I'm all for full disclosure, but is it really necessary for people to include exploit code?
some things are easiest to communicate with sample code. in the absence of the original source code, in which case you could say "look, this function is overrunning this buffer," it would probably be easiest to demonstrate the exact nature of a security flaw using exploit code. although even in the circumstances where you have the original source, having exploit code to look at couldn't hurt in fixing the problem.
my personal feeling on this is that exploit code should first be sent to the maintainer of the original program, with a deadline for the release of a patch. there should also be a public release describing the problem in a very generic nature. after the deadline, release the exploit, even if the patch isn't out yet. this gives developers time to fix the problem without putting the exploit in the hands of script kiddies. plus, the developers are under a deadline to get it fixed. granted, it's entirely possible for the kiddies to already have code to exploit it, but why give them the tools before it's necessary?
not only that, but there's a million other programs out there that allow for access to the shell. less, for instance. it could look like somebody is innocently reading a config file as root (well, innocent as long as that's part of their job...) but they could use shell escapes to do just about anything. before you give anybody access to anything using sudo, think about how it could be used to obtain a root shell.
and i'm not talking out of my ass here. i've run into situations at work a couple times when i couldn't find the full time admin and needed to get something done, so i used my sudo access to get a root shell. (of course i had been given permission to root our boxen in case of emergency)
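A defender's check for the point made above, as an added example that is not part of the original comment: it scans sudoers user specifications for programs with built-in shell escapes (less, as the comment names, plus a short list assumed here) that are granted without the NOEXEC tag. The function names, the program list and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original comment): audit sudoers user
# specifications for escape-capable programs granted without NOEXEC.

# Short list of well-known escape-capable programs (assumption: extend it).
ESCAPE_CAPABLE="less more vi vim view man ed"

# audit_sudoers [FILE]  reads FILE or stdin, prints one finding per line.
# Limits: Defaults and *_Alias lines are skipped and aliases are not expanded.
audit_sudoers() {
    awk -v progs="$ESCAPE_CAPABLE" '
    BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
    {
        # Join backslash-continued lines; report the rule at its first line.
        if (!cont) start = NR
        line = $0
        if (sub(/\\$/, "", line)) { buf = buf line; cont = 1; next }
        check(buf line, start); buf = ""; cont = 0
    }
    function check(rule, lineno,    spec, cmds, m, i, c, w, base, noexec, len) {
        if (rule ~ /^[ \t]*#/ || rule ~ /^[ \t]*$/) return      # comment or blank
        if (rule ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/) return  # not a user spec
        if (index(rule, "=") == 0) return
        spec = substr(rule, index(rule, "=") + 1)
        gsub(/\([^)]*\)/, "", spec)                             # drop (runas) lists
        m = split(spec, cmds, ",")
        noexec = 0
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            # Tags such as NOPASSWD: or NOEXEC: stay in force for later commands.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                len = RLENGTH
                if (c ~ /^NOEXEC:/) noexec = 1
                if (c ~ /^EXEC:/) noexec = 0
                c = substr(c, len + 1)
            }
            if (c == "" || c ~ /^!/) continue                   # negated entry
            split(c, w, /[ \t]+/)
            if (w[1] == "ALL") {
                printf "line %d: ALL includes shells and every escape-capable program\n", lineno
                continue
            }
            base = w[1]; sub(/.*\//, "", base)
            if ((base in risky) && !noexec)
                printf "line %d: %s allows shell escapes and has no NOEXEC tag\n", lineno, w[1]
        }
    }' "$@"
}

# Constructed sample policy, for illustration only.
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers
Defaults env_reset
Cmnd_Alias WEB = /usr/sbin/apachectl
alice  ALL = (root) /usr/bin/less /etc/httpd/conf/httpd.conf
bob    ALL = (root) NOEXEC: /usr/bin/less /var/log/messages, /usr/bin/vi /etc/hosts
carol  ALL = (root) NOPASSWD: WEB, \
                    /usr/bin/vim /etc/motd
dave   ALL = (ALL) ALL
EOF
}

sample_sudoers | audit_sudoers
```

NOEXEC works through sudo's preloaded library, so it only constrains dynamically linked programs; for file editing, sudoedit avoids running the editor as root at all.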
bouncing mail with procmail (on Eliza for Spam) · Score: 3, Interesting
you can tell procmail to exit with whatever exit code you feel like it. there's an exit code for "no such user". if you can detect your spam with procmail and any combination of scripts, you can force it to send a bounce message saying that the user doesn't exist. if you want, you can even force that sendmail-generated bounce message, and still receive the mail.
consider the following recipes:

    EXITCODE=67    # addressee unknown

    :0 cW
    | ${HOME}/.bin/isitspam.pl

    :0 a
    mail/worms

    EXITCODE=0     # successful termination

this would have you still able to read your spam, if you're so inclined. (deliver it to /dev/null if you're not.) i would tend to think that a "user does not exist" bounce message would be better for preventing future spam than an annoying little eliza-generated email
Re:Ease of use/installation can go too far (on KDE 2.2 Tagged) · Score: 1
but of course... what other distribution would i use? *duck and cover*
Ease of use/installation can go too far (on KDE 2.2 Tagged) · Score: 2
lynx -source http://go-gnome.com | sh
dude, that is too sick. far too sick.
but aside from the fact that i'm floored by your hoopy voodoo hack, i have a fundamental objection to asking people to run a shell script (as root!) without having them look at it. true, you never said "don't read it, just run it." but shouldn't we be discouraging this "su and say" behavior? especially just having people run a shell script that's stored remotely. making things easy to install is good, but "configure && make && make install" is good enough for me. (although i don't even encourage that. do a "./configure --help" first and decide what you really want/need. and do a "make -n install" to try and figure out what's going where in case things break.) A lot of people prefer package management schemes like rpm or apt, but i always feel like i lack a degree of control when i use those. anything past installing rpms is going too far for ease of use. (note to those who think my grandma should be able to use linux: i never said there couldn't be a gui frontend to rpm.)
yeah, i laughed when i got a port 80 hit from cust2120.EzSecureHosting.com. it's apparently not as secure as they would have people think, so customer 2120 could probably sue them.
and microsoft has the same "we make no guarantees" clauses that free software licenses have, so either the case would be dismissed, or clauses like that would be ruled illegal, which could be bad for free software, unless they only made it illegal to attach those clauses to commercial software
but on the other hand, if you're exposing yourself to new music using mp3s, you're also subverting the economics that the record companies expect. they expect that if they force you to listen to something on the radio or mtv, then you'll go out and buy it. that's why n'sync and all the other shit like that is popular. nobody likes it because they normally would find it appealing. people like it because they're trained to like it.
if you start liking music on your own and ignore the schlock that you're force-fed, then you're adding unknowns to the system, and the record companies can't consolidate their catalogs to accommodate a universal taste, a goal to which they've been aspiring recently. During the merger-mania the record companies were going through last year, a lot of bands were dropped to slim down the rosters to a small pile of the most profitable "musicians." They WANT to produce as little variety of product as possible to reduce costs, and still sell enough to keep a nice fat income. finding new music on your own gets in the way of that goal.
the anagrams were most likely created by whoever wrote the scripts to the films. The screenplay for Lolita was written by Vladimir Nabokov, as was the book. Another user pointed out that Vivian Darkbloom was even in the original book.
Doctor Strangelove started out as a book entitled "Red Alert" by Peter George, and it was a suspense novel. Kubrick decided to make a movie out of it, and he and Peter George collaborated on the screenplay. In the process of writing it, they realized that the plot had amazing comic potential, so they invited Terry Southern to join them. My bet is that Bat Guano was not an accident by any means. However, I would bet that that's one of Terry Southern's contributions to the film.
On to 2001... Originally it was the short story "The Sentinel" by Arthur C. Clarke. Kubrick decided to use the events in that story as a small part of his next project, and invited Clarke to collaborate with him in a screenplay. Wheat makes a good case for the Odysseus and Zarathustra analogies, but some of it is just farfetched. "NO MEAT" might be feasible, but is probably just a side effect of some sort of drugs. either that, or Wheat has spent his entire life as a more-intellectual-than-thou prick. but the bathroom tiles?!? that's a little too far gone for me.
that's what i was getting at. their selective "protection of the children" indicates that their agenda isn't really to protect the children, but more a direct manifestation of their own puritanical ideas, using the children only as an excuse.
(and for the record, i don't like the idea of filtering in libraries. not that it's bad in theory to limit people to sites related to academic pursuits, but in practice, it's impossible.)
as i recall, if you just randomly stumble across something that you find horribly objectionable, then, legally, you've just fallen victim to a subtle form of assault. it's completely asinine, but that's the way it is. apparently the supreme court has decided that the freedom to not be offended is more valuable than the freedom of speech. so i couldn't put porn on a billboard, and i can't say "fuck" over broadcast channels, because *gasp* i might offend someone, and somehow that would violate their rights. but i'm pretty sure i'm allowed to stand in a public place and yell "fuck" at the top of my lungs. (hell, i did it the other day.) the whole system is just a big, puritanical mess.
And given how many restrictions to free speech are proposed in the name of "protecting the children",
that's just the point. it's all said and done in the name of the children, but they're very selective of how they help the children. it's just more puritanical witchhunting. now spewing toxins into the atmosphere isn't generally a topic covered when churches decide what needs to be abolished as sinful, so that can continue. just as long as the children don't see anyone naked.
Redistribution is one legal issue with this, but hardly the only one. You can't redistribute the binary version of GPL code linked to non-free code.
so, then what's linking? does inserting the virus into the binary file count as linking it? if so, you can't give anyone your newly-infected program that's binary-redistributable. it's linked to GPL code and doing so would violate the license on the virus.
honestly, is there any point at all to even having a license on a virus? especially the GPL, which has all sorts of bizarre legal quirks that merely propagating the virus would violate.
on top of all of that, we need to think of the effects of this on the legal standing of the GPL. this can only serve to discredit it, for several reasons. first, it's a virus. almost nobody respects virus authors, and especially not non-technical judges and juries. this gives the GPL a sort of guilt by association for some people. second, there's no way the author could have possibly expected anybody to obey the terms of the GPL in redistributing the virus. in essence, it's meaningless. that intended meaninglessness also detracts from the credibility of the GPL, at least in this instance.
just in case you don't get the parent, it's a parody of the opening monologue of the first season of Babylon 5.
It was the dawn of the third age of mankind, ten years after the Earth/Minbari war. The Babylon Project was a dream given form. Its goal, to prevent another war by creating a place where humans and aliens could work out their differences peacefully. It's a port of call - home away from home for diplomats, hustlers, entrepreneurs, and wanderers. Humans and aliens wrapped in two million, five hundred thousand tons of spinning metal, all alone in the night. It can be a dangerous place, but it's our last best hope for peace. This is the story of the last of the Babylon stations. The year is 2258. The name of the place is Babylon 5.
- Commander Sinclair
i can think of two cases of that kind of social engineering succeeding against aol just off the top of my head:
A girl named Amber Applebaum found out Trent Reznor's email address. (he used to have MTRez@aol.com) she proceeded to call tech support and say that she was Trent's wife (he's not married) and she needed the password. then she proceeded to send email from his account for a while. she was later arrested for it.
There was a case a while ago where there was a web page run by an anonymous member of the u.s. navy dedicated to gay sex. the navy just called up, without any of the allegedly necessary paperwork, such as a subpoena, and asked who it was, then gave him a dishonourable discharge. (i'm pretty sure it was the navy at least. i don't remember details.)
in both of those cases, aol specifically stated that the operators violated aol policy. and who knows how many cases of that i don't know about...
as i recall, numbers alone can never be considered intellectual property. that's what bit intel in the ass with the 486. all the companies that made knockoffs were calling them 486's, diluting the namespace. so intel came out with "pentium" to solve that problem.
the question now is whether the courts would consider this just a number, or an encoding of the decss data into a number.
There's a GPL'd Java app called WeirdX that functions as an X server. Since That covers the remote X on win9x part. I don't know of any way to use it securely, though. (hmm, maybe that would be a good project, a Java ssh client with X forwarding...)
it's not just on the internet. who do you think it is that uses the alternate camera angle feature on dvds? who do you think was the first to accept vhs? the porn industry has been innovating for much longer than microsoft, and on top of that, they're better at it.
libraries are traditional. they've been around for a long, long time and nobody around today could come close to remembering a time without libraries in the world. They're accepted because they're there. ebooks are new and different, and to a lot of people, scary.
because of point 1, the legality of a library has been affirmed, whereas the legality of having a repository of ebooks on gnutella hasn't been fully established, one way or the other.
libraries offer you one hard copy of a book, which you have to return. ebooks you get to keep on your hard drive indefinitely, and potentially share further.
don't get me wrong, i'm not against ebooks. i like them for their grepability. i'm just playing devil's advocate.
yes, their second test was fair, and revealed problems. I never disputed that. but that first test was essentially rigged in favor of nt, and there's no denying it.
I really find it hard NOT to have a problem with benchmarking NT as tweaked out as they had it (4 NICs and 4 processors, 1 NIC bound to each processor with separate stacks as i recall) with an out of the box Red Hat installation.
too true. i could really use to be able to just:
kill -KILL "the theme song from Beverly Hills Cop repeating incessantly in my head"
i remember when i was 14 or so, and i discovered that ms bookshelf had an audio file for the sample pronunciation of "motherfucker" i thought it was absolutely hilarious to have that monotone voice demonstrate to me how to swear.
ah, the memories...
it depends what you drink. if you get a large cup of really good coffee, it can run you $10. for instance, Java Hut, a coffee shop here in worcester mass. has a drink called the psycho blast. if i remember right, the ingredients are as follows: 8 shots of espresso (brewed with caffeinated water), ground chocolate covered espresso beans, high caffeine coffee ice cream, and whipped cream on top. served chilled.
(god, my kidneys must hate me.)
just in case you don't get the parent, it's a parody of the opening monologue of the first season of Babylon 5.
http://www.midwinter.com/lurk/universe/setting-1.html
there's also an ac sibling in here that's a parody of the season 3 opening
actually, for a second when i saw the title of the story, i thought it was talking about buggering web pages.