Slashdot Mirror


User: ShaunC

ShaunC's activity in the archive.

Stories: 0 · Comments: 1,337

Comments · 1,337

  1. Wonderful choice, ICANN... on 850K RegisterFly Domains Moved To GoDaddy · · Score: 1

    So you transfer these poor folks' domains from one registrar known for shady practices to another? How about at least transferring them to an OpenSRS registrar, or (gasp!) releasing all holds on the domains and giving the customer the choice of where to transfer to?

  2. Re:Privacy.... on MySpace Agrees to Share Sex Offender Data · · Score: 1

    Right now the major issue is that laws designed to protect children can be used against children.
    No, right now the major issue is that every politician and talking head is striving to equate the term "sex offender" with "child molester." And it's working. There are plenty of "sex offenders" on MySpace (and walking around your neighborhood each day) who do not now, and never will, pose the slightest risk to anyone's child.
  3. Re:Willful ignorance on Utah Anti-Kids-Spam Registry "a Flop" · · Score: 1

    Utah legislators must have deliberately ignored all advice given to them by the technical experts.
    You're making the assumption that the legislature ever sought technical expertise to begin with. So often, the reason these stupid laws come about is that nobody ever bothers to "ask the experts."
  4. Re:Same old same old on AOL Security Compromised by Teenager · · Score: 1

    Jesus H, at least I can tell you're the real deal. Now I'm going to have to go through every CD in my possession, looking to see whether or not I have some old backups of all the AOL shit. I'm fairly certain that it's all been lost to time (many priceless screenshots included) but damn if I could stumble across an archive.

  5. Re:Same old same old on AOL Security Compromised by Teenager · · Score: 1

    Yes, that's me... If I knew you back in the day, get in touch. :) http://shat.net/contact.php is at least marginally likely to be read. Anything else is hit or miss.

  6. Re:Same old same old on AOL Security Compromised by Teenager · · Score: 2, Interesting

    I think we were marginal contemporaries. If I have it right, y'all were doing "invokes" (like 32-41908) while the Mac side was busy sending token/args. Yes, I remember the * menu on WAOL. Its equivalent on the Mac side was the "Bullet Menu," named for the fact that instead of being a *, it showed up in the menu bar as a bullet (cmd-8 on a Mac).

    FDOs and atoms were the Windows side of things. Your mention of OpsSec brings up another anecdote. There was an internal account, "NOC Nodes," run by network ops. I once created a fake account with the screen name "N0C Nodes" (november zero charlie Nodes) and IM'd a friend with his full phone number. The poor bastard logged off and wiped his hard drive. It only became a joke years later when he forgave me.

    Fun times. :)

  7. Re:Suuurrree on AOL Security Compromised by Teenager · · Score: 2, Informative

    You'd think employees of an ISP, who routinely warns its customers about it, would be wise to rudimentary "attacks" like phishing scams.
    You'd be surprised. Back in the late '90s, when phishing first became a problem on AOL, they went so far as to modify the Instant Message window so that it contained a disclaimer, in very obvious red text, saying that no one from AOL will ever ask for your password. Believe me, very few people paid attention to that warning.

    I recall sitting in the nerve center chat with the likes of VARST, UTRST, JXRST, etc. and having the occasional moron walk in trying to phish in the chat. They didn't generally last long, but I also have seen a VARST operator type his password into the chat. It's sad how easily some (high-level) employees can be socially engineered. That's what you get when you hire Joe Regular into an enterprise position and you don't give him adequate training.
  8. Same old same old on AOL Security Compromised by Teenager · · Score: 5, Interesting

    From the perspective of someone who was in that scene more than a decade ago, it's enlightening to see how much of this is still going on. I don't see where in the article it says he used "'off-the-shelf' hacking software," but I guess these days it doesn't take much talent.

