Slashdot Mirror


User: Effugas

Effugas's activity in the archive.

Stories: 0
Comments: 1,277

Comments · 1,277

  1. Re:Joke? on Former MS Security Strategist Joins Mozilla · · Score: 5, Funny

    Yes, the joke between us for quite some time was that she would normally have gotten the email address windows@microsoft.com...but it seemed to have already been taken.

  2. Inside Man? Are You Joking? on Why Have Movies Been So Bad Lately? · · Score: 1

    Inside Man had quite possibly the worst ending of any film I've ever seen. Denzel Washington could have suddenly found himself to be a Kryptonian, used newly discovered X-Ray Vision powers to find the bad guy, and then put on a pair of glasses and have a newly born secret identity -- and it still would have been more plausible than the crap they threw on the ass end of this film.

    (Superman has its own awful coincidences -- but then, it's Superman, I'm not expecting even mild plausibility.)

  3. Re:One Liners on MS Security Guru Leaves for Amazon.com · · Score: 1

    OK, Trustworthy One-Clicking is probably the funniest concept I've seen in a while. AC FTW.

  4. Improve your fuzzing on Opera Seeks Developer Input For Opera 10 · · Score: 1

    One of the Big Ideas in HTML is that it was the first major format (other than .txt) that could handle garbage input. HTML was probably the first dumb-fuzz resilient protocol in common use.

    But fuzzing has gotten smarter. We need stronger parsers.

  5. Not Impossible on Forensic Analysis of the Stolen VA Database · · Score: 1

    There's more storage in a hard drive than just what exists on the disc.

    S.M.A.R.T. is an obscure, but very useful logging mechanism.

  6. This is actually about telecommuters on How The Internet Works - With Tubes · · Score: 2, Informative

    This has nothing to do with charging Google for video, and everything to do with this:

    Thank you for your message.

    The Comcast @Home product is, and has always been, designated as a residential service and does not allow the use of commercial applications. A VPN or Virtual Private Network is primarily used to connect Internet users to her or his work LAN from an Internet access point.

    High traffic telecommuting while utilizing a VPN can adversely affect the condition of the network while disrupting the connection of our regular residential subscribers.

    To accommodate the needs of our customers who do choose to operate VPN, Comcast offers the Comcast @Home Professional product. @Home Pro is designed to meet the needs of the ever growing population of small office/home office customers and telecommuters that need to take advantage of protocols such as VPN. This product will cost $95 per month, and afford you with standards which differ from the standard residential product.

    If you're interested in upgrading your current Comcast @Home service to Comcast @Home Pro, please e-mail your name, address, and phone number to: sales@comcastpc.com. Prior to Sept 15th, you will be contacted by one of our Comcast @Home Pro representatives to discuss upgrading from your current Comcast @Home residential service.

    While VPN is not a prohibited use of the @Home Pro product, Comcast does not provide support for VPN technology. All inquiries regarding VPN should be directed toward your company's network administrator.

    Currently, the Comcast @Work commercial services do provide VPN support. If your company pays for your internet service, or if you would like to use supported VPN or IP tunneling, please contact our commercial services at 888-638-4338 or visit www.comcastwork.com.

    If there is anything else we can help you with, please contact us. Thank you for choosing Comcast@Home.

    Steve
    Comcast@Home Email Response Specialist

    Stop talking about this like it has anything to do with video. This has nothing to do with video, and everything to do with them turning off telecommuting (indeed, any encrypted communication) by default.

  7. EULAs on Open Source Could Learn from Capitalism · · Score: 2, Interesting

    Closed source has a far bigger anti-capitalist problem with EULAs (name a car that limits where you can drive it) than open source will ever have.

    The assertion that a EULA can be indefinitely scoped is the most unbounded liability in the entire product marketplace.

    --Dan

  8. Re:Black hat?? Come on guys. on Microsoft Says Vista Most Secure OS Ever · · Score: 1

    No, it's this annoying misunderstanding. A couple of us speak at Black Hat, so clearly we're "Black Hat Hackers".

    *sighs*

  9. Re:Black hat? on Microsoft Says Vista Most Secure OS Ever · · Score: 1

    Yeah, it's a big ol' mess. They knew some of us were speakers at the Black Hat Briefings, so they called us Black Hat Hackers...because we're at Black Hat...yeah.

    --Dan

  10. Re:Meanwhile... on Microsoft Says Vista Most Secure OS Ever · · Score: 1

    Wrong black hat, though yeah, that could have been phrased better.

  11. *laughs* on Microsoft Says Vista Most Secure OS Ever · · Score: 1

    Bit of a clarification...they mean this sort of Black Hat.

  12. Re:My question... on CyberTerrorism - Reality or FUD? · · Score: 1

    Yeah, seriously. You'd think refineries would be blowing up left and right.

