Slashdot Mirror


User: Flower

Flower's activity in the archive.

Stories: 0
Comments: 1,030

Comments · 1,030

  1. Re:You're fired on Desktop Linux Share Overtaking Macintosh · · Score: 2, Insightful
    Bull. From experience, if it ain't company owned and controlled I don't want it connecting to my network. Why? Because the instant it starts producing data for the company I have to support it and I have to wonder if it's secure.

    It's cheaper and safer to buy the employee the equipment to do their job.

  2. Re:1st Amendment? on TeacherReviews.com Forced Offline · · Score: 1
    This isn't someone reviewing a digital camera here. It is someone abusing their anonymity and deliberately trying to smear another's reputation without basis in fact. That isn't protected speech and it never should be.

    My question is this. Where is the public outcry against the imbecile who abused the system and thus got it shut down?

  3. Re:You're all missing SCO's trick on SCO Adds Copyright Claim to IBM Suit · · Score: 2, Insightful
    What tricks? This isn't Perry Mason. What SCO does now dictates what they will be able to do later in the trial.

    I don't know what you've been reading but IBM has been crucifying SCO's legal team with SCO's rhetoric. If anything, this case is proving to be a textbook example of why you never comment about pending and on-going litigation. Every word SCO utters to the media is going to come back to haunt them in the courtroom. What? Do you really believe that if Darl takes the stand that questions like "Where is that team of MIT rocket scientists?" or "You originally said millions of lines but after discovery your company could only produce a fraction of that. Yes or no?" won't come up?

    And who are most people? It became obvious fairly quickly that this case would go on for a long time. Neither side can simply drop it.

  4. Re:Supreme Irony in the Making on SCO Adds Copyright Claim to IBM Suit · · Score: 1
    Novell filed for the copyrights too. Now that I think about it that's pretty smart. When SCO goes under it's very likely Novell will retain those rights and ruin the possibility that they could go to some third-party - say Canopy Group.

    In any event, I highly doubt that IBM will ever get a chance to be awarded SCO's unix assets. More than likely the best IBM will get is the satisfaction of crushing their enemies, seeing them driven before them, and hearing the lamentation of the women.

    Of course, that's pretty good too.

  5. It's called selective quoting on Remotely Crash OpenBSD · · Score: 5, Insightful
    Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

    Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

  6. Re:Not to condone writing worms.... on More MyDoom Gloom · · Score: 1
    Work productivity gains alone would be staggering to behold.

  7. Re: Please Remember! on More MyDoom Gloom · · Score: 1
    The problem is this worm may or may not actually DDoS SCO but is hitting some companies' mail servers so hard it is bringing them down. Yesterday, our ratio of email-to-MyDoom was 1:1. That's right. For every valid email there was one worm. We managed but others haven't.

    My place of work has no SCO servers, does not conduct business with SCO afaik and my co-workers thought I had good points about SCO's claims. Now? It's all about this "Linux weapon of war."

    Yes, you're entitled to your opinion but from where I'm standing you are flat out wrong. The only reason to cheer is if you abandon consideration of the current consequences and focus on the purely self-absorbed emotional satisfaction that this could DDoS a company you hate. If it floats your boat, fine. I'd rather advocate doing something constructive.

  8. Re:Can Someone Explain Forensics? on More MyDoom Gloom · · Score: 1
    Atm a bit beyond me, but this might provide a little insight. One of the authors has a site.

    HTH

  9. Re: Please Remember! on More MyDoom Gloom · · Score: 3, Insightful
    I probably rank right up there with all the other SCO haters. I'm on GrokLaw every day and chip in when I can by transcribing documents but I'd never cheer on MyDoom. The stupid thing, because of the damage it's doing (and it is damage), brings an emotional reaction to the SCO debate which undermines all the good arguments the community has developed. Even if it was developed in Russia, cheering it on because it will DDoS SCO just provides SCO and industry analysts more junk to bring up rather than focusing on the real issues.

    I totally agree with Bruce on this one and just wish more "advocates" had the maturity and insight to realize this isn't a joke.

  10. Re:Security could be easily enhanced on More MyDoom Gloom · · Score: 4, Insightful
    *sigh*

    No patching would have prevented this worm. Look, when MyDoom comes in as a zip file the user has to open it once to access the actual payload. When you open the thing in WinZip it shows up as [random].[doc or whatever] but has the wrong icon. WinZip then identifies it as a pif file and in the screen says DOS executable. After all that, the user has to execute it again to deliver the actual payload.

    MyDoom has nothing to do with bad sysadmins. Nada! At work we have the desktops locked down and Outlook is set up to not permit autoexecute. Most executable attachments are dropped at the mailserver. The reason I say most is because we do allow Word documents and the like because surprise, surprise we have to actually run a business. Our signature files are updated daily and if a new virus comes out I do my job to make sure we're at the proper rev and run a manual update if we're not. The one thing I can't do is play Big Brother to a 1000+ employees scattered over the state 365/7 and smack them every time they try to open some random shiny thing.

