Slashdot Mirror


User: Ken+Williams

Ken+Williams's activity in the archive.

Stories: 0
Comments: 58

Comments · 58

  1. fire yourself on Helping IT Save Money ... and Jobs? · · Score: 1


    fire yourself and outsource to India.

  2. bad info in that article - we use ls1edit, efilive on Hack Your Ride · · Score: 4, Informative

    that was a crap article that was poorly researched. the pros use ls1edit and efilive for tuning corvettes. hptuners just came out with similar products too. and if you are building a high HP race corvette, you piggyback the whole system with a FAST or DFI system for engine management.

    i'm using ls1edit and efilive to tune my 580 HP blown c5 corvette.
    http://www.kcpimp.com/cars/c5.html
    http://www.kcpimp.com/gallery/c5
    http://www.kcpimp.com/gallery/dyno

    links:
    ls1edit: http://www.carputing.com/
    EFILive: http://www.efilive.com/
    FAST: http://www.fuelairspark.com/
    DFI: http://go.mrgasket.com/
    hptuners: www.hptuners.com

    Regards,
    kw

    p.s. and only an idiot would pay $17k to replace a blown 03 cobra motor. you can get short blocks all day for well under $5k.

  3. that's not me! on Googling For Dates? · · Score: 2

    googling for "ken williams" produced the following:

    Ken Williams the major league baseball player
    http://www.baseball-reference.com/w/willike01.shtml
    only problem is i never played baseball

    Ken Williams the game developer (Sierra Online)
    http://www.mobygames.com/developer/sheet/view/developerId,59/
    that's not me either

    Ken Williams the perl consultant
    http://conferences.oreillynet.com/cs/os2002/view/e_spkr/773
    not me either

    there are also judges, mayors, police chiefs, government officials from US and England, an FBI agent, and numerous criminals convicted of everything from drug trafficking to armed robbery and even murder.

  4. losing legit email because of spam filtering s/w?? on MSNBC: Offices Remain Spam Free Zones · · Score: 5, Informative

    hrm, we use complex filtering software and techniques, and i still get lots of spam. i receive about 200 work related emails each day to a certain account, and about 25% of that is spam.

    what i really wonder though is how many legitimate (non-spams) emails i never receive because of filtering software! i frequently get email or calls from people who claim they sent email that i never received. i also frequently get mailing list bounce warning emails (primarily from securityfocus lists though) claiming that emails sent to me are bouncing. hrm ...

  5. RR installed a virus on my co-worker's PC! on What Software Do Cable Installers Place on Your PC? · · Score: 3, Interesting

    yep, that's right. when the cable guy came to install Road Runner at my co-worker's house, he said he had to install some software. one of the things he installed was a very well-known virus (can't remember the name now) that destroyed everything on the hard drive. before nuking the HD, it also emailed copies of the virus to everybody in his address book - that doesn't look good when you are an infosec professional! my co-worker had to reinstall the OS, lost a lot of data, and then realized after the reinstall that he didn't need any RR software anyway to use their cablemodem service. RR did nothing at all to compensate him.

    My experience with RR has been great on the other hand. I never let them touch a thing. And they are fine with that. They just want to get out of the house and on to the next call.

  6. and in related news ... on Linux Sales Down, But... · · Score: 2

    A Gardener study released yesterday suggests that bottled water manufacturers will have greater revenue by January 2 than all of the lakes, streams, and oceans in the world combined.

    Another Gardener study has indicated that oxygen tank manufacturers will have more revenue by January 2 of next year than the (unnamed and unknown) purveyors of the free air that humans normally consume.

    Gardener recommends that corporate executives switch to free water and air.

  7. Re:major error in the article on Eminem #2 on Gracenote... Before Release · · Score: 2

    thanks for playing! please insert another quarter and try again.

  8. Re:Anti-Piracy measures on this album on Eminem #2 on Gracenote... Before Release · · Score: 2

    no. there were not any anti-piracy measures.

  9. major error in the article on Eminem #2 on Gracenote... Before Release · · Score: 4, Interesting

    the Eminem CD was on the shelves and for sale at my local record store on May 21. i purchased it on May 24 (and have the receipt to prove it). of course, when i called the record store today to ask about when they initially put it in the shelves and started selling it, their reply was "Today!". when i told them i purchased it from them on May 24, their reply was "that's entirely possible". when i then asked again when they started selling it, they replied "Today!". i think they were afraid that i might be a spy for the RIAA. ;)

  10. great whitepaper on this subject about CIA on Open Source Intelligence · · Score: 1

    using OSINT to gather info on the CIA - http://www.trustmatta.com/services/docs/Matta_Counterintelligence.pdf

  11. good luck riaa! on RIAA Wants Right To Hack · · Score: 1

    i just configured my firewall to redirect all hostile connection attempts from the RIAA to cia.gov.

  12. more good security interviews @ antioffline.com on BugTraq's Elias Levy Talks Security · · Score: 1

    http://www.antioffline.com/ has interviews with the following. not as serious in nature, but funny and interesting if you're in the security industry.

