Nicholas Negroponte is fairly bright, but I think some of the things
he talks about (e.g. giving UN membership to
Nation1, a "virtual nation" composed of the world's internet-enabled
children) are a bit too loony to be taken seriously
GEEK STAR TREK CODE [t++@($)]
My tendencies on this issue range from: "It's the best show around. I have all the episodes and the movies on tape and can quote entire scenes verbatim. I've built a few of the model kits too. But you'll never catch me at one of those conventions. Those people are kooks. But that varies...", to: "It's just another TV show. Getting paid for it!"
I'm glad you mentioned having different controls for different groups of users. I can easily imagine jobs where it is impossible to get anything done without being able to install software, and that's not just developers. Sysadmins need to be able to install and test software, too. In general, I would recommend that non-IT people have their boxes locked down tight, that tech support people have the ability to make minor changes (new wallpaper or screen saver so they don't hate their job so much), and developers, sysadmins and security goons be given the ability to do what they want, with the provision that their keystrokes and traffic *will* be monitored.
I sort of understand the move to make computer crime a terrorist act;
the feds can see that everything is moving to computerized control,
and they want to prevent attacks on our
critical infrastructure. That makes sense, but I'm not sure
they are approaching this the right way. If it is possible to disrupt an
airport control tower for six hours
with a war dialer, we would be
better off requiring secure communications channels for air traffic
control data than we would be trying to track down every 12 year old
who runs ToneLoc and charging them as terrorists.
Instead of trying to use the latest, most trendy technologies
(e.g. using web based controls and XML to create the
Joint Battlespace Infosphere Infrastructure) or
opting for the cheapest method of getting things done, we should think about
how these things might be attacked and design them to be
infrastructure, and should design them to be
resistant to attacks.
open source is an alternative that gives users more power to control their computing environment than closed source software does, but it is *NOT* a war!
We need to stop describing stuff in such combative terms. That's part of what turns businesses off and prevents them from trying open source software. Businesses view people who talk about software choices as war as a bunch of loons. If you want to get linux on the desktop, point out that it is a high quality, low cost alternative to the software they are currently using. Give specific examples that match their current products.
Remember, this is not war, no one will die over this.
If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to
work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.
It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.
...how many of these propane fuel cells would be needed to power an electric car. Think about it, decent range, fast speeds, and the low end
torque of an electric.
If they put up an FTP site that includes a) all the original source code used for the product, and b) all the modifications, there should not be a problem. The GPL allows the sale of products based on GPL'd code, but you have to give your changes back to your customers. They probably only have to give the source code and their changes to customers, though, and not to the general public.
"A government should not mobilize an army out of anger, military leaders
should not provoke war out of wrath. Act when it is beneficial, desist
if it is not....a nation destroyed cannot be restored to existence,
and the dead cannot be restored to life. Therefore an enlightened
government is careful about this, a good military leadership is alert
to this. This is the way to secure a nation and keep the armed forces
whole."
-- Sun Tzu,
Art of War 12:10
If dubya believes that a strike back is strategically/tactically beneficial to the USA, he should order the armed forces to kill our enemies. If the response is simply an act of retaliation fueled by anger, though, he really ought to think about if this helps or not...
Associated Press
Tuesday, September 11, 2001; 9:08 AM
NEW YORK - An aircraft crashed into the upper floors of one of the World Trade Center towers Tuesday morning, and black smoke poured out of two gaping holes, witnesses said. Shortly afterward a second explosion rocked the other tower.
There was no immediate word on injuries or fatalities in the disaster, which happened shortly before 9 a.m.
"The plane was coming in low and... it looked like it hit at a slight angle," said Sean Murtagh, a CNN vice president, the network reported.
Large holes were visible in two sides of the 110-story building, one of landmark twin towers.
There was no immediate word on injuries or fatalities in the twin disasters, which happened shortly before 9 a.m. and then right around 9 a.m.
The towers were struck by bombers in February 1993.
"The plane was coming in low and... it looked like it hit at a slight angle," said Sean Murtagh, a CNN vice president, the network reported.
Large holes were visible in sides of the 110-story buildings, landmark twin towers.
The tops of the twin towers were obscured by the smoke.
Thousands of pieces of what appeared to be office paper came drifting over Brooklyn, about three miles from the tower, one witness said.
The center bombing on Feb. 26, 1993, killing six people and injured more than 1,000 others.
In 1945, an Army Air Corps B-25, a twin-engine bomber, crashed into the 79th floor of the Empire State Building in dense fog.
Since RIAA backed down and Felton got to present his research, we may have lost the best case we had to try and get section 1201 of the DMCA overturned. :(
Sklyarov did nothing beneficial for society, he merely found yet another way to steal and publicized it
He did benefit society. Specifically, he helped the blind read electronic documents. (All PDF's can be read by their voice to speech translators. Not all eBooks can.)
