I read "Travels with Samantha" not too long ago when I ran across a link to it. As a result, I poked around photo.net a bit, and ended up buying a paper copy of "Phil and Alex's Guide to Web Publishing." Great book, recommended. Even though it's on the web, it reads better on paper, the book is nicely put together, nice heavy paper, and the photos look good (all stuff Phil will tell you, too. :) )
My question is this:
In most of your writing, you often put some statement out there as fact, when it is actually an opinion. In many cases, I can spot it as such, and just roll my eyes a bit if I happen to disagree. Are you aware that you do this, do you worry about it, or do you expect your readers to spot it and take it as an opinion? Or are you a typical college professor whose opinion IS fact, and won't be told otherwise? :)
The reason I ask is that I do a little writing myself, and I find it unnerving to put something in print that becomes more-or-less unchangeable. I.e. I just worry about being "wrong" either because I am plain wrong, or wasn't clear in my statements.
Marcus J. Ranum, author of the Firewall Toolkit, which is one of the pieces of TIS code under discussion, has said that there are still a few glaring bugs in there that no one has pointed out yet.
> You can't do that with closed-source software. Since you don't have the source code, you can't alter the code. So you (or that contract programmer who the company is letting go at the end of the month) can't run a little in-house exploit.
Of course I can. Never seen rootkit? Never seen either of the open-source Windows clones?
Lessee... out of all the existing Palms, here's what I want in my new one:
Color (IIIc)
Wireless (VII)
Rechargeable (V)
8MB or more (x)
That would be a superset of all the existing Palms, and do a lot to eliminate some confusion. Sure, I suppose there will still be a use for models that are cheaper, so they have some of the features knocked off.
Now, for software/services..
I want it to function as a pager. This is probably pretty easy.. someone just needs to do the telephone front-end. Possibly a slight improvement in sound would be needed. I could forgo a vibrate mode.
I want real IP (could be there now... I've never used the VII) so that I can do (painfully slow) telnet, ssh, VPN, etc..
And of course I want the service to be reasonably priced. Ideally, flat-rate.
That occurred, but that presumes I'll actually *use* the service... (I won't, I've got DSL at home. I also happen to have a pre-mod and agreement $99 box, but if I didn't I'd be tempted to pay $99 + 3 mos.)
Can anyone explain to me, if Netpliance is worried about cost, why they still sell them for $99 and only require 3 months service? That's still only $165, plus shipping if any, right?
Either they are much cheaper to produce than folks think, or Netpliance just doesn't learn.
The only other difference (so far) with the new arrangement is that they have apparently clipped 4 of the HD pins, made a BIOS update (which so far no one has demonstrated is "disabled" in any way) and epoxied the BIOS chip.
Well... some sort of soldering iron and EEPROM burner is in order.
A real life example would be to walk down the street in a crime-ridden neighborhood looking like an easy target, then when you get mugged, shouting "I got you!" "I got you!" and pulling out a gun and holding them until the police arrived.
Building a honeypot isn't hard. Any box that you don't care about getting broken into will do.
Properly watching a honeypot can be challenging. You don't need one if you're not going to pay close attention to it. You also need to be concerned that ownership of the honeypot doesn't jeopardize any real systems, either due to network trust, or increased ability to do traffic monitoring. You also have to consider that you'll be a danger to other sites on the net. At least one poster to our Incidents forum claimed that when he contacted the admin of a box that was being used to attack him, the admin knew it was 0wned, and refused to take it down because he was monitoring the attacker.
You need to consider why you want a honeypot. It's probably an easy choice to put one up if you're in the business of watching crackers. If not, some folks think they want one to distract or act as early warning. What do you do when you catch a cracker? Unless you've got a clear trail back to the attacker in the same country as you, not much. You can notify his admin, which has mixed results. You can try law enforcement, which also has mixed results.. especially when you're talking about a honeypot, and can't really place a dollar value on "damages".
Consider whether you want to take a chance on pissing off a cracker. Lots of crackers are untouchable from where they are. Unless you already piss off the crackers by your very existence (MS, Antionline..), most people don't want to be targeted by a cracker with no fear of being punished.
Most security folks believe that the intersection of sets of people who break into systems and people who are good hackers is small. That means that chances are small that you'll see some unknown attack against your particular honeypot. You can certainly set one up with the common holes, but then you'll be tracking common crackers.
The Berferd story was interesting because they caught a semi-skillful attacker. Stoll's case was interesting for much the same reason. In neither case did they start out with a honeypot. They built a jail for Berferd. In Stoll's case, he used production systems for his "honeypots". This was back in an age when these sorts of things were much less common, and you didn't have hundreds of script kiddies scanning the entire Internet looking for machines to own. The owning has even become much less interesting, due to the DDoS tools the crackers now want to install and move on..
If you want the excitement of an evening with Berferd on your system, don't run a honeypot. Watch your real systems very carefully, and polish your tools for tracking him when he shows up.
I have seen a co-worker plug in an EEPROM backwards.. We figured out what was wrong when the machine wouldn't boot, and we saw it emitting light from the little UV window.
Seriously, though... same as with any dongle type copy protection... you don't hack the dongle, you rip out the code that checks for the dongle. Copy protection doesn't work.
VFS sounds interesting.. I hadn't heard of it before. Any chance it'll be ported to NT? I've often thought it would be useful to walk the registry from a command prompt as if it were a filesystem.
> Well, anyhow, what I can talk about and is unclassified is that most of the military communications formats are encrypted, jam-proof and in many ways just really dang hard to deal with. There are two exceptions. One of them is used to control airplanes remotely (usually for Automatic Takeoff and Landing, for carriers). It's not encrypted. Granted, the format of these communications isn't something the average joe can get a hold of easily. And there's probably a way for a pilot to shut down the communications.
Can one do arbitrary remote control via that interface? (i.e. any maneuver I want?) First thing after I hijack the control connection, could I pull one of those 20G moves someone mentioned earlier, killing the pilot to prevent him from shutting down?
How about killing the VTOL engines, and dropping the plane on the deck? Perhaps with the bombs armed?
No one wants to hear it, but all security is security through obscurity. It's simply a matter of whether something is obscure enough.
Hoping you're safe because you haven't publicized that your web server exists, even though it has holes, probably isn't obscure enough. Port scans happen all day, every day.
Hoping your e-mail is secure because someone shouldn't be able to randomly bang on the keyboard and generate your 2048-bit key IS probably obscure enough.
In both cases, if the attacker knew what they needed to know, they'd succeed.
OBOSS: We've been breaking commercial, closed-source software for way too many years to believe that not having the source code slows us down.
> 35,765 people cast votes remotely in what the Arizona Democrats believe to be the first legally binding public election in the world conducted via the Internet. This number is almost triple the 12,800 people who voted in Arizona's 1996 Democratic Primary.
Oh, sorry. My vote bot got out of hand.
On the plus side, Mudge is the new representative from Arizona.
That's not a bad idea, and it might be workable. Problem with hashes is that you can't check for near matches or variants, which means you have to generate a bunch of variants ahead of time, rather than being able to compare on the fly.
Obviously I don't use one of the products, but from what I've read they often will block things like www.pron.edu/* . They'd also have to think up all the variants that still work, like, pron.edu/pron.html, www.pron.edu/pron.html., www.pron.edu/pron.html?, 192.168.0.1/pron.html, ad infinitum...
The product would also have to look at the current URL, and walk it up to see if it was blocked at a higher level. If I'm going after www.pron.edu/really/bizarre/solo/doorknobsex.html, it has to try all the directories (and variants) in the hash table, until it gets up to www.pron.edu. (Of course, it could shortcut things by checking if entire sites are blocked first.)
In short, hashes might work, but the table would get really huge quickly, and any new variant I come up with will bypass the filter.
And the hash tables will still be vulnerable to dictionary attack.
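As an added example (not from the post or from any filtering product), here is the hashed-blocklist lookup with the directory walk-up and the whole-site shortcut the post describes; the hostnames and the blocklist are constructed. Canonicalisation collapses the case, "www.", trailing-dot and empty-query variants, while the IP-address variant still slips past, which is exactly the weakness the post points out.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed blocklist of canonical "host/path" prefixes. A real product
# would ship only the hashes, never this plaintext list.
_BLOCKED_PLAINTEXT = [
    "blocked.example",               # whole site
    "mixed.example/adult",           # one directory of an otherwise fine site
    "mixed.example/pics/nsfw.html",  # one page
]


def _h(entry: str) -> str:
    """Hash one canonical entry; the table stores only these digests."""
    return hashlib.sha256(entry.encode()).hexdigest()


BLOCKLIST = {_h(e) for e in _BLOCKED_PLAINTEXT}


def canonical(url: str) -> str:
    """Collapse trivial variants into one 'host/path' string.

    Dropped: scheme, query string, host case, a leading 'www.', a trailing
    '.' on the host, empty path segments. Path case is kept (assumption).
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if host.startswith("www."):
        host = host[4:]
    path = "/".join(seg for seg in parts.path.split("/") if seg)
    return f"{host}/{path}" if path else host


def prefixes(canon: str):
    """Yield the URL itself, then each parent directory, down to the bare host.

    This is the walk-up the post describes: every ancestor has to be tried
    against the table because a block may sit at any level.
    """
    parts = canon.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])


def is_blocked(url: str) -> bool:
    canon = canonical(url)
    host = canon.split("/")[0]
    # Shortcut: whole-site blocks are the common case, so test the host first.
    if _h(host) in BLOCKLIST:
        return True
    return any(_h(p) in BLOCKLIST for p in prefixes(canon))
```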
>And then there's the question of why Symantec is
>using lousy crypto in the first place
Because it's not possible to keep secrets on an untrusted computer that needs to access them. If the program needs to decrypt the URL list itself, then so can anyone with a copy of the program, if they spend the effort. You can use the best crypto algorithm in the world, but then the key is stored somewhere in the program, where the owner of the computer can get at it.
This is a fancy version of copy protection and client-side security. It can't be made unbreakable.
kettle, black.
Hey, it works for Charles Bronson.
Re: Cracked; rootkit - entrapment question?
There was no real final resolution to the entrapment question. There's some good argument for both sides, though.
Some of us can write and have written programs directly in machine code, by toggling switches, or punching in hex, etc..
The end result is that the "source code" is no different than the executable machine code. Why shouldn't that also be protected speech?
I have to write in a high-level language to have protected speech?
www.hackernews.com
nah... I'd just hand out dandruff with my warez.
How about adding a license statement to the BIOS message? A "boot-through" license?
Time for some cable modem X-box hacking. (well, in 18 months I guess.)
Ought to be fun watching @Home trying to ask X-Box owners to check their machines for TFN2001.
"What's netstat? I don't have that disc.."
>would not have been able to decipher the
>password so quickly...
http://www.thievco.com/advisories/nspreferences.html
Silly me, I thought that was the Bernoulli effect.
.edu sites have porn?
From: http://www.peacefire.org/
March 2, 2000
Download IGDecode, a program that can decrypt the list of sites blocked by I-Gear. We decrypted I-Gear's list and determined that of the first 50 URL's in the .edu domain blocked as "pornography", 38 of those were errors, for a 76% error rate. We also discovered that when you install I-Gear, it scans in your real name used to register your copy of Windows, and uploads this information to Symantec
...
So, uhh...12 of the first 50