persons with an abnormal perspiration problem will it flag them as a nervous wreck and more importantly will it clean itself after they've used that mouse (hey, I'm not sharing my mouse with a sweaty mo' fo now)
Seriously though many factors will make some of these things hard and though some may seem like a great idea I think many are jumping the gun into some sort of a Star Trekkie based environment filled with overhyped products.
Antioffline -- Putting the Hero in Heroin
Under some circumstances, an intruder who is able to observe an SSL-encrypted session, and subsequently interrogate the server involved in the session, may be able to recover the session key used in that session, and then recover the encrypted data from that session.
The vulnerability can only be exploited if the intruder is able to make repeated session-establishment attempts to the same vulnerable web server which was involved in the original session. In addition, the server must return error messages that distinguish between several modes of failure. Although the number of session-establishment requests is large, it is significantly more efficient than a brute-force attack against the session key. Note that, although web servers comprise the majority of vulnerable servers, other PKCS#1-enabled servers may be vulnerable.
Note that the server's public and private key are not at risk from this vulnerability, and that an intruder is only able to recover data from a single session per attack. Compromising a single session does not give an intruder any additional ability to compromise subsequent sessions. Further, as mentioned above, this vulnerability does not affect all PKCS#1-enabled products.
Snipped from CERT advisory CA-98.07.PKCS
Here is an OpenSSL issue
OpenSSL bypassing
Last but not least there is ssldump, an SSLv3/TLS network protocol analyzer which identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
Someone said they'd never heard of issues with SSL made me want to get the info on this so apologies for making a redundant post if it seems this way. This does not include issues with Mozilla, Netscape and IE and SSL since it would've taken a lot more space...
home sweet home
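The CERT excerpt quoted in the post above depends on the server returning error messages that distinguish between several modes of failure. As an added illustration (not part of the advisory or of the original post), this sketch parses PKCS#1 v1.5 encryption padding on an already-decrypted block and contrasts a handler that reports each failure separately with one that answers every failure the same way by substituting a random secret. The function names, the 48-byte secret, the 128-byte modulus length and the sample blocks are assumptions constructed for the example.

```python
import os

PREMASTER_LEN = 48   # assumption: TLS-style 48-byte premaster secret
K = 128              # assumption: modulus length in bytes (1024-bit key)


def check_pkcs1_v15(block, k=K):
    """Parse EM = 00 || 02 || PS || 00 || M; return (failure reason or None, M)."""
    if len(block) != k:
        return "bad length", None
    if block[0] != 0x00 or block[1] != 0x02:
        return "bad block type", None
    sep = block.find(b"\x00", 2)
    if sep == -1:
        return "no separator", None
    if sep < 10:                      # PS must be at least 8 nonzero bytes
        return "padding too short", None
    return None, block[sep + 1:]


def leaky_handler(block):
    """Weak form: every failure mode gets its own error message."""
    reason, msg = check_pkcs1_v15(block)
    if reason is not None:
        return "error: " + reason
    if len(msg) != PREMASTER_LEN:
        return "error: bad premaster length"
    return "ok"


def uniform_handler(block):
    # Hardened form: always hand back a 48-byte secret. On any failure it is
    # random, so the handshake fails later in the same way for every cause.
    # This sketch is not constant-time; real code must also remove timing gaps.
    fallback = os.urandom(PREMASTER_LEN)   # drawn before any check
    reason, msg = check_pkcs1_v15(block)
    if reason is not None or len(msg) != PREMASTER_LEN:
        return fallback
    return msg


def constructed_samples():
    """Constructed decrypted blocks: one valid, one per failure mode."""
    secret = bytes(range(1, PREMASTER_LEN + 1))
    ff = b"\xff"
    return {
        "valid": b"\x00\x02" + ff * (K - 3 - PREMASTER_LEN) + b"\x00" + secret,
        "bad block type": b"\x00\x01" + ff * (K - 2),
        "no separator": b"\x00\x02" + ff * (K - 2),
        "short padding": b"\x00\x02" + ff * 4 + b"\x00" + ff * (K - 7),
        "wrong length": b"\x00\x02" + ff * 100 + b"\x00" + ff * (K - 103),
    }


def distinct_responses(handler):
    """What a remote peer could tell apart: the set of response shapes."""
    out = set()
    for block in constructed_samples().values():
        resp = handler(block)
        out.add(resp if isinstance(resp, str) else ("secret", len(resp)))
    return out


if __name__ == "__main__":
    print(sorted(distinct_responses(leaky_handler)))
    print(distinct_responses(uniform_handler))
```

The first handler yields five distinguishable answers over the five sample blocks; the second yields one.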
Well even using ssh in 'secure' network can still introduce the issue of someone snagging passwords along the wire via other methods such as someone using ssh and then using ftp instead of scp or sftp so I would guesstimate that 80% of the times it is always going to be users that are the weak link and not the protocols.
So as of now I will wait for the next security based document pimping IPSec, Secure Tunneling, Diameter, SSH over SSL over Biometric based authentication, then point out the clueless (l)user who just did something stupid like use a protocol which doesn't provide any encryption down the stretch.
First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI.
Certificates provide an attractive business model. They cost almost nothing to make, and if you can convince someone to buy a certificate each year for $5, that times the population of the Internet is a big yearly income. If you can convince someone to purchase a private CA and pay you a fee for every certificate he issues, you're also in good shape. It's no wonder so many companies are trying to cash in on this potential market. With that much money at stake, it is also no wonder that almost all the literature and lobbying on the subject is produced by PKI vendors. And this literature leaves some pretty basic questions unanswered: What good are certificates anyway? Are they secure? For what?
Taken from a prior document written by Bruce Schneier which can be found here.
Man in the middle attacks have been rampant for some time now so I don't know why anyone would use an article such as this for 'clarity's' sake where security is concerned. Sure it assists in dealing with issues and bringing them to light but when you need that much of a level of trust the easiest way to circumvent ANY man in the middle attack or any other form of an authentication issue can be achieved simpler via way of verifying a PGP key id over the phone before any trusted information is encrypted and sent down the wire using any key.
Would've made a nice longer post but Monday morning hangovers leave me feeling pissy
My Slashdot Spoof
I'd hate to be on the receiving end of a healthcare system with such antiquated stuff. Would this mean they're also sharing medical tools from the Smithsonian? It's surely a sad thing to see the tech industry boom with some little being done in other sectors such as healthcare. Maybe some generous corporation can help out a country by donating at least a Pentium II or something similar.
Not too sure what this has to do with technology though, someone must've been a bit hit up for stories. I know of a company using a tweaked up Commodore for a gateway/cache machine does this mean I should post it as relevant?
My Slashdot Spoof
Circumventing Carnivore sil@www.dot.antioffline.com
While this may be no new news to anyone here are some thoughts on circumventing security modules such as Carnivore. All this was written on a flight from New York to California (how thrilling.)
What? Some slight information on Carnivore
Why? Because everyone is pissing up a storm on Carnivore
How? Sitting down reading Information Security Management Handbook 4th Edition (Tipton, Krause)
Where? Flying over Canada on a re-routed flight to California
Based on the gathered information related to Carnivore, it copies mail sent from the ISP of a user provided he or she is being investigated, after obtaining a warrant, in order to filter e-mail based on human programmed input:
http://pcworld.idg.com.au/pcw.nsf/reviews/49939FEB71ED36F5CA25692700182669!OpenDocument
What exactly is this input? Who knows but we can guesstimate it's likely a combo of words and synonyms based on some violent and discriminating words maybe even translated into foreign languages.
With this in mind it should be easy to circumvent it with simple little tweaks in order to send that "threat" you've been thinking about, or any other irrelevant e-mail you've been paranoid to send down the wires due to fear of government snooping.
Carnivore is ISP based from what I read, so its functionality will not apply to using a re-mailer from whatever address you're sending the e-mail from nor does it apply to sending spoofed e-mails with a packet injection tool nor a proxy since after all, it is only monitoring your account on your ISP with Carnivore running on that isolated network to capture your e-mail.
Based on the architecture the FBI would need to isolate your IP address as opposed to snooping a complete netblock in order to capture your data, this means they're going to have to set it up to snoop your ISP's router/switch and determine where exactly you are when you connect unless you have a static IP address in which they can segregate your traffic to a specific area which would be hellishly easy for them to do. I'm sure your ISP can simply switch you into a specific area via software and access lists at the drop of a dime as well.
Carnivore simply makes unknowledgeable people think the government(s) is(are) out to get them which personally I don't think is the case. Officials have better things to do (hopefully) than sniffing through days/weeks/months worth of e-mail looking for that "one" discriminating message you're sending. Takes time and a lot of effort including legal work that theoretically has to be taken when we regard the masses.
However if you're the target of some investigation do not be fooled into thinking they will not go this far.
Anyways enough of the BS corporate(ish) stuff you should realize by now.
Let's start with a threatening letter we'll assume John Doe wants to send but is afraid of things like Carnivore and Echelon type systems. Why should he send it? Who knows he's just fscked in his brain for all we know and wants to be the next Una'bummer'.
Based on typical filters and from what we know, we can determine that there is probably some sort of word based capturing going on within Carnivore which likely flags words which are incriminating enough to capture John Doe and make him Mitnick's ex-roommate's new roommate.
So the test begins. With a proxied Netscape browser we find proxy.foo.com and slightly obscure our information and change our hostname to whatever@wherever.com. In theory mail is being sniffed to the account in question johndoe@sampleisp.com in which they have their warrant and not whatever@wherever.com which makes any information they gather obsolete. Well, after some legal mumbo jumbo obsoletes their methods and what information they gathered along with the terms of the warrant.
Hey if they're monitoring johndoe@sampleisp.com and sniff the whole network then jane.something@sampleisp.com should be able to hold them liable for invasion of privacy. That's something I can't speak on since I'm not a lawyer.
Other ways to circumvent this would probably be as simple as creating your message and saving the entire message as a picture and simply sending it along with a message of "Picture of my new car."
Simplicity sometimes works better over the high tech since most technical minds would overexert themselves in ways of technology often forgetting the simple things you could accomplish without knowing much about higher end technology such as encryption schemes, spoofing, etc.
Another oddball way of conveying messages whether or not encrypted is to send a message written in binary with something as lame as:
[sil@stigmata] echo "I need help with this math problem:
[sil@stigmata] 43 61 72 6E 69 76 6F 72 65 20 63 69 72 75 6D
[sil@stigmata] 76 65 6E 74 69 6F 6E 20 74 65 73 74 20 70 68
[sil@stigmata] 61 73 65 20 31 0A" | mail -s hello somebody@somewhere.com
Do you think the makers of Carnivore have pre-determined someone sending out a message of this nature? Certainly if Carnivore's input was created by human input, it's likely they wouldn't be expecting something like this unless it was a known fact beforehand that they would be dealing with some sort of cryptology.
For more obscurity depending on who you are sending the message to, both parties can agree on a scheme to use based on anything. It can be a time defined simple encryption scheme based on the hour of the day, day itself and month.
For example parties A & B decide they will create a unique method to cypher private messages with these variables.
T(D+M+Y)/2 Time + (DAY+MONTH+YEAR) where a message sent at 11:pm on 5/12/00 would be added to equal 28 all together then shifted this amount plus that of the English alphabet (26) divided by 2 so the word "TEST" becomes "RAQR"
This cypher was established since the letter T is the 20th letter of the alphabet I decided to count 27 characters from the letter T. Simple and effective and although based on one scheme it's portable enough to obscure all messages since it's time based and as stated who the hell would be able to figure this out before you had accomplished your dirty deed.
Other scenarios include the infamous (my favorite) spoofed mail technique using some relay host we could find anywhere on the net.
[sil@stigmata] hostname gary7.nsa.gov
[sil@gary7] adduser verona
[sil@gary7] su verona
[verona@gary7] echo "Hello Kapitan" | mail -s foo somebody@somewhere.com
You don't have to be a rocket scientist to do any of this and you don't have to be a genius to figure out ways to circumvent Carnivore, and if you're still paranoid then get a packet injection suite and spoof the address along with the entire payload attached for added screwability.
What about translating the message into a foreign language, converting it to binary then adding two digits or letters to every new hex value, where OxF now becomes QzH? I'm sure you can get a clear picture on why you shouldn't worry your life over what the government is doing. Many times I see rants and people complaining about the lack of privacy, but what I fail to see is someone taking the time to find a neat trick to go on with life and privacy at their own expense. Let's face it, common sense should tell you that any government is going to do whatever they want, whenever they want and nothing you can do is going to stop them so get a life.
There are plenty of ways to circumvent technologies such as this without having the brain power of Albert Einstein and without having to delve deeper into technologies which will most likely be something authorities will be waiting for.
J. Oquendo
First off know your role... These terms stemmed from people who became tired of being misassociated with those who knew little about security and opted to download whatever was available to annoy. IMO they should be labeled script kiddiots entirely.
I see hacking as a form of learning manipulation of what's available and not as some form of intruding on someone's network or "Hacking for good" or whatever else you'd like to call define these terms.
Hacker one who hacks for good?
As in hacks what? Try hacking an OS from scratch or take an existing product and make it better. That to me is a hack and not some "We hack to save the world" defacement which are rampant.
Cracker one who hacks for evil?
No call them criminals which is what they are.
If I created a gun would that make me a killer? If I used the gun would that make me a gunmaker? No keep the terms in sync with their respective description.
Script kiddies do as scriptkiddiot do
I thought that it was much more likely that the cracker was just
using tools he had gotten from other places, and that he had not
written any of them. That he was just a script kiddie.
Odd how the term script kiddie wasn't coined till late last year
I logged into the Sun box and started poking around. I had begun
to suspect that what I had found was a sniffer that the cracker
was running to capture logins and passwords on our system and on
other systems that our users connected to. Running a utility to
check the network card showed that it was in promiscuous mode.
The ifconfig utility reported that it was not and this told me
that he had replaced the system ifconfig command with a rootkit
version that lied to us about the promiscuous status of our
network interface. So he was running a sniffer on our system.
Odd how Solaris machines even up until now have no definitive
way of determining whether or not a device is in promiscuous
mode...
We then posted a system message that said that the hard drive
on the Sun had crashed
Security Through Obscurity... tsk tsk
. The rest of us started working installing the latest Digital Unix on the alphas.
DigUnix... got root?
I hope this was a pretend story because if it isn't then these
half wits deserve to have their machine rooted by some luzer
script kiddiot
First off this has nothing to do with Linux and if it did then why would someone be moronic enough to think they know enough about Linux to throw a commercial or even non-profit site running something out of their comprehension?
If you took time to notice my post you would see the reference to OpenBSD which is secure as hell on a clean install.
So again I post: If someone took a quick second to "Get A Clue" we wouldn't have this issue here would we?
Join our clueless clan