If I understand the issue... sprintf() has no sanity checking. So anything that uses it becomes a potential buffer overflow vulnerability. In fact, this article on buffer overflows and countermeasures mentions sprintf() and a few others (such as strcpy, strcat, gets) which are common sources of this kind of problem.
Yes, I do. Sometimes there are some really good posts that just don't catch moderator attention.
And yes, karma-dropping doesn't always guarentee positive moderation. But the success of the tactic isn't the point. The issue is whether you've really got something to say or are just posing. Of course, I suppose if a post is ignored or moderated down, the poster can feel like a martyr. So even then, its successful.
Agreed. I'm inclined to just automatically moderate down any posts that pull that goofy over-dramatic martyrdom stunt.
That's been my knee-jerk reaction too. But I don't. I still look for the contentent of the post - although the karma dramatics do interfere.
By the way, I see you got moderated down. This is why you should most certainly have begun your post with 'time to get rid of some of that excess karma.'
I had began doing that... but removed it. I wasn't sure the target audience would have gotten the joke.
Yes - I do metamoderate. But I try to keep moderation as something other than a tool for expressing agreement or disagreement with a post. Granted - its not easy to do. I'm more inclined to mod up a post I disagree with as "interesting" than "insightful".
Is it me, or is every time a post begins by mentioning karma, the actual content is some uninspired drivel supposedly making insightful criticism of some perceived Slashdot sacred cow?
What is it? Some reverse psycology tactic? Pre-positioning onself for the role of martyr? In any case, it screams "lack of conviction."
State your argument and let it stand on its own merrits... or lack thereof.
Years ago, I did desktop support for a large government installation. I would get assigned a handfull of cases per location at a time. Inevitably, one of those cases would be for someone who was away from their desk with their desktop locked via screensaver. It was good that they were following policy and used either a timed or manual lock - it was bad that normally I'd have to leave a "sorry we missed you" card and their case would go back in to the cue (and further delayed).
Then I burned an autorun CD that would kill their screensaver when popped in to their CDROM drive. I very rarely ran in to a workstation with autorun disabled. What I usually got was quick desktop access and often a customer comment card thanking me for the quick turn-around.
The really interesting part of this little mixup is how quickly misinformation travels. While this episode might not be all that serious in the grand scale of things, I wouldn't be surprised if one day this same sort of mix up (ie- online news sites reporting some rumor story that spreads like fire through blogs and other online portals) will create a real problem or crisis.
I figured this was exactly how the stock market worked. Or, at least, how it worked in the hayday of day-traders, online news and 'investment' gossip forums... and clicky-clicky friendly online tool sets.
It looks like that text has been removed - at least, I don't notice it at that URL (or during a cursory search through the site). Having said that - this does put forward an interesting question.
How are contracted researchers expected to behave in such a situation?
It seems that the usual "full disclosure" notice comes from an audit of a product by an external group / individual without contract or invitation by the producer of that product (publicity-grabbing "hacker challenges" aside). Such reports certainly warn the product's user base. But they also seem to be an attempt to embarass the producer of that product to action - patching the current issue and perhapse increasing future quality control.
What if the research group is hired by WidgetSoft to audit the Widget2000 and they discover a major vulnerability? It is unlikely the public will ever hear of it from the research group. WidgetSoft will likely develop the patch, and release it with their own report based on the research group's findings.
But what if WidgetSoft decides to bury the findings? Then our hypothetical research group has a dilema. It would be wise for this group to be sure their business contract specifically avoids conflicting with their morals.
Unless, of course, they're in the business of the shake-down.
...and you're saying the same people who think LNUX is everything "Linux" is going to know anything about the EFF? Or that the EFF is having a fund raiser in SanFran? And that this fundraiser includes a "boxing match"/political statement?
Here's another concept - the ACLU, NRA, AARP, and NAACP have a whole hosts of people who view them as extremist nutcases out to actively destroy what's Right (according to their critic's definition, and not as in "right-wing"). EFF will have critics just because of who and what they are. Political rights lobby groups are as respected as they are reviled.
