I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.
I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.
We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.
Keep in mind that this is a British tabloid that is doing the reporting. The genre is notorious for fluff, demagoguery, and "sports dailies" that are basically half sports, half softcore porn. I'd hope to see something a bit more solid verifying this story before I worried too much about it.
No, no, no, that couldn't be it. It must be something about the wireless gateways that translate between SMTP and SMS. For some unknown reason, the phrase
"stunning performances by both Affleck and Lopez and masterful direction bring forth an epic of a quality not seen since 'Doctor Zhivago'"
gets hashed into
"Christ, I hope these two fuckwits don't breed, this movie blows dead monkeys!"
I'm not surprised it's the Washington Post who is reporting on this. I live in Washington, DC as a consultant, and travel a lot to other cities. I have had cell phones with three carriers, and with all of them I've had much worse trouble here than in cities elsewhere, without exception. On one hand, we have some serious density of equipment here, but on the other hand there are zones where one knows one will lose their cell phone signal; the worst two zones are adjacent to the CIA's facility and the Pentagon, for example. This sort of thing can't be helping the matter.
This strikes me more as being like mesh networking instead. The way they establish their own network by routing amongst themselves is a key characteristic of mesh technology. What I have to wonder is this: how far along will this concept go? Could it be that these are the predecessors of a landmine problem of the information age?
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
You're a useless little puke, aren't you?:) The hard part of this equation is not detecting the fingers interacting with the hologram. The hard part is generating a free-standing hologram without any physical component (like a collimator). They don't give a shred of information as to how they accomplish that heretofore impossible feat, and the obvious photoshop-generated nature of their pictures only throw the whole thing into greater question.
(Vent mode on) This is the sort of moronic powermongering that makes me want to stop at a Sports Authority to buy a baseball bat on the way to visiting the local school board. When will these people grasp that they don't have these jobs to develop their own fiefdoms? Does anyone remember a time when the bullies were just other children, or is that just a nostalgic false memory on my part?
And jeez, it's not even like they're powermongering over a difficult audience...these are KIDS for chrissakes! So you can keep an orwellian eye on them...congratufrickilations! Wimp bitches. (Vent mode off)
If venting is worthy of modding down, by all means, do so. I certainly did vent:)
In a nutshell, the Special Master for the court has brought in an outside consultant to do pen-testing of DOI systems. The problem is that this guy is just hacking away willy-nilly, and there are no rules of engagement or lines of communication. In short, there's no way for DOI to know this guy's attacks apart from those of any black-hat, and there's no way to prevent him from doing more harm than good (or notifying DOI should he screw something up, as is prone to happen in pen-testing). SAIC, the company working to improve DOI security, has asked for some changes to this, and was turned down. As a result, the DoJ has intervened, pointing out that what the consultant has been doing is not legal and is actually hacking in the very illegal sense of the word. This is the backlash from the Special Master in return for that.
"How many possible ways can you dodge allegations from multiple sources that you exclusively protect large commercial organizations or large groups of smaller commercial organizations, and largely ignore individuals?"
O'Leary: "We determine this based upon a number of factors..."
I tried yoga for the first time just a few weeks ago. My girlfriend had been going about two months at that point, and loved it so much that I was interested. I never realized yoga was such a workout; my abs were sore for days after (and my abs are, unlike most other geeks, in pretty good shape to being with from rock climbing and mountain biking). If my workplace offered this, I'd be totally into it for all the reasons described.
Although I did feel, being the only guy there and having long hair, that I looked like "sensitive ponytail guy."
That he's in it for the money? Why couldn't it be that he's just patenting it so that nobody else can...he could license it freely, unlike what any number of other companies would do if they managed to patent it instead.
Actually, an Inergen system might not be more expensive at all; the prices of these things have come way down, and sprinklers have an enormous engineering cost associated with the layout of the pipes. The challenge is to ensure that if a significant number of the sprinkler heads along each pipe run are triggered, all the active heads will get the same water pressure. This is done with variations along the plumbing route of that pipe run. Obviously, this has to be engineered on a case-by-case basis, and is simpler to do in office structures than in the architecturally more interesting layout of a home. With a system that uses Inergen, there are no such concerns, one just chooses a storage tank and exhaust port (I think that's what they're called) that are suitable for the size of the room in question; really large rooms get more than one port. And since 9/11, as companies are spending a lot more on this, the cost of them is actually coming down a bit owing to economies of scale in production.