He exposed a flaw that almost certainly would have been used to defraud the publishers and authors who depended upon the non-existent security of eBooks. (According to Dmitry's talk, eBooks are only obfuscated by XORing the compressed PDF file with the string "encrypted". I'm sure that other people would have found that out and put eBook cracks up on warez sites. The authors should thank him for exposing the flaw. Adobe gave them a lifetime guarantee on the software, so that means that the authors will get the upgrades to the newer, safer eBook format for free. The only people who suffer are Adobe, who *OUGHT* to feel some economic pain for selling broken software like that)
eBooks are designed to take away rights we have in meatspace; i.e. take a book and loan it to a friend, or to carry it with us and read it anywhere we want to. Dmitry created a program that restores some of those rights by giving people outside the USA the ability to view eBook content on more than one computer.
we take men like Sklyarov who delight in playing a sort of twisted Robin Hood and turn them into our heroes. We rationalize the crimes ("Free speech", "Information wants to be free", blah blah blah)
Why compare him to a thief like Robin Hood? Sklyarov didn't steal anything. What did he do?
He spoke about how something could be done, specifically, he described a decryption technique that, if used, might make stealing possible. Ian Fleming's novels described the techniques James Bond might use to kill a person. Should Ian have been charged with murder just because someone else *could* read the books and use those techniques to commit a murder? I don't think so. What else did Dmitry do? He wrote a program that could be used to make stealing easier. Do you think Walther or Colt executives should be charged with murder just because the guns their companies manufacture *might* be used to murder someone?
The simple fact is that Dmitry's only crime in the USA is that of speaking about something that you don't want the rest of the world to know about. The bill of rights is supposed to protect speech, even speech that is not popular with you. The DMCA's anti-circumvention provisions contradict the bill of rights, and these provisions ought to be overturned.
You seem to be confusing two legal issues that involve Adobe. The Adobe infringement suit with the German law company involved KDE's KIllustrator. I don't think the arrest of the defcon speaker has anything to do with that.
--
"Weapons should be hardy rather than decorative" - Musashi
BTW, I use mutt mainly because I HATE pico. PINE never included the functionality to plugin your own editor. You have to use pico first, and then exit to your own editor.
You only have to use pico when filling in the header info. The entire body is in the editor of your choice. That is not a major problem, IMHO
--
"Weapons should be hardy rather than decorative" - Musashi
I think that IPF is done for. My guess is that the other bsds will want to adopt pf, and I'm certain that the COTS software vendors who have ipf-based products will do the same, since there's no question about the licence changing on a whim like happened with IPF.
--
"Weapons should be hardy rather than decorative" - Musashi
Some anonymous coward said: what this joker is suggesting is that each employee should have a separate PC to be used exclusively for such vital tasks
as reading Slashdot and crunching SETI data.
I'm the "joker" who submitted the article, and I didn't mean that at all. :) I mean that a critical infrastructure like the power grid should *NEVER* have a connection, not even an indirect connection, to the internet. I don't think it is smart to put a computer that can manage the grid on the same network as a PC that will be used to browse the web, or answer email, do SETI@home, look at pr0n, or what ever else lusers do that involves the internet.
Any of that stuff - even reading business related email - should be happening on a separate network from the computers for the grid. I'm not talking about a subnet that is supposedly isolated from the rest of the network by a switch. (What if I flood your switch with so many MAC advertisements on one port that it fails open and turns into a big, fat hub?) What they need is an honest air gap to separate their grid computers from their computers that can access the internet.
I was not trying to defend the actions of the employees who were violating TVA's computer policy when I said, "I'm wondering why using SETI@Home on PCs with
access to the internet would be a problem. As cheap as PCs are, you'd think that TVA
would have separate internet/email PCs on every desktop..." I was saying that a proper setup (e.g. using separate computers with an air gap) is not expensive, and it would have prevented an employee policy violation from becoming a breach of computer security.
--
"Weapons should be hardy rather than decorative" - Musashi
Microsoft's email client caused some people on the wireless network almost as much grief during blackhat this year. ;-)
-Joey
the shmoo group's data gives an idea of the type of attack tools that are most commonly used in intrusion attempts, but if you want to know the tools and techniques that are the most likely to succeed, it would be good to talk to Caezar or some other member of the ghettohackers. After all, they are the ones who win at capture the flag year after year....
I don't know about defcon 9 (2001), but I seem to recall them only being able to get part of the traffic at defcon 8 (2000).
[*] my emphasis, not theirs
this article mentions java-based smart card readers that work with Linux. Does anyone know of a similar biometric product?
"The effects of this worm are detrimental to all and we'd like to give each member a chance to secure their machines. However, after 9/23/01, Speakeasy's Abuse Team will be freezing the DSL circuit hooked to any machine infected with the worm. We apologize for the inconvenience of this, but it is imperative that we ensure our network is not assisting in the propagation of this, or any, worm. All of us are part of a larger community, and it really isn't cool to infect your neighbors."
I'm glad they are doing this. It is about time
I can't get to www.abcnews.com, either
They are one of the requirements of a Trusted OS
Being compared to a classic arcade game is pretty cool! :)
--
"Weapons should be hardy rather than decorative" - Musashi