Actually... you're wrong on both accounts. Slashdot covered an educational licencing program from Microsoft a few months back. The basic layout was a department would count the number of computers and accept a flat fee per computer - no matter what the machine was already running (one theory was that most of them would probably be Windows or MacOS and the package included software for both). If an institution wanted educational licensing - THIS was the option.
In this case, you would potentially have machines that are being double-charged (or if they're runng, say, Linux - overcharged) at no risk of future sales. After all, the educational package included staples such as Office.
It seems like a lot of technical certifications and standards... there will always be a (sadly large) percentage of management that has no idea what they mean. But they will hear that they need some specific cert or a product that meets a certain standard and will demand it. It provides something for the chronically inept to shoot for.
You've missed the difference between having the source code available (sometimes referred to as "open source") and Open Source.
In short, having source code available does not make a project Open Source - its all about the licensing. And not all Open Source projects match the Free Software definition (witness FSF vs BSD jihads).
Though this raise an interesting question. What would it take for, say, RedHat to offer their services in Peru (and exactly what kind of support infrastructure does Microsoft have in-country)? And would business with Peru justify the cost of putting any additional infrastructure in place.
Note to all ethical hackers, script kiddies, and whistle-blowers: the US Government does not want your help. If you point out insecurities (glaringly obvious or otherwise) in any Government host or network, do not expect thanks. Instead, you should expect to be the subject of investigation.
There are three things one should consider when dealing with the US Government on information security issues. First, the US Government's business is law, not technology - they have much more understanding of the former than latter. Secondly, the US Government tends to not understand information security issues. Their expertise deals with government and Cold War policy - the modern infosec environment has aspects of that era... but it is quite different. Finally, the US Government is not interested in information security issues. Lets address these points.
Before going further on this rant... I'd like to make one qualifying statement. Like all large groups, there are individuals within various Government bureaucracies who are exceptions to these observations. I like to think I was one of them. And I know some excellent people working information security within their departments who defy the norm. But nonetheless, the norm does exist. Despite these excellent few examples, it is the leadership and the vast majority of management in US Government institutions who generate the following attitude.
The business of Government is not information technology, it is law. Any manager within Government is a bureaucrat in one way or another... including IT. One does not gain any such level of trust without understanding the political system in which one operates. This often leads to IT managers who have a limited familiarity with IT systems, but are very comfortable with rules and law. This can work for them if they're forced to fight for their environment's budget. If a Government agency is lucky, they have enough pull to win a decent budget and easily meet their needs. Many agencies are forced to make due on what little IT budget they are able to scrounge. This leads to few resources be it equipment or manpower. With this in mind, the highly skilled IT worker is few and far between within Government. And those few dedicated souls will likely be overworked.
Governmental infosec agents tend to have a physical security / Cold War background. They are used to dealing with entirely different environment than what is commonly found today. This leads to a slew of misconceptions, but we'll focus on a few specifics. They value secrecy over disclosure. They have a hard time accepting hacking (malicious or not) as entertainment / educational. They believe anybody exposing a system's vulnerabilities have only malicious motives.
I'd like to demonstrate these two points with a quick story. I was attending a monthly cross-contract infosec meeting for a large US Government facility. The meeting started with a nice presentation of a recent vulnerability and how to mitigate the threat. There were a few attentive audience members, but the vast majority sat there with a dazed look as the presentation washed over them. Then the local FBI agent stood up to make a presentation on a recent compromise of one of the facility labs. The lab manager was on hand to give testimony on the damage caused to his environment and the loss of resources to the FBI as they confiscated equipment to collect evidence for the future prosecution phase of the case. The room lit up. There were notes being taken, questions being asked and an overall enthusiasm for the process of catching the perpetrators of this damage. The interesting point was that this same manager had told me two months prior that he didn't wish to deal with any of the infosec procedures I had been suggesting as the changes would be "more disruptive than anything those hackers could do." If the audience in that room paid more attention, time, and funds to improving their security stance they would spend MUCH less time and funds in recovering from attacks. The point was always lost on them.