    Attrition
    Dugsong
    Ghetto Hackers
    Hackweiser
    K2
    Lance Spitzner
    Mixter
    Obecian
    Rain Forest Puppy
    ShadowVX
    s0ft Project
    Technotronic
    w00w00

  13. Re:Ken Williams on Top 10 Most Important Tech People of the Decade · · Score: 1

    yeah, if Ken Williams had been selected, i could have possibly profited in a big way due to the similarity in names. i could have ridden his coat tails to fame and fortune damnit! i get email all the time too for the other ken williams - questions about games (i played them all back in the day too!), people wondering why i left such a lucrative career in games to pursue a career in the incredibly incestuous field of information security, etc. the best one though was the guy who wanted my autograph since i was a famous major league baseball player [http://sportsline.netscape.com/u/baseball/bol/ballplayers/W/Williams_Ken.html].

  14. M$ at NCSU on Intel tells Harvard, 'Cover that Mac!' · · Score: 1

    in one of the UNIX-based (Sun) labs at NCSU, there was a plaque on the wall thanking M$ for their donation of software for the lab, but obviously nothing in that lab was running M$ products. i always thought that was funny.

  15. what the last asking price was for unix.com on UNIX.com On eBay? · · Score: 2


    beginning of '99, on the unix.com web site, they had their, then current, asking price posted. it was $30,000.

    i won't be surprised to see two zeros tacked onto that price when it sells on eBay.

  16. why not do this instead? on U.S. Army To Develop "JEDI" Soldiers · · Score: 1


    The U.S. Army JEDI soldier concept is describing, perfectly, the typical gun-owning Slashdot reader. Why don't they just recruit Slashdot readers instead?

    Eric Raymond is of course a logical fit for commander of the JEDI forces too.

  17. best katz article yet on Showdown With The Pinkertons · · Score: 1

    a search of the article turned up no occurrences of "pooped" or "what do you think?".

    very thorough, interesting, well-documented, well-researched, and well-written article, Jon. your best work yet.

    [note: i have no opinion on the subject matter itself, due to professional interests.]

  18. Re:Monitoring employees on Security-Why Not Watch The Crackers? · · Score: 1

    do you want your employers/coworkers/underlings to live in fear that they will get caught if they attempt to find security holes? i'd much prefer that they be encouraged to look for holes and report them, so that they won't be exploited maliciously.

    in corporate environments, the only employees who should be doing vulnerability assessments are those contracted specifically to do so, or those (network and security admins) who have this duty listed specifically in their job descriptions.

    anybody who trips my honeypot sensors is obviously snooping around where they are not supposed to be - they have no valid reason to be hitting the honeypot. furthermore, they are most likely not doing the tasks/jobs that they were assigned to do.

    when you get out into a large corporate environment, you'll quickly learn that the network admins do not want you to be snooping around, and probably that you don't have the time to snoop around anyway.

    i do vulnerability assessments and security audits for a living, but if i contact one of the network admins here and tell him that i found a security hole, the first thing he'll ask is why the heck i was poking around HIS servers without HIS expressed, written, contracted permission in the first place. my poking around has created more work for him, and for the other ppl who check those logs, respond to the alarms, etc.

    i personally found a security hole once in the censorware running in the media center of my school library. i informed the librarian of the hole and was promptly banned from the library for the rest of the year. not having read the library's computer use policy, i didn't realize until years later that the policy specifically said to report any security holes found.

    corporate life is very different. when you are working on a $500 million project, and the network admin notices that you're poking around in an R&D database that you're supposed to have only limited access to, or no access to at all, you'll be hung, drawn, and quartered, because you are now one of the zillions of people suspected every year of stealing and selling corporate secrets, or of sabotaging the company for whatever reason. after you die, they'll ask your next-of-kin why you were poking around that server in the first place.

    if you work someplace where they actually pay you to perform random security audits whenever you get the urge to nmap or smurf all of your corporate nodes, and want you to report your findings, then that's great. i really doubt that any Fortune 1000 (or virtually any) company encourages their employees to practice corporate security audits on the company LANs as a hobby though, especially while working.

    (posting anonymously because my employer has really bad security policies)

    after you're done packet-fragging the company's production web servers, feel free to contact me to help you develop a more reasonable security policy.

    [note: don't take the apparent harshness of my reply personally - i work _very_ long hours and weeks, and it's friday, so i'm using you as my venting scapegoat. i'll return to normal after my second cup of coffee monday morning. thanks for taking the time to comment on my post - you have raised thought-provoking, interesting points.]