    I remember when the phishing trend started. AOL's biggest mistake at that point was creating a special People Connection lobby that overhead/internal accounts would default to. Initially, it was just a private room whose name changed occasionally (who else remembers THEBLIMPSAIDITALL, and numerous incarnations of IllIlIIlIIlllIlIIlI...?). Anyone who knew the name could get into the room with any regular account, and phish privileged accounts to their heart's content. Eventually AOL made some progress and created a viewruled lobby, which they assumed would keep the riff-raff out, but they forgot to plan for the fact that the riff-raff already had access to privileged accounts.

    In the early to mid 90s, there was no such thing as phishing. If you wanted privileged access, you had to work for it, and it was a thankless (but sometimes rewarding) task. There were a handful of folks - okay, probably a few handfuls, maybe numbering in the tens - who spent their free time doing real hacking. Those of us on the Mac side were busy poring over logs from Serial of Champions, reverse engineering the client-server communications. Through trial and error, we determined that every client request would send a two-character "token" and an argument to match. For example, double-clicking a message board to open it up might send the token "mB" with the message board's ID as the argument. Using the Keyword feature would send a Kk token, that's the only one I still remember for sure.

    We eventually compiled a list of the various "tokens" that made up the AOL protocol, and what they did. There was a developer's client extension that allowed for sending arbitrary token/args, and like most things inhouse, it was leaked to a few people. This gave some of us the ability to do things nobody else could. Way before AOL ever introduced "Mail Controls," for instance, we were able to reject mail from specified users. The feature had been built into the system from the beginning but had never been released to the public (IIRC, the then-system-devs didn't even know it was possible). We'd stumbled upon the feature by sending random tokens to the server.

    Here's a funny story about how something went from blackhat to implemented feature. At some point I discovered a token that would refresh the client's installed list of screen names. Basically, if you had AOL installed on multiple computers, or had multiple copies of the client on one machine, the list of your available screen names would inevitably become outdated across clients: if you created a new screen name on one client, then switched to another, the new name wouldn't show as a sign-on option. Likewise, if you deleted a screen name while you were logged in from one machine, that name would still (incorrectly) display as available on another machine. There was no way to synch up the list of names, so if you created screen name FoobarMan on machine A, the only way to sign onto it from machine B was to reinstall the client.

    Well, I found out that if you sent a certain token to the server, it would force a client-side refresh of the screen names on the sign-on list. Having legitimate access to publish things - did I mention I was not only a haxx0r, but also remote staff - I created a little form with a link that would send that token, thus refreshing the client's list of screen names. I passed it on to a TechLive friend who started giving it out to members who were having this (common) problem. Eventually someone inhouse got wind of it. I got reamed, my creation was removed, and a month later a shiny new feature appeared at keyword: NAMES... "Refresh Screen Name List."

    Go figure. :)

    Accessing member information is hardly anything new. AOL has a customer management system

  9. Re:They should address the root causes. on Teens Actually Do Protect Their Online Profiles · · Score: 1

    How long till they want to simply ban the internet?

    Fuck that, I'm waiting for our Congresscritters to figure out that the solution is to ban children. Without children, 99% of the so-called "problems" that the legislature attempts to address would no longer exist.
  10. Re:Nice locations on Google Confirms $600M South Carolina Data Center · · Score: 1

    Yes, what better place to build a data center than TORNADO ALLEY.
    Who says a data center has to be above ground?
  11. Nice locations on Google Confirms $600M South Carolina Data Center · · Score: 0, Troll

    Open land and cheap power, yeah, that's it. The fact that the Carolinas are awfully close to DC, just a coincidence. And it's not like Google's giant facility in Washington State is going to be a stone's throw away from the NSA facility in Yakima, right?

    North and South Carolina don't rank so well in terms of electricity cost per state. If you want cheap tracts of land and cheap electricity, you build a data center in Oklahoma or Kansas (yes, Virginia, there is fiber there), not in Washington or the Carolinas...

  12. Government can't take your property? on Students Sue Anti-Plagiarism Service · · Score: 0

    the government simply cannot take private property without reimbursement.
    Sure they can; they can even take your private property and give it to a corporation without reimbursement. It's called "eminent domain," and in case you don't recall, the Supreme Court recently affirmed the government's authority to do just that.