Ok, you can no longer (I'm assuming you're in the USA) get halon, as it is harmful to the ozone layer. What's now used for this purpose is called Inergen. Furthermore, despite all the howling by everyone about the risk of suffocation, keep in mind that it will take a bit of time for an entire home to become filled with the stuff, and the fact that any professionally installed system includes alerts to let you know when the system is activated. Between the warning you get, the air in your lungs and the air that has not been displaced yet, you can be just fine. This kind of system has been put in many types of facilities in all sorts of different ways, and unless it's done incredibly wrong, by no means will it turn your home into a big gas chamber:)
"Inaudible to humans" means one of three things...one, too low to be heard (in which case mosquitoes won't care, or two and three, infrasound and ultrasound, respectively. The problem with that is that a cell phone cannot generate sounds in those frequencies with any reliability...it's not designed to. Infrasound requires a huge driver, and if you've ever looked at those devices that supposedly drive away aggressive dogs with ultrasound you know what an ultrasound transducer looks like, and it's nothing like the piezoelectric speaker a cell phone contains for ringtones. This is just an example of what happens in countries with more relaxed consumer protection statutes.
"Hello?" "Hello, I am sorry for the embarrassment this phone call might cause you as we have not had any correspondence before this phone call. I got your address through my nephew with Nigerian Military Chamber of Commerce industry and Mining during my research for a reliable and trustworthy partner who l can do business with though l did not disclose the nature of the business l intend to do with whoever he recommend for me... "
The fish themselves don't scare me at all...but this paragraph does:
The Night Pearl began as a research tool created by HJ Tsai, a professor at National Taiwan University. He was looking for a way to make fish organs easier to see when studying them, and isolated a gene for a fluorescent protein that he had extracted from jellyfish and inserted it into the genome of a zebrafish. To his astonishment, the jellyfish gene made whole zebrafish glow.
I mean, what made him think only the organs would get the effect? Pretty damned haphazard to me...who knows what other unexpected thing might occur sometime.
I must ask this: why is ANY law that mandates preference for any solution over any other solution good? I think Open Source is wonderful...and that's exactly why I don't think it needs this. In the end, assuming competency of the one in charge, the best solution is most likely to prevail. Naturally, there's going to be deviation from situation to situation on this, but when you're talking about legislation you have to deal with averages, and I feel that this holds true. In truth, I think that if someone ISN'T competent to make the proper choice, I'd rather they not choose Open Source because of some legal requirement or prodding; if something gets all borked up, they'll just point to Open Source software as the cause.
The Open Source world of software came out of nowhere, and didn't require big marketing budgets, lobbyists, or snappy ad campaigns...and it certainly doesn't need a law to pressure others into using it.
I do consulting in the Washington DC area, and have been in a lot of federal agencies. At the point where products are chosen and designs are built, nobody really cares what any politicians think. It comes down to the people who are in charge, at the agency level, of that project. At times, it isn't even up to them, as they hand that duty off to the contractor or even subcontractor. Good example: we once did a Citrix solution for Raytheon as part of a larger solution that went to the FAA...and only one person at FAA even knew what we were doing.
While the NSA was granting Common Criteria Certification to Checkpoint Firewall-1 (an Israeli product), relative small-fry in multiple agencies were afraid to use it due to the classic federal urban legend about Israeli backdoors or other malware embedded into it. The US Army has a collossal site license (or at least had, some years ago) for Netscape products, so that's what they used when possible. Ultimately, the people in charge of choosing the solution do so without significant awareness or care of what politicians say, think, or feel...and this is both good and bad.
There's just one problem with this. You can't just say, "I'm bankrupt!" and get court protection. You have to essentially ask for it...and if you've done it within a certain amount of time in the near past, you can't do it again. Furthermore, if the court looks at your past and thinks you're trying the tactic of racking up debt (which, mind you, you won't be able to do for about 7 years anyways after the bankruptcy is finished, due to your credit score), it will refuse to grant you bankruptcy status.
So it's not all that simple to just keep living large, going broke, getting a clean slate and starting over anew again.
Yes, but you're also missing a larger point here. The demand for bandwidth from home users is increasing...but rather than see this as a good opportunity, ISPs are whining about it! P2P is the application that provides options for them to grow, to take advantage of some of that dark fiber and make money using it, and yet, they are complaining about the demand. Doesn't make much sense to me...if I ran an ISP, I'd even produce a set of advertisments highlighting the idea.
"In a follow-up, we've also uncovered that 60% of home electrical use can be attributed to television usage. Now, we go live to Jack McDuh..."
"Thank you, Beavis...apparently, the majority of home electrical usage is going to things like watching television, playing video games, or playing music on a stereo. I have with me Mr. Mxlyplk, the general manager of ConEd for this region. Tell us, Mr. Mxlyplk, what can you tell us about this discovery?"
"Well, Jack, it's rather shocking. All along we assumed that home users were using our electrical output to cure cancer or develop space travel or something like that. But apparently, people who dutifully pay their monthly fees for a utility think they can just use it any way they want to, for any old purpose!"
