> You may was well have stopped here. Once an attacker has physical access just about everything at > the software level becomes moot.
> If an attacker has access to carry out the scenario you outlined, then they'll be just as capable of > using that same level of access to exploit just about anything an ATM is running.
Prove it. Go exploit an OS/2 ATM like this. Then try it with one running IE. I think you'll have an easier time with the IE ATM.
Also, every W1nd0ws game I've ever installed has launched a DirectX installer; this, to me, seems to say that an SDL installer could be launched just as easily.
> You don't understand flightsimmers: we need realism.
You're lying. Flightgear is ultra-realistic. The military uses it in their flight simulators. You know why it's hard to fly? Because you have to know what you're doing. Flying a real plane is not as simple as turning it on and moving a joystick. Flightgear is a true flight simulator, not a fun game to play.
Incorrect. I remember seeing some benchmarks a while ago about running UT2004 under Wine. The windows version under wine was faster than the windows version under windows.
Just goes to show you that Windows isn't good for anything. No security, and games are slow too.
>So since (presumably) these ATMs a) aren't going to be running as an admin user
This is irrelevant. The user that will be exploited has permission to read card numbers/PINs and dispense cash. I doubt hackers want to 0wn the ATMs and install Linux on them. They want ca$h.
> b) aren't going to allow people using them to visit arbitrary websites that exploit IE (either with or > without the user's consent)
Here's a scenario. The attacker with physical access to the ATM unplugs it and it reboots. He then taps the Ethernet cable (I doubt they're using quantum crypto + fiber here) and injects fake DNS replies. The ATM caches the (spoofed) IP adserver.bank.com as 1.2.3.4 (the attacker's webserver). The ATM loads an ad to show and is exploited with a malformed JPEG. The attacker now has a shell running as the ATM user and can do things like dispense some cash or maybe use another local vulnerability to get root and install a rootkit that sniffs packets after they have been decrypted.
Oh.
> where are the security problems going to arise ?
From people that have a slightly-functional brain. Obviously we don't need to worry about you.:)
Engineers, I've found, have a fetish for English units. In my first "real engineering" course, thermodynamics, the professor used pounds, feet, etc. almost exclusively. The first time I heard him talk about pounds I spit out my Descartes (you can't call that shit coffee...) and said "DID YOU JUST SAY 'POUND'!? IS IT STILL 1930!?!?!" (actually I just gave him a weird look, same difference...)
But yeah, despite the fact that scientists and other reasonable human beings standardize on SI, engineers seem to like using pounds.
I think that makes the numbers MORE meaningful, not less! If the big sites are all using Apache and not getting hacked (even though the incentive is high), then that means Apache is doing pretty well!
Compare that to joe-average user who's unknowingly running IIS and getting hacked even there's no incentive for a hacker to 0wn him.
It's your fault for breaking the Internet for yourself. That's not a real solution to whatever problem you're trying to solve.
I think this quote applies: "I'm not interested in security through obscurity. I want real security mechanisms, solutions that work for _everybody_. Yes, that's a lot more difficult than randomly blowing away ``suspicious'' portions of the Internet..., but it's the Right Thing To Do." (djb)
All Linux distros are the same. If something works in Gentoo and not Debian, it's because Gentoo set it up and Debian didn't. If you knew what you were doing, though, you could get it working in Debian, because Debian is the same OS/drivers as Gentoo (with a different name and init scripts).
Anyway, the solution to your problem is:
# modprobe rtc # date -s time # hwclock --systohc
Good luck. (And I hear Ubuntu is a good Debian-based distro.)
I was too far away to get ADSL from them, but SDSL has longer range and they could give it to me. (By the time I found out, though, I had already gotten a connection from a local wireless ISP.)
We do that here in the computer labs to authenticate macs (well the users of the macs, but you know what I mean) to AD. After we upgraded to win2k3 our servers have been severely overloaded and logins take over two minutes! Also, the macs will only authenticate to one of our three domain controllers for no apparent reason. Even if we don't tell the macs about that one controller they still authenticate to it!
(I wasn't responsible for this decision; I wanted to auth the macs to the main LDAP database. Instead someone came in here and reinstalled all the servers one night. Morons.)
We can't have WAPs in our dorms either. But people do. Turn off SSID broadcast and no one will ever know. It is your right as a citizen to pollute the 2.4GHz band with whatever you want.
I would assume that if the emulator can load an entire operating system then simple, first-year ASM isn't going to a problem here. He's writing "Hello, world.", not a SMP VM system!
Google can't just not pay him for traffic. Just because it's a slashdotting doesn't mean that that's not legitimate traffic. Do you see ads on other sites that get slashdotted? They get paid for those!
Let me ask you this: what are you smoking?
Just because he's playing the system doesn't mean google can just not pay him. The can cancel his account, but they have to pay him what he earned.
I agree with you here. Google and Yahoo are constantly harassed by the French. I would just pull out of the country and tell the government to fuck off. French "law" doesn't apply in the US. If they don't like google, then they can block it.
Slashdot Mirror
In Soviet Russia, dihydrogen monoxide cracks down on you!
> You may was well have stopped here. Once an attacker has physical access just about everything at
> the software level becomes moot.
> If an attacker has access to carry out the scenario you outlined, then they'll be just as capable of
> using that same level of access to exploit just about anything an ATM is running.
Prove it. Go exploit an OS/2 ATM like this. Then try it with one running IE. I think you'll have an easier time with the IE ATM.
Can you point me to DirectX on my Mac?
Also, every W1nd0ws game I've ever installed has launched a DirectX installer; this, to me, seems to say that an SDL installer could be launched just as easily.