    If they don't have a problem handing over 15 private residences to Pfizer, I doubt they'd have any problem reappropriating the contents of college students' essays to Turnitin. It's a brave ne[w|ocon] world we're living in.
  13. Re:That's not what they'll win Congress with, no.. on RIAA Receives Stern Letter, Folds · · Score: 1, Funny

    Which is why we have the Mickey Mouse copyright extension named after Bono, the worthless AHRA, the easily abused DMCA and the obnoxious NET Act, as well as whatever laws I haven't heard of yet.

    Dude, I was totally with you until you dissed the American Hot Rod Association. Certainly you must realize that they're one of the most well-respected drag racing organizations in the world. It amazes me that you would lump such a geeky, gear-headed organization amongst your legitimate complaints about ridiculous copyright laws! Personally, I wish that Sonny Bono had been involved in a real crash, AHRA style, instead of colliding with a tree. Everyone knows that real drivers crash other drivers, only drunks crash into trees.
  14. Re:Awesome lawyer on RIAA Receives Stern Letter, Folds · · Score: 3, Insightful

    I concur, the letter is a work of art, even with its various typos. (I sort of wish that Mr. Ledford had waited for the staff-reviewed copy, and posted that, but the last thing I'm going to do is critique him at this point.) My favorite excerpt is as follows:

    Procedurally, we need to address how best to move the case to the Fresno Branch so you can enjoy our new Courthouse and avoid Judge Levi's wrath for filing in the wrong court.
    You want pwnage, that's it.

    Here is an attorney who not only is familiar with and sees through the RIAA's shotgun tactics, and even refers to them as such in his draft, he is admonishing the opposing counsel in beautifully crafted language. While the written words offer to assist said counsel in resolving a filing mistake, a very clear and very different message is conveyed. Mr. Ledford has just told the RIAA to go fuck their collective selves, and he appears to have the case law to back it up (IANAL, and I'm definitely not licensed to practice in California, so that is only my interpretation). He knows he's right, he knows that the RIAA is not willing to appear in court for a showdown after the issues that he's cited - inappropriate venue, lack of probable cause, history of discredited experts, etc. - and he's finally revealed himself as the man with the balls to make the play.

    The entire missive can be summed up from a geek's standpoint in eleven characters: "YHBT. HAND."

    I don't know whether or not the Merchant family has actually fronted $6,880.25 for the research that culminated in this letter, and I suspect that either settlement or judgement will negate the fees, but those dollars are worth their weight in gold. I've followed the entire RIAA spectacle with mildly detached interest since they first started filing lawsuits, and to be quite frank, this is the most damning coffin-nail yet.

    A model letter, indeed.
  15. Forget the spam filters... on Bot Infestations Reach Nearly 1.2M · · Score: 2, Insightful

    ..It's more like "time to put an ad in the paper, an onslaught of new customers is coming!" I wish I still had time to do spyware removals and clean up infested computers. Easy money for those who have the time and are willing to make housecalls.

  16. Re:Coral Cache on Residential Wi-Fi Mapping Database Revealed · · Score: 1

    The Coral Cache operates on port 8090. Here is a corrected link, though at this point, all that's cached is proof that the Internet Patrol's copy of WordPress has left a smoldering crater where their server once was...

  17. Re:Fox owns this image... on EFF Forces DMCA Abuser to Apologize · · Score: 2, Funny

    Wait.. which side is the Fox News mouthpiece, and which side is the guy who sued because he didn't want his image published? I can easily see it going either way.

  18. Broadcom cards? on A Network Sniffer On Steroids · · Score: 2, Interesting

    Does anyone know if there are any special driver requirements, beyond "anyone with a wireless card?" The documentation is rather...sparse. I've got a Broadcom wireless card in my laptop and it's generally a pain to get things like airodump going; it requires installing a debug driver, then rolling back the driver afterwards, and the network functionality itself is disabled during this period, at least with airodump.

    I'm curious if ferret can sniff without the added hassle...