Slashdot Mirror
I think you're confusing what Lamo did with something that the NYT actually gave permission for. I agree with you, that a penetration test should be performed in such a way as to be unexpected, so paranoid admins can't do stupid things to improve the results (like turn off all inbound access for a day). But this wasn't a penetration test, it was nothing more than an uninvited and deeply illegal intrusion plus some spin control for the media.
I know a lot of people look at it and say, "Oh, but he had good intentions, that makes it ok!" It's not really like that...we don't KNOW his real intentions at all, just what he SAYS his intentions are. But, if someone owned your network, would you just trust them when they say they didn't do anything more insidious than they told you about? I wouldn't, and the resulting cleanup to make sure that nothing more was done is an expensive and disruptive process. This is part of why the damages for relatively minor hacks end up being so enormous in many cases.
We're always pushing ourselves to question what we're being told by the media, by our leaders, by our educators, by big business...we should really question anyone who might have an ulterior motive.
Keep in mind that this is a British tabloid that is doing the reporting. The genre is notorious for fluff, demagoguery, and "sports dailies" that are basically half sports, half softcore porn. I'd hope to see something a bit more solid verifying this story before I worried too much about it.
I'm not surprised it's the Washington Post who is reporting on this. I live in Washington, DC as a consultant, and travel a lot to other cities. I have had cell phones with three carriers, and with all of them I've had much worse trouble here than in cities elsewhere, without exception. On one hand, we have some serious density of equipment here, but on the other hand there are zones where one knows one will lose their cell phone signal; the worst two zones are adjacent to the CIA's facility and the Pentagon, for example. This sort of thing can't be helping the matter.
This strikes me more as being like mesh networking instead. The way they establish their own network by routing amongst themselves is a key characteristic of mesh technology. What I have to wonder is this: how far along will this concept go? Could it be that these are the predecessors of a landmine problem of the information age?
One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.
Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.
Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.
By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.
You're a useless little puke, aren't you? :) The hard part of this equation is not detecting the fingers interacting with the hologram. The hard part is generating a free-standing hologram without any physical component (like a collimator). They don't give a shred of information as to how they accomplish that heretofore impossible feat, and the obvious photoshop-generated nature of their pictures only throw the whole thing into greater question.
Then it would give new meaning to the term, "vaporware."
(Vent mode on)
:)
This is the sort of moronic powermongering that makes me want to stop at a Sports Authority to buy a baseball bat on the way to visiting the local school board. When will these people grasp that they don't have these jobs to develop their own fiefdoms? Does anyone remember a time when the bullies were just other children, or is that just a nostalgic false memory on my part?
And jeez, it's not even like they're powermongering over a difficult audience...these are KIDS for chrissakes! So you can keep an orwellian eye on them...congratufrickilations! Wimp bitches.
(Vent mode off)
If venting is worthy of modding down, by all means, do so. I certainly did vent
In a nutshell, the Special Master for the court has brought in an outside consultant to do pen-testing of DOI systems. The problem is that this guy is just hacking away willy-nilly, and there are no rules of engagement or lines of communication. In short, there's no way for DOI to know this guy's attacks apart from those of any black-hat, and there's no way to prevent him from doing more harm than good (or notifying DOI should he screw something up, as is prone to happen in pen-testing). SAIC, the company working to improve DOI security, has asked for some changes to this, and was turned down. As a result, the DoJ has intervened, pointing out that what the consultant has been doing is not legal and is actually hacking in the very illegal sense of the word. This is the backlash from the Special Master in return for that.
"How many possible ways can you dodge allegations from multiple sources that you exclusively protect large commercial organizations or large groups of smaller commercial organizations, and largely ignore individuals?"
O'Leary:
"We determine this based upon a number of factors..."
By 2060, half of THOSE jobs will be outsourced to robots in India!
I tried yoga for the first time just a few weeks ago. My girlfriend had been going about two months at that point, and loved it so much that I was interested. I never realized yoga was such a workout; my abs were sore for days after (and my abs are, unlike most other geeks, in pretty good shape to being with from rock climbing and mountain biking). If my workplace offered this, I'd be totally into it for all the reasons described.
Although I did feel, being the only guy there and having long hair, that I looked like "sensitive ponytail guy."
That he's in it for the money? Why couldn't it be that he's just patenting it so that nobody else can...he could license it freely, unlike what any number of other companies would do if they managed to patent it instead.
Actually, an Inergen system might not be more expensive at all; the prices of these things have come way down, and sprinklers have an enormous engineering cost associated with the layout of the pipes. The challenge is to ensure that if a significant number of the sprinkler heads along each pipe run are triggered, all the active heads will get the same water pressure. This is done with variations along the plumbing route of that pipe run. Obviously, this has to be engineered on a case-by-case basis, and is simpler to do in office structures than in the architecturally more interesting layout of a home. With a system that uses Inergen, there are no such concerns, one just chooses a storage tank and exhaust port (I think that's what they're called) that are suitable for the size of the room in question; really large rooms get more than one port. And since 9/11, as companies are spending a lot more on this, the cost of them is actually coming down a bit owing to economies of scale in production.