> You don't understand flightsimmers: we need realism.
You're lying. Flightgear is ultra-realistic. The military uses it in their flight simulators. You know why it's hard to fly? Because you have to know what you're doing. Flying a real plane is not as simple as turning it on and moving a joystick. Flightgear is a true flight simulator, not a fun game to play.
Incorrect. I remember seeing some benchmarks a while ago about running UT2004 under Wine. The windows version under wine was faster than the windows version under windows.
Just goes to show you that Windows isn't good for anything. No security, and games are slow too.
We don't use the term "car park" in the US. I'm willing to be Bush has never had the need to say "car park" (or "par cark").
"STFU" means "shut the fuck up".
>So since (presumably) these ATMs a) aren't going to be running as an admin user
:)
This is irrelevant. The user that will be exploited has permission to read card numbers/PINs and dispense cash. I doubt hackers want to 0wn the ATMs and install Linux on them. They want ca$h.
> b) aren't going to allow people using them to visit arbitrary websites that exploit IE (either with or
> without the user's consent)
Here's a scenario. The attacker with physical access to the ATM unplugs it and it reboots. He then taps the Ethernet cable (I doubt they're using quantum crypto + fiber here) and injects fake DNS replies. The ATM caches the (spoofed) IP adserver.bank.com as 1.2.3.4 (the attacker's webserver). The ATM loads an ad to show and is exploited with a malformed JPEG. The attacker now has a shell running as the ATM user and can do things like dispense some cash or maybe use another local vulnerability to get root and install a rootkit that sniffs packets after they have been decrypted.
Oh.
> where are the security problems going to arise ?
From people that have a slightly-functional brain. Obviously we don't need to worry about you.
Engineers, I've found, have a fetish for English units. In my first "real engineering" course, thermodynamics, the professor used pounds, feet, etc. almost exclusively. The first time I heard him talk about pounds I spit out my Descartes (you can't call that shit coffee...) and said "DID YOU JUST SAY 'POUND'!? IS IT STILL 1930!?!?!" (actually I just gave him a weird look, same difference...)
But yeah, despite the fact that scientists and other reasonable human beings standardize on SI, engineers seem to like using pounds.
There's an OS X version of Windows media player. (I wouldn't install it, though, because once you do you can never get rid of it!)
I think that makes the numbers MORE meaningful, not less! If the big sites are all using Apache and not getting hacked (even though the incentive is high), then that means Apache is doing pretty well!
Compare that to joe-average user who's unknowingly running IIS and getting hacked even there's no incentive for a hacker to 0wn him.
It's your fault for breaking the Internet for yourself. That's not a real solution to whatever problem you're trying to solve.
..., but it's the Right Thing To Do." (djb)
I think this quote applies: "I'm not interested in security through obscurity. I want real security mechanisms, solutions that work for _everybody_. Yes, that's a lot more difficult than randomly blowing away ``suspicious'' portions of the Internet
Any OS that lets any random user interrupt the CPU shouldn't... uh... be teaching CS. lol.
All Linux distros are the same. If something works in Gentoo and not Debian, it's because Gentoo set it up and Debian didn't. If you knew what you were doing, though, you could get it working in Debian, because Debian is the same OS/drivers as Gentoo (with a different name and init scripts).
Anyway, the solution to your problem is:
# modprobe rtc
# date -s time
# hwclock --systohc
Good luck. (And I hear Ubuntu is a good Debian-based distro.)
Do you really want late-night soft core pr0n or whenever-you-want hard core pr0n? If you want the second, get a 'net connection :)
There's no ??? step, though. Step 2 is obviously profit generating.
:)
1) Patent other people's inventions
2) ???
3) Profit!!!
Would be the outline. These people figured out what step 2 actually is
I was too far away to get ADSL from them, but SDSL has longer range and they could give it to me. (By the time I found out, though, I had already gotten a connection from a local wireless ISP.)
> bash-2.05b# cat /dev/mem | strings | grep -i llama
> Shit, my RAM is full of llamas...
Perhaps because the argument 'llama' to grep is... stored in memory?
We do that here in the computer labs to authenticate macs (well the users of the macs, but you know what I mean) to AD. After we upgraded to win2k3 our servers have been severely overloaded and logins take over two minutes! Also, the macs will only authenticate to one of our three domain controllers for no apparent reason. Even if we don't tell the macs about that one controller they still authenticate to it!
(I wasn't responsible for this decision; I wanted to auth the macs to the main LDAP database. Instead someone came in here and reinstalled all the servers one night. Morons.)
We can't have WAPs in our dorms either. But people do. Turn off SSID broadcast and no one will ever know. It is your right as a citizen to pollute the 2.4GHz band with whatever you want.
Who cares what Oracle and M$ say about it? Just use Free Software and you can use as many cores as you want! End of discussion.
Even if they didn't spend public money it wouldn't matter. Don't want me taking pictures of it? DON'T PUT IT OUTSIDE IN THE THIRD LARGEST CITY!!!!
I would assume that if the emulator can load an entire operating system then simple, first-year ASM isn't going to a problem here. He's writing "Hello, world.", not a SMP VM system!
Google can't just not pay him for traffic. Just because it's a slashdotting doesn't mean that that's not legitimate traffic. Do you see ads on other sites that get slashdotted? They get paid for those!
Let me ask you this: what are you smoking?
Just because he's playing the system doesn't mean google can just not pay him. The can cancel his account, but they have to pay him what he earned.
I agree with you here. Google and Yahoo are constantly harassed by the French. I would just pull out of the country and tell the government to fuck off. French "law" doesn't apply in the US. If they don't like google, then they can block it.