    And more importantly, how can a sysadmin stop some random Joe User on a home cable connection from executing the stupid worm or patching his damn system?

    That soundbite of yours starts getting a little hollow now doesn't it?

  11. Re:Let me be the first to say... on SCO Offers $250K Bounty for MyDoom Author's Arrest · · Score: 1
    Nope the guy who wrote that piece of junk wasted more than 5 minutes of my time at work over a stupid worm.

    He'll brag and when he does I hope a real linux advocate drops the dime on him. My suggestion for that person is to take the $250,000 and make a sizable donation to GrokLaw.

    Now that would be justice.

  12. Re:It may be wrong on some level... on MyDoom Windows Worm DDoSing SCO · · Score: 1
    It obviously didn't sneak into your network while the AV vendors were still updating signature files then. Didn't bring us down but wasted my time which is enough.

    Can just envision it:

    Kid: "I want a MyDoom, MiMailer variant worm with optional DDoS ability directed at SCO!"

    Santa: "Kid! You'll bring your network down with that."

  13. Re:well, since you don't have anything else to do. on To Recertify, or Not Recertify? · · Score: 1
    But your resume would reflect that. Or at least it should. If you put in two years of coursework that needs to go under your education. Otherwise no prospective employer is going to have a clue about the effort you've put in towards developing your skills. A cert is just there to indicate that the vendor thinks you won't break the system by doing a specific task under criteria X. Whether an employer believes that? Well we obviously know Lumpy doesn't.

    I'll put my CCNA at the bottom of my resume to get past the gatekeeper but the fact that I've worked with Cisco switches and routers for five years is up at the top.

  14. Re:If you don't have a C/S degree, get one on To Recertify, or Not Recertify? · · Score: 1
    I currently go to a technical college and have gotten certifications and wasted a few years in college. None of them are really comparable to each other.

    A cert, imho, is really only a metric that you can be assigned task X, Y, or Z and be expected to complete it without breaking anything. Of course, during the dotcom days business made the blunder of thinking that if you could pass a test you were a wunderkid so when everybody abused that notion it was really no surprise that there was an inevitable backlash against this metric. It seems that certs are coming back in fashion if it is the right cert. For instance, I think the GIAC certs are well worth the time and effort because not only do you have to take a test but because you have to produce an actual paper that is peer reviewed.

    Tech colleges provide the student with a skills oriented focus that is tuned to what local businesses are looking for in a candidate. This isn't a bad thing - especially in IT as long as the student doesn't make the assumption that they are going to be making some obscene salary right off the bat. One nice thing about a tech college is that you can get hands-on experience at a fraction of the price you would spend at a cert boot-camp.

    An actual college degree is going to provide you with a broad background and the necessary knowledge to land a good entry level position where you will be promotable. It is probably the best metric to prove that you can learn and have the self-motivation to stick to a task. Where it really benefits a candidate is in salary negotiations.

    Honestly, I wish I had the college degree. I'd be making a lot more money doing what I do now. However, the lack of a college degree has not excluded me from getting or keeping a job in IT since I've been able to mitigate that hole in my resume with experience. Now that I'm married with two kids, finishing my college degree isn't feasible atm. So I'm doing the next best thing and working towards an Associate degree in information security and taking some additional courses in project management. It isn't that bad.

  15. Re:7.2.2 INCIDENT PREVENTION on NIST Releases Guide to Cyber Attacks · · Score: 1
    Principle of Least Privilege. One of the 1st lessons of Security 101.

    Reread what you just posted and think about what it is saying instead of just reacting to the suggestion that you should limit encrypted connections.

  16. Re:Are these all the attacks? on NIST Releases Guide to Cyber Attacks · · Score: 3, Insightful
    Wow! Who would ever think that there should be a methodology for dealing with security incidents? We should all just run around and do our own thing and, of course, the problem will be resolved. And when we catch the guy, our lack of methodology will ensure that any evidence we acquire will be usable in court.

    I'm just going to leave it at that. Anything else is just going to be a derogatory rant. IHBT HAND

  17. Re:wasting your time? be professional! on One Company's Response to SCO · · Score: 1
    fwiw, this came up on Groklaw and the answer was no. I personally didn't verify it myself. HTH

  18. Re:wasting your time? be professional! on One Company's Response to SCO · · Score: 1
    I used that phrase as an example of what was totally inappropriate. It was meant to be absurdist. Sorry if it offended thine eyes. Obviously we're going to have to agree to disagree. I'm not willing to concede, after having read the entire letter and taking it in as a whole, that one informal clause torpedoes the message.