    Oh. Wait.

  13. An Important Note on The Failure of Information Security · · Score: 2, Insightful

    In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.

    We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.

    IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.

    That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.

  14. Re:Never made sense on Sony RootKit Still A Problem? · · Score: 2, Informative

    What can I say? I got the data, saw what it said, rubbed my eyes and said...

    No, that's just...not...possible.

    And yet, the data just keeps coming back loud and clear.

    It doesn't do this for all names. Certainly, Sunncomm Mediamaxx is reported on far fewer networks -- 50K, maybe? And as mentioned, I threw out hundreds of thousands of servers for returning values they shouldn't already have cached.

    You know, if I was wrong -- and I'd love to be, it's a rare day in security where things are *better* than you thought -- you'd think Sony would have corrected me by now. But look at their very own figures:

    2.1M CDs sold.
    38% penetration of the PC code.

    That's ~700K systems, which is vaguely in line. No, the count is not what's interesting...it's the international nature of the data. That just has no explanation to speak of.

  15. Broken Policy on Computer Jobs -- How to Resign Professionally? · · Score: 2, Interesting

    From a security standpoint, the resignation standpoint appears flawed. The resigner has full control of when he delivers the information, so he can simply delay his announcement until he's completed his malicious activity. It would take a very stupid attacker to steal materials _after_ providing notice.

    But empirically, it may very well be that there are some very stupid attackers.

  16. Re:So Here's The Deal on Nessus 3.0 discussed · · Score: 1

    thogard--

    There are entire companies that just take Nessus, slap a new UI on it, and release a 1U appliance that audits enterprise networks.

  17. So Here's The Deal on Nessus 3.0 discussed · · Score: 4, Interesting

    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there's a lot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.

  18. Hostage on End of the Road for U.S. BlackBerry Users ? · · Score: 1

    Well, if RIM is being held hostage, there's always their nuclear option:

    Take the product off the market. Not just their product, but all wireless email, everywhere, in the states.

    After all, it's unimaginable that RIM has no patents themselves that could block others from creating products. And with SMS arguably a form of wireless email, that can go too.

    Perhaps this is an option that shouldn't be available to them. I'm sure they'd be the first to call for global disarmament. But -- if the patent endgame is facing them, they can always return the favor. Anything that would invalidate their patents would surely hit NTP as well!

    --Dan

  19. Yadda Yadda on Practical Exploits of Broken MD5 Algorithm · · Score: 5, Interesting

    Two pages, same hashes, etc. (This is the guy who wrote the MD5 someday paper.)

    http://www.doxpara.com/t1.html
    http://www.doxpara.com/t2.html

  20. Re:News flash: on RTLinux Boasts Single-Digit uSec Responsiveness · · Score: 1

    How are you playing WoW on Linux?

    One of the WINE branches?

    Using something native (Jack), I've achieved 32 bytes at a time, double period (quite a bit less than 1ms of audio), stable on Linux.

  21. Re:Details and Mike Lynn on Cisco Flaw Opens Routers to Attack · · Score: 2, Informative

    Routing is disabled. Doesn't mean the box doesn't parse IPv6 before trashing 'em.

    As for the link-local -- the point of Mike's attack wasn't that he could take out arbitrary hosts, it was that shellcode on IOS was possible. The nasty thing is, on 100% Cisco networks (go look up Cisco Powered Network), you break the first hop, then the next, then the next, then the next...everything is link local when every hop is vulnerable.

  22. Re:Details and Mike Lynn on Cisco Flaw Opens Routers to Attack · · Score: 2, Informative

    Active by default.

    Mike's attack was significant on another front too -- getting an attack vector is one thing, actually using it is such a PITA that Jim Duncan of Cisco PSIRT (someone I know and highly respect) actually reacted with ... ahem ... "unexpectedly strong disbelief" when Mike said he could exploit the box using what he'd found.

  23. Details and Mike Lynn on Cisco Flaw Opens Routers to Attack · · Score: 5, Informative

    No. Mike's "first cut" was against the link-local IPv6 parser (a fact not disclosed publicly by Mike, but by Cisco). Once in, he actually figured out how to execute arbitrary code -- something way harder than even Mike's slides describe.

    He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.

  24. Who to talk to on Infrastructure for One Million Email Accounts? · · Score: 2, Informative

    I've heard surprisingly good things about Communigate Pro, though I have no idea if it scales that high.

    Mirapoint is probably _the_ vendor to speak to, though.

  25. Scaling up on Automated Pool System Saves Swimmer · · Score: 1

    If this were deployed in every pool, there would be competition, and with competition would be significantly reduced prices. Honestly, just a "bottom-of-the-pool cam" to every lifeguard, with an alarm for sections of the bottom that aren't changing but do have someone -- this would catch quite a bit, and be really cheap to implement.