Every time I hear news like this I have to remind myself that 50% of the human race is below average intelligence. Usually when I mention this to someone they say "that can't be true!" Then I know that they are one of the lower half. A fool and his money.....
My current employer asked me to put together a spam mail for one of their products, I flatly refused. Not only did I refuse, I told them I wouldn't want to work for a company that does that kind of shit.
They went ahead and did it without me, the spam yielded no profit at all, and I'm still working for them, but considering other job offers.
I explained as politely as I could how spamming is not a good business practice, and even though I have many years in the software business, I was ignored. It's sad when companies trust their upstart marketing people over the more qualified seasoned employees.
Here is a copy of part of my hosts file, taken from a program that blocks ads. It works for most sites, I surf ad free, mostly, that hosts file and a few things to block popups, I see nothing. Some people should use 127.0.0.1 for the 0.0.0.0 that I have there, and some people may experience a slowdown on their surfing if using some windows versions, but I haven't seen that on w2k using this hosts file (the hosts file can be found on windows (2k/NT) systems in your "winnt/system32/drivers/etc/" dir - if I'm wrong someone will correct me) linux users know where it is...
Start with documenting the code first! Since the code is what must be maintained in the long run, this is the critical place to make sure you have decent documentation so any programmer can pick up where the last one left off. Well documented code should contain as many comments (if not more) as code.
Once the code is well commented, pull the comments out and use that as a start for technical documentation, a reference to the design, functionality, and interaction with other programs, modules, etc.
Once this is complete, then, and only then, should you start documenting the programming project as a whole, mapping out database layouts, etc. (note: this is from the standpoint that you did not do it correctly the first time and are basically working from scratch). No matter what you use to document the system in, it should be a common format between all projects and systems. Databases should be documented using a decent data modeler, and don't forget to document the stored procedures (in the procedures as well as external documentation).
Once all the technical documentation is complete, then you should start thinking about documenting the project from a user's point of view. If a system works well and is easy to navigate, the users will rarely reference a help file.
I have walked into too many projects that were completed in haste, and looked at way too much code that was not commented at all to know that had the previous programmer done his/her job well, it would have saved me half the time trying to understand why they had done something the way they did. When writing code it's easy to assume that the code you write is blatantly obvious, but to someone not knowing the system from the start, it won't be, keep that in mind and all your code will end up being well commented, and writing documentation will be easier later for anyone looking at the system.
In the future, remember that a well organized programming project will involve much more planning and pre-documentation than actual coding.
Microsoft has known for years that one of their major flaws is the "security" that its products offer. This statement by Bill is just a campaign to cover up the problems that exist and quell the fears of some of the major corp. consumers that are "on the edge". Microsoft has a solid foundation in many companies and will continue to do so for many years. However, the recent public "discoveries" of the down side to the lack of security in Microsoft products is putting a damper on Microsoft's rapid takeover of many market segments.
This (the "new" public awareness, and "new" anti-M$ press coverage) should be viewed as a blessing to those that use Microsoft products as well as those that wish they would just die a horrible death. Press coverage that actually tells the truth, instead of just covering the bells and whistles added onto an insecure product, will help make large companies realize that they cannot continue to put crap products out once a year, and do much more to help the growing usage of more secure, less-known OS's (linux, x-BSD, etc.).
On the other hand, this "security problem" is not really a major flaw, 99% of people using M$ products have many, many, other ways of being tracked using products like Outlook Express in the default settings. Just viewing an e-mail with default settings in OE will allow spammers to know your address is valid (with the right embedded code).
People (the average consumer) will never wise up and start using more secure products, it will take bad press, and cash flow changes to make companies stop creating insecure OS's.
Well, I am one of the many that has been disconnected today. I got online by doing the following:
Bought a PCI modem from staples $49.95
Bought a magazine at Barnes & Noble for $2.95
Used the AOL CD to get connected using one of my last surviving Windows 98 computers in my house (one out of about 20 computers here)
Back on line and getting trolled in IRC for using AOL, so not much difference in the connection, but at least I am connected;-)
now, if I could find that AOL Teens for Jesus chat room I could have some fun!
I have no choice in the matter, changing DNS does nothing for me, I am SOL, and not having any internet connection this was a fast choice to get my e-mail back up (I use my own) and AT&T owns everything around here, cable TV, cable internet, phone service, and I have no access to DSL. I'd like to thank the US government for the choices they have provided the consumer when allowing AT&T to take over so many local cable companies!
"In a few years from now, it will either be a Java-Linux world, or a .NET world. The choice is ours."
I highly doubt that one will win out on the other totally. Either there will be somewhat of a crossover in the technology or a new candidate will come into the fray. Apache is solid, IIS has been proven to be somewhat insecure. Yes, as IIS becomes more stable it will be accepted by a wider audience.
"Now this is going to be controversial and will not win me many friends, but I think the Open Source community has to get real about a couple of things."
That comment I totally agree with, if the Open Source community wants to compare itself to, and compete with companies that are driven by profit, they have to appeal to the people that use the products for profit, Microsoft sees this, and takes advantage of the fact that people want solutions that can be developed quickly, trading a loss in performance and security for a solution that is first to market. The point about the lack of a GUI config for Apache is a good point, and should not be brushed off by those (including me) that don't have a problem configuring a httpd.conf file through vi (or emacs).
Companies are looking for solutions that require less cost in implementing, and when you (well, not most programmers, but the management "you") compare the cost of training someone to use Apache vs pressing a button to run IIS.....
"My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book,"
And all along I had assumed that when at work, the computer I was working on was my employer's property, and they could monitor it. Maybe all laws should be tested on the legislators (and judicial branch that upholds such laws) so they can feel the effects. Heh, maybe it would even lead to police and the US President following some of the laws that the rest of us have to live under.
If a company did not lay people off after a large acquisition, it would be an atypical situation. Most acquisitions are mainly driven by the need/want of the services that the acquired company provides, redundant personnel are given their walking papers, and the combined company is seen by stockholders to be operating more efficiently. These layoffs shouldn't be a surprise at all, it's the way the business world works.
The ONLY thing that @HOME, or at least AT&T@HOME, scans for is the usage of news servers, and I think that is the least of their concerns. I'm sure they won't change their policy (and I hope they don't since I run many other servers off my @HOME connection).
It's not the ISP's problem to monitor the usage of their clients unless it results in a bandwidth problem for them, or a legal problem for them providing a client the bandwidth (to use illegally).
This still boils down to stupid users, stupid people. I've had over 20 times the amount of hits from this codered II worm than the first codered one last month. It's modified to attack cable modem users specifically, I'd assume, and rightfully so. Maybe it will shed light on the problems with installing microCrap(tm) products.
Info from BugTraq, where to send your log files...
(on "Code Red Back For More", Score: 1)
---------- Forwarded message ----------
Date: Sat, 4 Aug 2001 23:00:39 -0600 (MDT)
From: Alfred Huger
To: incidents@securityfocus.com
Subject: Code Red Revision
Evening all,
I had planned on sending out a thanks this evening to all of the
contributors (in terms of logs) who came through on the Code Red (revision
2) surge last week. Regrettably it looks like I will have to wait due to a
new variant or rather new worm on the loose.
As some of you know a new worm has been released into the wild which uses
the same exploit - the Microsoft Indexing Server/Indexing Services ISAPI
Buffer Overflow Attack (http://www.securityfocus.com/bid/2880). However,
this is most likely not a revision of the initial Code Red worm but a new
worm which simply uses the same entry point. It carries an actual
malicious payload and has a number of other very interesting features. The
SecurityFocus ARIS Team and eEye Digital Security will be releasing an
in-depth writeup in the next hour or two with technical details as well as
information about its spread to date.
As opposed to filling the list with logs of attacks I will reserve the
list for discussion of the worm's payload and features - after we post an
analysis. So very shortly. Until then, it would be fantastic if you can
send your log files to:
aris-report@securityfocus.com
Because we have caught this very early we plan on starting the
notification process tonight. We sent close to 400,000 notifications
against Code Red 1 & 2 previously - hopefully because we are on top of
this our notifications now will help address the situation much, much
faster.
If you would like to send offending IP data - Please send it in the
following format:
IP ADDRESS DATE/TIME
Or something similar to this. Please ensure the information is contained
to IP address and date per line as we do our notification automatically
and our system needs to be able to understand the logs you send us.
We will be posting more shortly.
-Al
VP Engineering
SecurityFocus.com
"Vae Victis"
Yeah, right. Until they get enough people on it and tell you they are increasing the cost and providing you with better content (heh, they are making the internet content better?!).
Answers here (post more):
Q: Coin in bottle
A: Simply push the cork into the bottle and shake the coin out.
Actually, take a look at this article. Microsoft is attempting to sneak in as much control of your computer as possible.
Mouse Mod
How about the Irish potato famine, and England's control of the food traffic within the country? They effectively created an Irish holocost.
Source code for the worm
Actually, it is safe to make the ChallengeResponseAuthentication no change and restart, until you upgrade. But, you can not assume your version is vulnerable solely from the config file, it's a compile time option that makes it vulnerable, and this is different on many systems, so be safe, do the workaround until you upgrade.
Locate the "ChallengeResponseAuthentication" line in /etc/ssh/sshd_config (typically), change it to:
"ChallengeResponseAuthentication no" and restart sshd
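An added example, not code from the comment above: a POSIX sh script that applies that workaround idempotently (forcing "ChallengeResponseAuthentication no", including when the only existing line is commented out or the directive is missing) and reads back the value sshd would actually use, run here on a constructed config rather than the real /etc/ssh/sshd_config. As the comment notes, the config alone does not tell you whether a build is affected, so this only makes the config state unambiguous.

```shell
#!/bin/sh
# Added example: apply the "ChallengeResponseAuthentication no" workaround
# to an sshd_config file idempotently and report the effective value.
set -eu

# Effective value of ChallengeResponseAuthentication in the given file.
# sshd keeps the FIRST uncommented occurrence of a keyword, so that is what
# is reported; "unset" means the directive is absent (sshd then falls back to
# its built-in default). Match blocks are not considered here.
crauth_value() {
    awk 'tolower($1) == "challengeresponseauthentication" && v == "" { v = tolower($2) }
         END { print ((v == "") ? "unset" : v) }' "$1"
}

# Rewrite FILE so the first ChallengeResponseAuthentication line (commented
# out or not) becomes "ChallengeResponseAuthentication no", drop any later
# copies so nothing can override it, and append the directive if the file
# never had one. Running it twice leaves the file unchanged.
disable_crauth() {
    f="$1"
    tmp="$f.tmp.$$"
    awk '
        /^[[:space:]]*#?[[:space:]]*[Cc]hallenge[Rr]esponse[Aa]uthentication([[:space:]]|$)/ {
            if (!done) { print "ChallengeResponseAuthentication no"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "ChallengeResponseAuthentication no" }
    ' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# Demo on a constructed config (never touches the real /etc/ssh/sshd_config).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
Port 22
# ChallengeResponseAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
echo "before: $(crauth_value "$demo")"
disable_crauth "$demo"
echo "after:  $(crauth_value "$demo")"
disable_crauth "$demo"   # second run is a no-op
echo "directive lines now present: $(grep -ci challengeresponseauthentication "$demo")"
rm -f "$demo"
# On a real host: disable_crauth /etc/ssh/sshd_config, then "sshd -t" (syntax)
# and "sshd -T | grep -i challengeresponse" (effective value) before restarting
# sshd as the comment says.
```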
maybe we are being hacked: check out this site
I do love my job.
But I have learned to detach myself from the managers and the results that my work "should" produce.
I have programmed for over 13 years in a professional sense and come to realize that the work that I do, although I do very diligent work, much of what I program will never come to fruition or even be seen by more than me and my co-workers. I have lost sight of making a killer-app or even making an impact on any of the many industries that I have worked in. Most of my great work has been lost in mis-funded, under-funded projects, mismanaged projects, companies that go under before the product comes to market.... etc, etc.
I have not lost faith in my abilities by others' problems or misfortunes, I know that I can make a decent piece of code if needed, and meet deadlines, without sacrificing code quality, if needed, my work is still my own. Hell, toss off others' problems as their own and not yours, poor management is not a fault of the people below the managers, DUH!
Just work your ass off, like your job (or get another if you don't like programming) and in the meantime, do your own projects that you can at least have a REAL impact upon, and stop complaining about business, you can't change it (unless, of course you become...URG! a manager!)
heh.
Here's a link to the services that AT&T promised as they were switching.
http://newuser.attbi.com/attbi_welcome_page.html#about
I have to say that I'm not that happy with this. One other thing they changed was the ability to use your own mail server for outgoing mail. With the problems that I previously had with @HOME mail (it NEVER worked) this is a huge change in service. I have no other alternatives for service in my area (other than paying about $1100/mo for a T1), thanks a lot AT&T!
Here is a link to the migration timings for AT&T customers:
http://help.broadband.att.com/faq.jsp?name=srvc_available_frmrtci
I am still without cable modem access, and without any other choice for a high speed connection.
As soon as I do have a choice, I'll be running away from AT&T. This debacle is AT&T's fault, they failed their customers, and should have had an immediate backup plan when this happened.
ephemeral (-fmr-l)
adj.
Lasting for a markedly brief time: "There remain some truths too ephemeral to be captured in the cold pages of a court transcript" (Irving R. Kaufman).
Living or lasting only for a day, as certain plants or insects do.
n.
A markedly short-lived thing.
"Discarded paper table "linen" and rayon underwear are bought by chemical factories to be converted into candy." "Trick or treat"