Well, we could do it like the Discordians do it - make it a holiday!
In the Discordian calendar, there is a holiday that occurs once every four years - it's called "St. Tib's Day", and it (miraculously?) falls on the same day as "February 29th"..
Now, the cool thing about St. Tib's Day is this: it doesn't exist on the calendar.. in the Discordian Calendar, there are five seasons ("months"), and St. Tib's Day is inserted between the 59th and 60th days of the Season of Chaos (the first season..) so the days go "Chaos 59, St. Tib's Day, Chaos 60..." Your day of the week doesn't change (Chaos 60 is still "Setting Orange" - or the 5th day of the week).
Now, since we're throwing convention to the wind and revamping the calendar anyway, I see no reason why we couldn't implement something similar..
Although if we're gonna change everything, I'd rather we just move over to the Discordian calendar and be done with it.. it's probably the most sensible approach to date-keeping I've ever seen...
If you absolutely must store cc numbers, put them on a backend server behind a firewall.
Nope, this part is wrong - it should read like this:
"If someone in your company thinks you absolutely must store cc numbers, fire them. You absolutely do not, ever need to store credit card numbers."
There is no reason (at all, EVER) for a merchant to store CC numbers. You don't need them to do returns, you don't need them for "one-click shopping" (if you think you do, you don't need to do one-click shopping), you don't need them.
I don't care how much security you have (or think you have): if the data isn't there, you don't need to worry about it.
If MS doesn't recant, here is my solution to this problem:
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products, because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
This week, MS has said that they no longer will be publishing full bulletins to Bugtraq; they will only publish links to web pages.
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
Now personally, I like Katz, but after reading his review, this paragraph from the Filthy Critic had me in stitches...
I'm sure there are thousands of overfed, socially-retarded comic-book collectors out there who will find Unbreakable to be brilliant, some sort of validation of their hobby as socially acceptable. But, this review is for normal people, folks who know how to talk to other adults, leave home before age 27 and bathe regularly.
a firewall should have prevented the attacker from exploiting the open port
Who said anything about an open port?
I'm sorry, but to a determined hacker, no firewall in the world will be able to stop a properly-written trojan.
First, you're assuming that the trojan simply opened a telnet port and waited for connections (à la Back Orifice) - a firewall (or more correctly packet filter) would solve this, but there are LOTS of other ways a trojan could have operated.
Let's look at some of the other ways to get in from the outside (Just off the top of my head):
Outbound sessions - have the victim initiate the TCP session. So instead of Attacker->Victim, you have Victim->Attacker. Set the destination port to something that the client may be likely to do (such as port 80, or perhaps 22 or 25) to enhance the likelihood that any packet filter would allow it.
Use UDP to do the transfer - again have the victim initiate the session, and send control packets via the UDP-return mechanism. This is harder to implement than TCP (you have to handle dropped packets and retransmits yourself,) but probably the best way to do it, considering the way that the MS NetMeeting protocol works. (If the victim is allowed to use NetMeeting to anywhere on the 'net, then you can't block unknown UDP packets.)
Use another protocol, such as ICMP, or maybe a combination of UDP and ICMP - the victim sends data/ack/heartbeat packets to the attacker, and the attacker sends commands embedded in ICMP destination-unreachable packets (IIRC, this is how the TRINOO trojans work - this is what was used in last year's DDoS attacks.)
The bottom line is that packet filters aren't the final solution to security - they are certainly a part of any good security plan, but relying solely on them won't protect you from someone who really wants into your network.
In fact, it's probably the biggest misconception he made.
Relying solely on a firewall is the single biggest mistake a company can make.
True, a properly configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with a bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.
The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.
Re:s/NT/stupidly trojan-enabled software/ (on "Microsoft Cracked")
it's easy to get the same functionality if you KNOW how to administrate a Windows NT
OK, I'll bite..
So you're saying that the company that wrote NT doesn't know how to administrate it?
(and please don't blame 'untrained users' - on a properly configured *nix system, an untrained user couldn't do any harm...)
What if a Spanish speaker buys MS Word? He can't read the document... what if I *PURPOSEFULLY* don't read it?
What if my nephew (who is 12) comes over and installs software on my computer..
He's a minor, so he can't legally enter a contract - I didn't install the software, so am I liable to uphold the EULA?
Another example: what if my wife installs something on my system? Am I liable to uphold the EULA? Again, I didn't install it, I didn't agree to anything, so I can then reverse-engineer (or whatever) the software even though the EULA 'forbids' it.
Canadian banks generally don't care about their customers, because they don't make that much money off us, compared to the corporations..
Well, that implies that they care about their corporate clients.. which is dead wrong.
Try setting up a business (especially an internet-based one).. they STILL won't give a damn about you - Want to set up to take Credit Cards? sure, we'll just need a $10,000 cash deposit for EACH CARD TYPE - can't afford it? well, that's just your tough luck. There was a recent StatsCan report that said that most Canadian businesses aren't offering their services over the internet - GEE, I WONDER WHY!
Canadian banks are probably the only corporations that I can say are worse than Microsoft.
The spam envelope is actually to you, even if it doesn't show - check the Received: lines in the header - any recent sendmail install (or decent sysadmin) will include the $u macro in the Received: line of the header, which will list the email address that the mail was 'really' sent to.
The "to:" line is usually bogus in most spam - in reality it's completely decorative, and not used by the mail server at all.
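A defender-side check of the point above, written as an added example (not part of the original comment): it parses a constructed spam message with Python's standard email library, pulls the envelope recipient from the "for <addr>" clause that sendmail's $u macro writes into each Received: line, and compares it with the decorative To: header. The sample message and addresses are constructed for the example.

```python
"""Recover the real envelope recipient of a message from its Received: lines.

Added example (not from the original comment).  The To: header of spam is
decorative; the address the mail was really delivered to is the 'for <addr>'
clause that sendmail writes into each Received: header via its $u macro.
"""
import email.utils
import re
from email import message_from_string
from typing import List

# Matches the "for <user@host>" clause of a Received: header.  The address may
# appear with or without angle brackets and is normally followed by ';' + date.
_FOR_CLAUSE = re.compile(r"\bfor\s+<?([^<>\s;]+@[^<>\s;]+)>?", re.IGNORECASE)


def envelope_recipients(raw_message: str) -> List[str]:
    """Return every envelope recipient recorded in Received: headers, in trace
    order (the topmost Received: line is the most recent hop)."""
    msg = message_from_string(raw_message)
    found = []
    for hop in msg.get_all("Received", []):      # folded lines are joined here
        match = _FOR_CLAUSE.search(hop)
        if match:
            found.append(match.group(1).lower())
    return found


def header_recipients(raw_message: str) -> List[str]:
    """Return the addresses claimed in the To: header (possibly bogus)."""
    msg = message_from_string(raw_message)
    pairs = email.utils.getaddresses(msg.get_all("To", []))
    return [addr.lower() for _, addr in pairs if addr]


def to_header_is_bogus(raw_message: str) -> bool:
    """True when the To: header does not name the address the message was
    actually delivered to (the 'for' clause of the final hop)."""
    env = envelope_recipients(raw_message)
    if not env:
        return False                               # no trace data; cannot tell
    return env[0] not in header_recipients(raw_message)


# Constructed sample: the To: header names a stranger, while the Received:
# trace shows the mail was really delivered to alice@example.net.
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.net (8.11.0/8.11.0) with ESMTP id fABCDEF
\tfor <alice@example.net>; Thu, 30 Nov 2000 10:15:22 -0500
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net (8.11.0/8.11.0) with SMTP id fXYZ123
\tfor <alice@example.net>; Thu, 30 Nov 2000 10:15:01 -0500
From: "Friend" <friend@example.org>
To: somebody-else@example.com
Subject: MAKE MONEY FAST

You have been selected...
"""

if __name__ == "__main__":
    print("envelope recipients:", envelope_recipients(SAMPLE_SPAM))
    print("To: header claims:  ", header_recipients(SAMPLE_SPAM))
    print("To: is decorative:  ", to_header_is_bogus(SAMPLE_SPAM))
```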
You win today's "Conspiracy Theory" award.
:o)
Except for the fact that a conspiracy requires two or more people.
One person being a premeditated asshole is (by definition) not a conspiracy.
Where's the Grammar Nazi when you really need him?
Discordians already do this..
If you ask a Discordian what time it is, they will reply "Five O'Clock" - because somewhere, it is.
This is basically done in protest to timezones and Standard Time. (They feel pretty much the same way you do about it..)
You are not allowed to remember the contents of this book
(Because that means that you're storing a copy of it in your brain - which is copyright infringement.)
Just don't print anything ON the book.
:o) (Obligatory blonde-joke reference :o)
Umm, would that include using white-out on the screen?
During that time, it's stored *somewhere*, right?
Wrong. It's sent directly to the CC company... but even if you (incorrectly) decided to store it anyway:
1. Sale is approved. You inform the customer and delete the CC#.
2. Sale is declined. You inform the customer and delete the CC#.
In either case, you gained nothing by deciding to store the CC# (even temporarily).
when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse.
No, all you need is the authorization number to settle. If you haven't settled within a week (because you haven't shipped the goods), the authorization is cancelled by the bank.
It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (i.e. your underpaid DBA) can get through.
Huh?!?!?!? You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..
"Well, John, we can't trust our employees, so let's not spend the money on the safe, let's just keep all our money in the filing cabinet."
Having criminals as employees is completely irrelevant to your arguments. (Or, perhaps you could explain how keeping credit card numbers will somehow negate the fact that employees can't be trusted?)
I repeat again: You do not NEED to store credit card numbers.
Read that again..
Nobody _NEEDS_ to do one-click shopping.
And if you think you _NEED_ to do one-click shopping, you _STILL_ don't need a CC#...
Ever hear of C.O.D.?
Again, rule #1 of e-commerce security: YOU DON'T NEED TO STORE THE CREDIT CARD NUMBERS
Its technical term is DNIS - and every termserver that I know of supports it.
You get your terminal server to send the DNIS to the RADIUS accounting server, and the RADIUS server to log it in the accounting records.
If someone is using a forged/stolen CC number, you give this information to the police, and send the bastard to jail.
Credit card fraud is taken _very_ seriously by the police.
Mike Myers played this up big time in the movie "Wayne's World"..
You could tell that he was forced to do the "product placements", and had a good laugh at the expense of the movie industry.
rated it a 5 out of 10 for harmfulness
:o)
I wonder if they'll re-assess it now?
One of the main rules of advertising is that as soon as you mention your competitor in your ad you're already dead.
Anyone ever tell this to Pepsico?
Pepsi mentions Coke in almost all of their adverts.. any wonder they're still number two?
the way they blackhole anyone who runs an open SMTP server, even if it's not being used for spamming
I think you have them confused with ORBS.
From the MAPS site:
"the most common reason for a host or network being in the MAPS RBL is that it was used by a spammer as a mail relay... Open relays may be entered immediately onto the RBL to stop spam-in-progress"
MAPS does not scan for open relays, so how do they know that a relay is open unless a spammer uses it?
Contrary to your belief, it's _HARD_ to get into the MAPS RBL - you have to screw up and refuse to fix it; it's also very easy to get off the RBL - fix your relay, and notify them.
You should visit the MAPS page at maps.vix.com for more information.
Really, MAPS is not ORBS.
If your ISP was on the list, it's because they didn't do anything to stop the guy from spamming (after it happened).
My guess is they got contacted by MAPS and your ISP told them to fuck off.
If your ISP doesn't care about spam, you should find another ISP. It's exactly selective enough. I use MAPS, for exactly that reason. If your ISP was responsible, they wouldn't be on the list.
You almost got it...
<i>Spam is as much a form of speech as tele-marketing.</i>
Spam is even <b>less</b> a form of free speech (if there is such a thing), because it's theft of service (someone is paying for that bandwidth, and it's not the spammer) - telemarketing steals time, spam steals time and money.
The simple answer to your question is NO.
Spam is _NOT_ (by any definition) constitutionally protected speech.
If someone were to get a big megaphone, and walk up to your bedroom window at 3:00 AM and start screaming obscenities at you, would this qualify as "free speech"?
Not on your life.
If a telemarketer were to call your home COLLECT, saying it's from "Your uncle John" so that you'd accept the charges, only to start telling you how you can make a million dollars in a week through some pyramid scam, would THIS be considered "free speech"?
Again, NO.
Spam is theft, spam is harassment.
Spam is NOT free speech.
And to answer your last question: if it's opt-in, it's not spam.