  19. don't waste your time on honeypots on Security-Why Not Watch The Crackers? · · Score: 5

    99.9% of the people who consider putting honeypots on their networks should instead spend that time securing their vulnerable networks, checking for and applying the latest patches, and reading up on security trends and issues.

    that said, honeypots are a really cool concept, nevertheless. but a network or security admin needs to focus on more fundamental security issues though. those NT network admins, for instance, should be deploying a second, or third, or fourth firewall on BSDi or Linux, instead of wasting time and compromising their security with a misconfigured NT honeypot. honeypots are best left for IT security research environments, or for people who have too much time to waste.

    a notable exception is NAI's Cybercop Sting. Sting emulates Cisco IOS 11.2, Solaris 2.6, and WinNT 4, running common services. with Sting, you can pipe all of your legitimate traffic through Sting, and utilize the excellent logging capabilities of Sting for an added layer of security. additionally, Sting can be, should be, and often is utilized to monitor employees (i.e. internal hacking/cracking attempts). since most of the security incidents will be from internal sources, honeypots are an excellent way to monitor for suspicious LAN activity.

    there was an excellent discussion recently of the honeypot concept, with a wide range of opinions and views from all sectors of the Net population, on the Security Focus Incidents mailing list. the thread was entitled "Cracked; rootkit - entrapment question?", and was back in late February and early March.

    for those who have more interest in honeypots, check out the following:

    To Build a Honeypot - article by Lance Spitzner

    CyberCop Sting - product by NAI

    dtk - Fred Cohen's Deception Toolkit

    NFR's BackOffice Friendly - product by Marcus Ranum and L0pht

    and finally, a cool new product that i saw at RSA2000
    ManTrap - product by Recourse Technologies that is based on Solaris 7

  20. another idea on Information On Cryptography And Effects On Society? · · Score: 1

    post your query to the cypherpunks-unedited mailing list ... i'll add your email addy to my cypherpunks-unedited procmail "classic flames" filter, and get a good chuckle at your expense.

    some of the most creative flamers lurk on that list - funny as hell if you're a connoisseur of fine Net flameage, like me.

  21. good sources for info on Information On Cryptography And Effects On Society? · · Score: 2

    http://www.cryptome.org
    http://jya.com/crypto-free.htm
    Learning About Cryptography
    Ritter's Crypto Glossary and
    Dictionary of Technical Cryptography
    Encryption & Security Tutorial
    N.A. Crypto Archives
    International PGP site
    NSA National Cryptologic Museum
    EFF
    attrition.org crypto archive
    Bruce Schneier's Crypto-Gram

    and last, but not least (the archive i developed) ....

    PacketStorm Crypto Archives

    there are lots and lots of excellent tutorials, docs, glossaries, and links to many of the great crypto sites in the world at all of the URLs above.

    for the best info on NSA, ECHELON, misc paranoia, you should first check out Cryptome/JYA. i archived quite a bit of stuff related to your questions at the packetstorm site too - packetstorm.securify.com/crypt/nsa/.

    feel free to email me directly if you like too. over the years, i have had some interesting experiences with the NSA, BXA, etc - primarily regarding my hosting of crypto archives, and personal investigations of NSA, ECHELON. if you want to discuss these things, get the pgp key for ken.williams@ey.com from www.keyserver.net, and send your key(s) and crypted msgs to tattooman@genocide2600.com

  22. better ideas and info ... on Stopping Distributed Denial Of Service · · Score: 2

    better ideas and info can be found here:

    http://packetstorm.securify.com/distributed/

    http://packetstorm.securify.com/papers/contest/

    Make sure to check out the papers by Mixter, RFP, and Simple Nomad.

  23. more info from relevant sources on Busted for (L0pht)Crack Possession · · Score: 1

    I just got off the phone with a representative of the Minnesota Attorney General's office, and have a couple points, based on what the gentleman said -

    1) (criminal) "intent" is very relevant in cases such as this

    2) there are no laws in the locality mentioned in the article that have any wording like "possession of burglary or theft tools", therefore, the two people could not have been charged with "possession of burglary or theft tools". hence, once again, the issue is really the "spin" that the media has put on this.

    how many times have we faced this "media reporting" issue before?

  24. qualifications on 10th Anniversary of Steve Jackson Games Raid · · Score: 1

    a few things to keep in mind ...

    - criminal intent
    - "technologically challenged" District Attorney
    - appeals court

  25. 10 years later and things have not changed much on 10th Anniversary of Steve Jackson Games Raid · · Score: 2

    Check out the article below (from 2/17/2000). Although it involves a case related to criminal activities, the charges imply that *anybody* simply in possession of L0phtcrack is committing a felony.

    This is important because L0phtcrack, if you are not familiar with the software program, is widely used (legitimately!) by Network and Security Administrators, and Security Consultants for Network and System Security Audits.

    Logical extrapolation of the charges mentioned in the article implies that Microsoft is guilty of a number of felonies, and conspiracy to commit numerous additional felonies, in Minnesota, because they manufacture the NT Resource Kit, a favorite "criminal hacker tool". In fact, anybody in possession of the popular Unix "Crack" program, in the state of Minnesota, is surely also guilty.

    -----
    http://www.channel4000.com/news/stories/news-20000217-164727.html

    According to this article (and a Hopkins Minnesota police department), it is a felony to possess l0phtcrack. Two people were charged with
    "...two counts of possession of burglary or theft tools (specifically, a software program for extracting user IDs and passwords from a computer
    system)."

    Later, the article explains that these two people "...accessed the VP Projects computer system and installed a software program called LOphtCrack, which is designed to extract user IDs and passwords."

    According to the article, it's also a felony to attempt to gain access using it as well as another felony when you actually gain access.
    -----