Whoever moderated this post to "5" is on crack. ;-)
A comment made in jest, obviously. However, I couldn't resist pointing out the flaw in this sort of statement. You don't moderate people because you agree or disagree with them. You moderate if it is a flame or a rude, insensitive, or otherwise blatantly disrespectful comment. Just because you happen to disagree doesn't mean he should be moderated down/not moderated at all.
What kind of users are you talking about? The non-paying kind
You're exactly right. But at an ISP why do you care if the users are using clear-text protocols? Any loss is their loss, not yours. The stakes are much higher at a business or university. Imagine how upset a professor would be if his research was stolen, or a student if his homework was copied. Not very happy I'd imagine. In an ISP environment, however, an administrator's job is simply to provide the ability to use encrypted protocols such as ssh. Then if the luser uses a clear text protocol and has his account hijacked, it's not your problem. It is then your job to secure your systems in the event of a user's account being compromised so that no further damage is done.
As for Frontpage extensions, I really don't think that's relevant here, and it's an entirely different argument.
Unfortunately some web development clients only understand FTP and can't use sftp.
I assume you're referring to applications such as Dreamweaver/Frontpage/Composer. True, these apps can't use sftp, but there's an easy workaround which we've suggested to our users. Check out stunnel. Works great, and it's GPL'd. Yay!
Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)
The best printer ever, hands down. Fast (10-12 pgs/min), reliable, and compatible - with everything. I never had a problem with them. Perfect for the office environment but perhaps a bit too bulky at home.
Unfortunately they are no longer being made but many can be found on eBay. Yay HP!
Crontabs do not have the ability to run commands say, every other week, or every other month. A simple way to do this is with the following shell script (I'll call it script.sh):
--- begin script ---
#!/bin/sh
# Flag-file toggle: the command at the bottom runs on every second invocation.
FLAGFILE=/path/to/flag
if [ -f "$FLAGFILE" ]; then
    # Flag present: the command ran last time, so clear the flag and skip this run.
    rm -f "$FLAGFILE"
    exit 0
else
    # Flag absent: set the flag and fall through to the command.
    touch "$FLAGFILE"
fi
# call command(s) to run here
--- end script ---
Then, in the crontab, enter something like the following:
0 0 * * 1 /path/to/script.sh
This will run the script.sh file every Monday at 12am, which will execute the intended command every other Monday at 12am.
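As an added example (not code from the post above), here are the same flag-file toggle as a testable function and a stateless alternative. The flag approach keeps its only state in the file, so a missed Monday (host down, cron stopped, flag removed by a tmp cleaner) silently flips which weeks the job runs on; deciding from the calendar instead avoids that. The flag path and dates are illustrative assumptions; the crontab line itself stays "0 0 * * 1 /path/to/script.sh".

```shell
#!/bin/sh
# Added example, not from the original post. Two ways to turn a plain weekly
# cron entry into an every-other-week job. Paths and dates are assumptions.

# 1. The flag-file toggle from the post as a function: returns 0 ("run") on
#    one invocation and 1 ("skip") on the next. The parity lives only in the
#    flag file, so one missed invocation shifts the whole schedule.
#    $1 = flag file path
run_alternate_weeks_flag() {
    flag=$1
    if [ -f "$flag" ]; then
        rm -f "$flag"
        return 1                 # "off" week
    fi
    touch "$flag"
    return 0                     # "on" week
}

# 2. Stateless alternative: decide from the date, not from a file.
#    days_since_epoch prints the day number of a Gregorian date relative to
#    1970-01-01 (day 0) with integer arithmetic only, so it needs neither
#    GNU `date -d` nor BSD `date -j` and gives the same answer on every host.
#    $1 = year, $2 = month (1-12), $3 = day; zero-padded input from
#    `date +%m` / `date +%d` is accepted (one leading zero is stripped).
days_since_epoch() {
    y=$1 m=${2#0} d=${3#0}
    # Shift the year to start in March so the leap day falls at the end.
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$(( y / 400 ))                       # 400-year cycles of 146097 days
    yoe=$(( y - era * 400 ))                 # year within the cycle, 0..399
    doy=$(( (153 * m + 2) / 5 + d - 1 ))     # day within the March-based year
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))   # day within the cycle
    echo $(( era * 146097 + doe - 719468 ))  # 719468 = days from 0000-03-01 to 1970-01-01
}

# should_run_this_week Y M D [PARITY]: succeed (0) when the epoch week that
# contains Y-M-D has the wanted parity (0 = even weeks, 1 = odd weeks).
# Consecutive Mondays always fall in consecutive epoch weeks, so they
# alternate, and a Monday the job misses does not move the schedule.
should_run_this_week() {
    week=$(( $(days_since_epoch "$1" "$2" "$3") / 7 ))
    [ $(( week % 2 )) -eq "${4:-0}" ]
}

# Inside script.sh, called by cron every Monday, the stateless check is:
#   should_run_this_week "$(date +%Y)" "$(date +%m)" "$(date +%d)" || exit 0
#   ... real command(s) here ...
```

Pick the parity once (0 or 1) to choose which of the two alternating Mondays the job belongs to; the flag variant needs no such choice but has to be reset by hand if it ever gets out of step.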
They had a robot driving the van at the end, sort of. It was remote controlled but still.. then the little camera turned and faced the guy who opened the door. That was funny. Reminded me of Short Circuit..
:) Thanks for your compliments. I am not afraid to admit when I'm wrong, and in this case I was clearly in err. More importantly, I have learned my lesson and I dare say that I will not be taken advantage of so easily in the future.
When I was brand new to Linux (Mid '97), I was 0wned by a script kiddie. Here's what happened:
I had a Red Hat 6.0 box running 2.2.12. I was running Apache, Sendmail, wu-ftpd (2.6?) and bind, as well as all the default services that were running on a stock Red Hat box (all the RPC stuff, portmap and such). I was poking around on my system one day and I saw a user that I didn't create. The name was interesting (can't remember exactly what it was) so I decided to check it out. I first shutdown the gateway interface so the user was disconnected (this wasn't a big deal at the very small business that I worked for at the time). I went into his home directory and didn't see anything obvious - at first. After giving it a second glance I saw two directories with the title "..". I tried to change to ".." and, of course, was changed to the parent directory. After I changed back I did a long directory listing and saw that the directory was actually ".. ". After puzzling over how to get into the directory, rather than up to the parent, I realized I could put quotes around it and I cd'd into it.
The contents were very interesting. There were two items of interest - an eggdrop IRC bot and the code for a wu-ftpd exploit. I knew I had been 0wned and called up a friend who was familiar with Unix. He showed me how to check what services were running. The eggdrop had spawned about 8 processes that were connecting to various IRC networks and were advertising warez/pr0n ftp sites! It was interesting logging into an IRC channel and seeing a bot running off of MY hardware:) I of course killed the bots and removed the eggdrop software. Then I checked out the ftp exploit. This was obviously how the user had gotten into the system. I'm not sure why he uploaded the exploit code to my box. Perhaps so he could 0wn other systems from our server? Probably. In any case, the code was written by a guy known as "wile coyote" (I just googled and couldn't find the exploit). I don't know the details of how the code worked; I think it exploited a SITE EXEC vulnerability. In any case, I saw that the code was written for the version of Wu-FTP that I was running. I e-mailed "wile" and he replied telling me that the code only worked for wu's that were "poorly configured =p". Hehe. I knew I wasn't any good so I just laughed:).
I thought I had cleaned up the mess after I'd removed the user, the exploit, and patched wu. I was wrong. I had been foolish and hadn't run a port scan. After a week or so I saw another user on my system that I wasn't aware of! Same deal as before; running eggdrop code, this time no exploit. I killed the user and asked some local gurus about what to do. One of them introduced me to nmap. After running it (and seeing many, many unessential services wide open), there was a very interesting one: a bash shell exposed to some high port (~50000). I telnetted to the port and I was r00t, just like that. No password authentication or anything (who knows the command to do this?). The guru helped me find where the exploit was. The guy had left a backdoor for himself in /etc/inetd.conf. I had no idea! At this point I decided I couldn't know what else he had done. I decided to redo the system (with a focus on security this time). I learned my lesson and now I know a great deal more about securing a network. I don't run wu-ftp anymore :)
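Two checks that would have caught what the story above describes, written here as an added example (not the poster's own commands): one finds directory names that are "." or ".." padded with whitespace, like the ".. " that hid the toolkit, and one audits an inetd.conf for entries that hand out a shell with no authentication, which is what a bash bound to a high port in /etc/inetd.conf amounts to. The home directory layout, the service name "backup" and the inetd.conf contents are constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Sample directories and the
# inetd.conf below are constructed, not captured from a real system.

# find_hidden_dirs DIR: print entries in DIR whose name is "." or ".."
# padded with spaces/tabs, or consists of whitespace only. In a casual
# `ls` these are invisible or look exactly like the parent-directory link.
find_hidden_dirs() {
    for entry in "$1"/* "$1"/.*; do
        [ -e "$entry" ] || continue            # unmatched glob pattern
        name=${entry##*/}
        case "$name" in
            .|..) continue ;;                  # the genuine . and .. links
        esac
        stripped=$(printf '%s' "$name" | tr -d ' \t')
        case "$stripped" in
            .|..|'') printf '%s\n' "$entry" ;;
        esac
    done
}

# find_inetd_shells FILE: print active inetd.conf lines whose server
# program, or the program run behind the tcpd wrapper, is a shell. Such a
# line is an unauthenticated bind shell: anyone who connects to the port
# gets a shell as the user in field 5 (root, in the story) with no login.
#   inetd.conf fields: service socket proto wait user server args...
find_inetd_shells() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }          # comments, blanks, junk
        {
            prog = $6
            if (prog ~ /\/tcpd$/ && NF >= 7) prog = $7
            sub(/.*\//, "", prog)              # keep the basename only
            if (prog ~ /^(sh|ash|dash|bash|ksh|csh|tcsh|zsh)$/) print
        }' "$1"
}

# Constructed sample: an ordinary-looking inetd.conf plus one backdoor line.
# Classic inetd resolves the service name through /etc/services, so the
# attacker would also have mapped "backup" to the chosen high port there
# (assumed here, not shown).
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
backup  stream  tcp     nowait  root    /bin/sh         sh -i
EOF
}

# demo: build the sample tree and run both checks, printing only findings.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/home" "$tmp/home/.. " "$tmp/home/.ssh" "$tmp/home/public_html"
    sample_inetd_conf > "$tmp/inetd.conf"
    echo "hidden directories:"; find_hidden_dirs "$tmp/home"
    echo "inetd bind shells:";  find_inetd_shells "$tmp/inetd.conf"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` to see both findings; on a real box, point find_hidden_dirs at each home directory (and /tmp, /var/tmp, /dev) and find_inetd_shells at /etc/inetd.conf, then compare the listening ports from `netstat -lp` or an nmap scan against the services you actually meant to run.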
Wow, I am very surprised at that response. Rather than a typical form response, like most customer service areas, or no response at all, Intuit responded in a very professional way. Reading the paragraph at the bottom of his statement and the results of the test on the link at the bottom are convincingly positive. While the software does alter the boot sector, it doesn't seem to be in the interest of controlling their users' data. Rather, it seems to be a convenience to the customer. I won't disregard their software in the future; I'm always impressed by good customer service.
In that respect, Ibex PC and Hamilton Beach customer service departments are also very helpful.
> Freeman Dyson's take on the science in the novel, which according to Dyson, was BAD.
This VERY well could be. I wouldn't have any idea. There is at least one code snippet in the book and I remember it being very vague and it certainly didn't add to the novel much. I'll be the first to admit that most of his novels aren't very accurate at all (Sphere, Congo, Andromeda Strain). I think Timeline is one exception. His books are very entertaining, at least in my opinion, and he still puts in a lot of research. He just has to spice it up a little for entertainment's sake. It is fiction, after all :)
I'm sorry to hear all this negative banter about Sony. I did a lot of research and read a lot of reviews before I decided on my 27" Wega last June. So far I have been extremely happy with it. It would be sweet if I had a chance to use it once in a while... my a%$ roommates are always on it. Some people watch TV ALL THE DAMN TIME. They must watch it 8 hours/day or more.
if the source for say MS Word were included and you *could* modify it...
Who said anything about modifying it? This is simply for evaluation purposes. We can now examine the code to be sure that it is of quality before we purchase. This might be only useful for large purchases or interested parties, but I still think it's a great idea.
The only users who would really understand it are the programmers, and even then they would need to spend a LOT of time analyzing it...
What about Open Source projects? The linux kernel, for example is a HUGE program. Much larger than many (most?) commercial products. It is constantly modified and dissected by thousands of interested users. There would be plenty of people itching to get their hands on the inside of Oracle's database engine, I assure you.
The only people who would benefit are the releasing company's rivals, who would have the time & money to sit down and reverse engineer the code, and then rerelease it as their own.
As you said, RTFA. He addressed these points explicitly with the Tom Clancy analogy.
BankDirect's web site has a different privacy policy, which reassuringly states 'We restrict access to nonpublic personal information about you to those employees who need to know that information to provide products or services to you.' Hmmm...
Wow. That seems like a glaring contradiction to me. How could they send out the e-mail you included above when their privacy policy is much more conservative? That seems like a lawsuit in the making...
----
"For a number of years I have been familiar with the observation that the quality of programmers is a decreasing function of the density of go to statements in the programs they produce."
- Edsger Dijkstra
Ya 1 & 2, I remember them both too. c64 emu's are around, I've played with them. I probably still have the disk. I could find it if I hunted around for it enough. I have about a thousand disks with games for c64. Damn I loved that thing..
Are you thinking of the C-64 crossroads, where you had the little guy that you went around a maze with and shot up different colored monsters?
Man, I was the king of that game... once I found a bug and somehow warped up like 500 levels and had this insane score.. but then my Dad jerked the power and I lost it:(
Sorry, I thought that stunnel was the solution. Instead, try this link.
Hope that helps.
Probably HTTP, SMTP, FTP, SSH, that's all. :)
w00t, 2nd post, 5th dupe :)
d00d, your Mama's so slow, I fragged her before she even booted this morning..
Very interesting, thank you. I was actually referring to a Solaris box; however, I wasn't aware that linux had that ability.
netstat -lp does the job just as well. However, nmap is exponentially more useful in that I can use it to scan other machines on the network as well :)
For example, kernel 2.2.12 was released in August 1999. You are saying you ran it in mid '97.
You're right, my mistake. Got the dates confused. It was '99 after all... somehow it seemed further back. I should've taken the time to verify it.
Ben
Or, for a lighter read, try Prey by Michael Crichton. Excellent novel, though not quite as good as some of his previous work (Timeline, anyone?).
> Hopefully they will learn some grammer as well.
Or maybe they will learn some grammar in the process....
Whatever. Only 5 months to go...