Ok, you can no longer (I'm assuming you're in the USA) get halon, as it is harmful to the ozone layer. What's now used for this purpose is called Inergen. Furthermore, despite all the howling by everyone about the risk of suffocation, keep in mind that it will take a bit of time for an entire home to become filled with the stuff, and the fact that any professionally installed system includes alerts to let you know when the system is activated. Between the warning you get, the air in your lungs and the air that has not been displaced yet, you can be just fine. This kind of system has been put in many types of facilities in all sorts of different ways, and unless it's done incredibly wrong, by no means will it turn your home into a big gas chamber :)
"Inaudible to humans" means one of three things...one, too low to be heard (in which case mosquitoes won't care, or two and three, infrasound and ultrasound, respectively. The problem with that is that a cell phone cannot generate sounds in those frequencies with any reliability...it's not designed to. Infrasound requires a huge driver, and if you've ever looked at those devices that supposedly drive away aggressive dogs with ultrasound you know what an ultrasound transducer looks like, and it's nothing like the piezoelectric speaker a cell phone contains for ringtones. This is just an example of what happens in countries with more relaxed consumer protection statutes.
"Hello?"
"Hello,
I am sorry for the embarrassment this phone call might cause you as we have not had any correspondence before this phone call. I got your address through my nephew with Nigerian Military Chamber of Commerce industry and Mining during my research for a reliable and trustworthy partner who l can do business with though l did not disclose the nature of the business l intend to do with whoever he recommend for me... "
I mean, what made him think only the organs would get the effect? Pretty damned haphazard to me...who knows what other unexpected thing might occur sometime.
I must ask this: why is ANY law that mandates preference for any solution over any other solution good? I think Open Source is wonderful...and that's exactly why I don't think it needs this. In the end, assuming competency of the one in charge, the best solution is most likely to prevail. Naturally, there's going to be deviation from situation to situation on this, but when you're talking about legislation you have to deal with averages, and I feel that this holds true. In truth, I think that if someone ISN'T competent to make the proper choice, I'd rather they not choose Open Source because of some legal requirement or prodding; if something gets all borked up, they'll just point to Open Source software as the cause.
The Open Source world of software came out of nowhere, and didn't require big marketing budgets, lobbyists, or snappy ad campaigns...and it certainly doesn't need a law to pressure others into using it.
I do consulting in the Washington DC area, and have been in a lot of federal agencies. At the point where products are chosen and designs are built, nobody really cares what any politicians think. It comes down to the people who are in charge, at the agency level, of that project. At times, it isn't even up to them, as they hand that duty off to the contractor or even subcontractor. Good example: we once did a Citrix solution for Raytheon as part of a larger solution that went to the FAA...and only one person at FAA even knew what we were doing.
While the NSA was granting Common Criteria Certification to Checkpoint Firewall-1 (an Israeli product), relative small-fry in multiple agencies were afraid to use it due to the classic federal urban legend about Israeli backdoors or other malware embedded into it. The US Army has a collossal site license (or at least had, some years ago) for Netscape products, so that's what they used when possible. Ultimately, the people in charge of choosing the solution do so without significant awareness or care of what politicians say, think, or feel...and this is both good and bad.
There's just one problem with this. You can't just say, "I'm bankrupt!" and get court protection. You have to essentially ask for it...and if you've done it within a certain amount of time in the near past, you can't do it again. Furthermore, if the court looks at your past and thinks you're trying the tactic of racking up debt (which, mind you, you won't be able to do for about 7 years anyways after the bankruptcy is finished, due to your credit score), it will refuse to grant you bankruptcy status.
So it's not all that simple to just keep living large, going broke, getting a clean slate and starting over anew again.
Yes, but you're also missing a larger point here. The demand for bandwidth from home users is increasing...but rather than see this as a good opportunity, ISPs are whining about it! P2P is the application that provides options for them to grow, to take advantage of some of that dark fiber and make money using it, and yet, they are complaining about the demand. Doesn't make much sense to me...if I ran an ISP, I'd even produce a set of advertisments highlighting the idea.
"In a follow-up, we've also uncovered that 60% of home electrical use can be attributed to television usage. Now, we go live to Jack McDuh..."
"Thank you, Beavis...apparently, the majority of home electrical usage is going to things like watching television, playing video games, or playing music on a stereo. I have with me Mr. Mxlyplk, the general manager of ConEd for this region. Tell us, Mr. Mxlyplk, what can you tell us about this discovery?"
"Well, Jack, it's rather shocking. All along we assumed that home users were using our electrical output to cure cancer or develop space travel or something like that. But apparently, people who dutifully pay their monthly fees for a utility think they can just use it any way they want to, for any old purpose!"