Finally, the Government is not interested in information security. If they were, they would fund it. And they don't. I would constantly hear phrases along the lines of "we would do that if we had the funding, but we can't spend that much time on that kind of activity without specific funding for it... and we've been trying to get funding for infosec, but can't." I always found it ironic when a defaced web page would include instructions from the attacker on how to secure the machine. Its not (always) that the sysadmin was incompetent and needed instruction. Often its that he/she doesn't have the time or permission to deal with it. The sad fact is that compromising.gov IP space is child's play.
So what if you STILL want to blow the whistle? First, make it public and embarassing - nothing gets a beurocracy moving faster than public embarassment. That usually means the press. But the trick is to find a reporter you can trust to keep your identity anonymous. The last thing you want is an embarassed beurocrat trying to cover their tail by shifting the blame on to you.
Re:One omission in the articles...
on
WarTalking Arrest
·
· Score: 4, Interesting
This is quite facinating. There are a couple really important statements made in that article:
The network had not yet been set up, they said, and neither Puffer nor anyone else could have done any damage.
...
But because the county's main system and the independent one run by Bacarisse are connected, Puffer was able to show Jennings that he could get information about the county computer network. ...
Bacarisse said his staff found a pornographic picture on one of its servers Tuesday that he suspected was planted by Puffer. He said he would refer the incident to the District Attorney's Office. ...
Bacarisse accused Jennings of giving Puffer information to help him access the system and hinted that Jennings was trying to use the demonstration to increase his authority over systems that he didn't control.
Jennings and Puffer vehemently denied that.
These quotes lead to a lot of questions. If this was a test network that couldn't present any threat to the government's network... how come Puffer was able to access the County network? Furthermore, why is Puffer being convicted? And how would he have been able to post a pornographic photograph?
This has all the markings of beurocratic infighting. A techie quiting after a short, stormy tenure. A beucrocrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same beurocrat accusing another government worker of moving in on his personal feifdom.
The only thing I'm suprised is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.
Isn't it partially the responsibility of our ambassador to promote trade with Peru? Why would an ambassador tell a country to take action to decrease the import from the US?
I missed the part where the ambassador mentioned that the US has some of the world's leading Open Source solution providers.
[U.S. Ambassador John Hamilton] added that by excluding proprietary software companies like Microsoft, Peru would be hurting an industry that "has the potential to create 15,000" jobs in the local economy.
I'm kind of curious as to where this the 15k job figure comes from. Just what kind of jobs are we talking about? And how is Microsoft the only key to such jobs?
An IT industry covers quite a spectrum of jobs. There are your lower-level technicians and support staff. There are higher-level system and network administrators. There are system architects who identify organization's need and designs an appropriate sytem from available components (or identies components needed). There are programmers who build those additional components.
The only time any of these jobs require Microsoft is when the organization has already invested in Microsoft solutions. And even then - change will happen whether Microsoft is used or not (witness the slow deprecation of many long-standing Novell networks and the migration from one version of Windows to another).
If the Government of Peru invests heavily in a Linux or *BSD infrastructure, it will still have to hire a whole gambit of IT workers to support its environment. If the 15k job figure is correct then it will be 15k IT professionals with a background in Open Source systems and software.
Oh yea. You never see anything similar for other platforms such as Windows.
Say - since Win2K makes a pretty nice gaming platform does that mean Win2K isn't ready for work time either? I shudder to think what that means about WinXP. Heck, OS X is out too. Lesse... there's Solaris... oh, wait... Quake ruined that. Damn those geeks having fun!
Damn. I guess we're just going to have to go back to paper and pens. Oh well. The whole "IT industry" scam was fun while it lasted.
Right. But that's the final condition. Note that the other conditions (kids, criminals, adopters, etc) are not stated as mandatory. And when the challenge was made - it did not request examples that have already lead to mandatory tracking.
Now is the time to oppose center mounted reciprocating framjets otherwise they may become mandatory, and we can't take that chance.
Really? Can you demonstrate where reciprocating framjets are being used in a questionable manner - mandated by law or not? And can you demonstrate a trend that would lead to their being mandated if they're not already?:)
I do agree with your point. Jumping in and opposing a technology entirely based on the possibility of its misuse is foolish. The old cliche of the hammer as tool or weapon applies here. The rational approuch is being aware how a piece of technology is being used and opposing its misuse.