    And if you had taken into consideration the tone of my original response you would have realized that yes I am grown up - even if I did commit the faux pas of not following the proper decorum you appear to need in this conversation. You need to quit being so sensitive.

  19. Re:wasting your time? be professional! on One Company's Response to SCO · · Score: 4, Insightful
    Let's look at what the letter actually said because, quite frankly, trash-talk on /. while infantile is not the same as actually replying back to SCO in a business correspondence. So without further ado:
    Before you waste any more of my time or yours, please detail exact information such as the offending lines of code and the kernel versions you contend this code is in. Alternatively if your organization agrees, we can re-address these issues after your current lawsuits regarding these issues are finalized

    This is what was actually sent to SCO and quite honestly I don't see anything wrong with it. The first clause is dismissive but the demands are reasonable. Unprofessional would have been something like "Blow me."

    So it got to the point without using a bunch of $1.50 words or couched in a slew of legalese cliches. Whatever. It most certainly doesn't merit the criticism it's currently receiving.

  20. If you're going to write your CongressCritter on SCO Lobbying Congress Against Open Code · · Score: 5, Informative
    Some ideas to include:
    1. Our latest encryption standard (AES) was not created in the US.
    2. SCO is embroiled in multiple litigations and have yet to prove any misappropriations of copyrights that they might not even own.
    3. Linux and OSS might be free for distribution but multi-billion dollar industries have developed for the deployment and support of these solutions.
    4. The Copyright Code explicitly allows for the trading of copyrighted works as an incentive. The GPL is essentially a license utilizing this incentive.
    5. Owners of copyright can and do license their code under multiple licenses. GhostScript anyone?
    6. For a small initial investment of money and greater investment of personal time OSS allows a self-motivated individual the opportunity to improve their job prospects and station in life without resorting to software piracy - an excellent example of the proverbial American Dream.

    This is obviously just the tip of the iceberg. Anyone have more?

  21. A little math... on Forbes Sympathizes with Poor, Abused Fax.com · · Score: 5, Insightful
    Fax.com claims they can pump out 3 million faxes a day. Make the following assumptions.
    1. Each fax eats a sheet of letter head. That means each day companies receiving unsolicited faxes from this one entity have consumed 6000 reams of paper.
    2. Assume that each ream of paper costs on average $5. That's $30,000/day industry pays. 52 weeks in a year, 5 day workweek minus about 10 holidays is 250 days. So the annual cost is $7.5 million dollars.
    3. This does not include cost of toner, maintenance of fax machine, lost productivity, etc., etc.. I figure my estimate is conservative.

    Yeah, it's a huge pity that they can't exploit their business model and wound up out-of-business. Tito, hand me a tissue.

  22. Re:And I predict that DNS will be the cause. on The Future of Security · · Score: 1
    The DNS servers are not a monoculture. We've already had situations where the majority of the root servers were incapacitated and the Internet stayed up. And, most importantly, not every DNS server is going to be bone-headed and resolve every query from the root server. Most sane solutions will cache com., edu., net., etc., etc..

    And why are you assuming that everyone has their DNS entries set to expire in a day? IIRC, taking in your assumption, it would take three days for those entries to expire. (Sorry if I'm wrong. My mind is mush right now.) DNS might have a lot of problems but it is pretty resilient overall.

  23. Oh good grief. on The Future of Security · · Score: 4, Insightful
    Who the fuck is going to let utility control systems be directly connected to the Internet? What? Private networks are going to totally go the way of the dino? We're all going to smoke crack and forget how to implement redundancy and high-availability? We won't be able to take the systems off the Internet, burn them to the ground and rebuild them incorporating the patch? Explain to me how all backups are going to be unrecoverable and more importantly how such an event is going to remain undetectable? What? No one will be running a HIDS five years from now?

    What about advances in security technology? Targeted IDS is still in its infancy. What about CERT's research into survivable systems engineering? Patch management software is going to suddenly go the way of the Dodo?

    From my understanding the general consensus is that SOX auditing will eventually include all systems which run the business - not just the ones involved in financial reporting. That auditing requires a verified disaster recovery procedure and security documentation.

    Am I saying there is absolutely no chance it could happen? No. But a lot of security people much better than me are going to have to be lobotomized before I think a digital "Pearl Harbor" is plausible.

  24. Re:Well... on Are Geeks in Saudi Arabia Just Like Us? · · Score: 1
    Wow, you must be using a fubar'd keyboard or something. Surely you meant OpenBSD...

    Running on a SPARC.

  25. Re:The Motley Fool got it wrong on SCO Wants to License Europe · · Score: 1
    Bah! I read somewhere a penguin could break your leg with a single flipper strike.

    Fear Hokuto no Tux!