  19. Re:Easier than Networking! on When a CGI Script is the Most Elegant Solution · · Score: 2, Insightful

    I'd also consider using inline CSS and JavaScript instead of linking them in externally as files. Surely this will reduce the network load.
    Actually, the opposite should be true. Client browsers will typically[1] cache the contents of an external .css file, downloading it no more frequently than once per visit (the same holds true for .js files). If you're inlining your CSS or Javascript as part of your pages, the client has to download a copy each and every time they load a new page on your site. Granted, for a personal blog or your local copy of Gallery, that isn't a big deal, but for an enterprise-grade site, compartmentalizing your CSS away from your view is almost always a good idea.

    [1]Geeks will be the exception here; I always set my browsers to download a fresh copy of files "every time" as opposed to the normal default of "once per session."
  20. Re:If you're going to blow the whistle on Randal Schwartz's Charges Expunged · · Score: 1

    Give the CDs to nugget. He talks to everyone and loves free CDs.

  21. Re:Congratulations on Randal Schwartz's Charges Expunged · · Score: 1

    Seconded... Congrats Merlyn. It sucks that all of this happened in the first place, but you're proof that if you keep fighting, eventually justice can work for "the little guy."

  22. How come? on Opera CTO Hits Back at Microsoft's Standards Push · · Score: 5, Funny

    If forced to choose one, I'd pick the 700-page specification (ODF) over the 6,000-page specification (OOXML).
    So I'd ask Håkon, "how come?" :)
  23. Competition? on Skype Asks FCC to Open Cellular Networks · · Score: 5, Insightful

    Given the competition that exists within the industry, is this needed?

    Competition? As in where I get to choose from one of [Verizon|Cingular|Sprint], all of which charge mostly the same, and whichever one I pick, I'm either stuck with them for 2 years or stuck paying exorbitant fees to "fire" them and switch to one of their clones? I'm intentionally glossing over the prepaid services (Virgin Mobile, for example) because they tend to piggyback on other carriers' networks (Virgin is actually Sprint's network, so in essence if you use Virgin Mobile, you're really using Sprint).

    Saying there's real competition in the wireless industry is like saying that because Sony, BMG, and Warner all make CDs, there's "real competition" in that industry. Cable companies were forced to accept all comers (see Time Warner's cables being used by Earthlink, often at a lower fee than TW's RoadRunner service) - and hell, my cable company doesn't even lock me into a 2-year contract...
  24. Online bullying? on States Seek Laws to Curb Online Bullying · · Score: 1

    If this isn't a case of a solution looking for a problem (or a politician pandering for votes), I don't know what is. There aren't even laws prohibiting real world bullying, are there? Kids get in fights all the time and here in a large metro area, unless there's a weapon involved, it's usually handled within the school. Are we really such a nation of pansies that we need laws to protect us from being ridiculed on the internet?

  25. Far outstripping other attackers on Chinese Hack Attacks on DoD Networks Coordinated · · Score: 5, Insightful

    Attacks coming from China, probably with government support, far outstrip other attackers in terms of volume, proficiency and sophistication, said a senior Netwarcom official

    Gee, ya think? China has more than a billion people. I know they're not all running around with shiny new laptops, but come on - this is akin to saying that the majority of low-temperature attacks on the United States come from Canada. Well, duh!

    I can make the same "cyberattack" claims about my not-worth-cracking dedicated servers and the dinky firewall machine sitting on my cable modem, too, but that doesn't mean I'm engaged in a "cyberwar" with anyone. The majority of rooted machines trying to root mine are in China. Most of this comes in the form of automated attempts to bruteforce ssh, but I've seen targeted attempts where there's clearly a human on the other end of the wire.

    While I don't doubt that DoD machines are probably being targeted intentionally, there's an overwhelming amount of garbage traffic coming out of central and eastern Asia, and it hits everyone. Nearly half of all my rejected SMTP traffic is from Chinese netspace, but most of it's trying to peddle western products to American consumers, the Chinese people have nothing to do with it. China's so full of compromised hosts that whoever's actually cracking DoD machines is probably sitting in an internet cafe in Milan, piping data through some rooted .gov.cn box...

    Oh, and the next person to use "spear phishing" in an article is getting a swift kick in the nuts!