My concern is that this technology is especially suited to abuse. This demands carefull attention - something our current social and political environment doesn't always provide. Although, I do not share the same paranoid breathlessness expressed in the origional post.
I guess I jumped in this thread to play Devil's Advocate more than whip up additional paranoid fantasy.:)
You must LOVE the old joke:
patient: Doctor, it hurts when I do this.
doctor: Well then, don't do that!
If I understand the issue... sprintf() has no sanity checking. So anything that uses it becomes a potential buffer overflow vulnerability. In fact, this article on buffer overflows and countermeasures mentions sprintf() and a few others (such as strcpy, strcat, gets) which are common sources of this kind of problem.
And yes, karma-dropping doesn't always guarentee positive moderation. But the success of the tactic isn't the point. The issue is whether you've really got something to say or are just posing. Of course, I suppose if a post is ignored or moderated down, the poster can feel like a martyr. So even then, its successful.
Yes - I do metamoderate. But I try to keep moderation as something other than a tool for expressing agreement or disagreement with a post. Granted - its not easy to do. I'm more inclined to mod up a post I disagree with as "interesting" than "insightful".
Is it me, or is every time a post begins by mentioning karma, the actual content is some uninspired drivel supposedly making insightful criticism of some perceived Slashdot sacred cow?
What is it? Some reverse psycology tactic? Pre-positioning onself for the role of martyr? In any case, it screams "lack of conviction."
State your argument and let it stand on its own merrits... or lack thereof.
Years ago, I did desktop support for a large government installation. I would get assigned a handfull of cases per location at a time. Inevitably, one of those cases would be for someone who was away from their desk with their desktop locked via screensaver. It was good that they were following policy and used either a timed or manual lock - it was bad that normally I'd have to leave a "sorry we missed you" card and their case would go back in to the cue (and further delayed).
Then I burned an autorun CD that would kill their screensaver when popped in to their CDROM drive. I very rarely ran in to a workstation with autorun disabled. What I usually got was quick desktop access and often a customer comment card thanking me for the quick turn-around.
Isn't ignorant generalizations fun?
I have 3 theories -
1) This is the output of a script that is fed various anti-fanboi posts and strings togeather clippings to generate new posts.
2) Its one of those odd humor pieces that pokes fun at Star Wars fans, their critics, and ignorant youth.
3) Its actually a post by an ignorant youth.
In any case, its funny. The only thing left is to figure out if one should be applauding the mastery or be amazed by the stupidity.
It looks like that text has been removed - at least, I don't notice it at that URL (or during a cursory search through the site). Having said that - this does put forward an interesting question.
How are contracted researchers expected to behave in such a situation?
It seems that the usual "full disclosure" notice comes from an audit of a product by an external group / individual without contract or invitation by the producer of that product (publicity-grabbing "hacker challenges" aside). Such reports certainly warn the product's user base. But they also seem to be an attempt to embarass the producer of that product to action - patching the current issue and perhapse increasing future quality control.
What if the research group is hired by WidgetSoft to audit the Widget2000 and they discover a major vulnerability? It is unlikely the public will ever hear of it from the research group. WidgetSoft will likely develop the patch, and release it with their own report based on the research group's findings.
But what if WidgetSoft decides to bury the findings? Then our hypothetical research group has a dilema. It would be wise for this group to be sure their business contract specifically avoids conflicting with their morals.
Unless, of course, they're in the business of the shake-down.
...and you're saying the same people who think LNUX is everything "Linux" is going to know anything about the EFF? Or that the EFF is having a fund raiser in SanFran? And that this fundraiser includes a "boxing match"/political statement?
Here's another concept - the ACLU, NRA, AARP, and NAACP have a whole hosts of people who view them as extremist nutcases out to actively destroy what's Right (according to their critic's definition, and not as in "right-wing"). EFF will have critics just because of who and what they are. Political rights lobby groups are as respected as they are reviled.
Actually - I believe the origional BSD license with its "advertising clause" had some negative comment from the FSF. (shrug).
But hey - I like both the BSD and GPL. So I tend not to track those arguments.
Actually... you're wrong on both accounts. Slashdot covered an educational licencing program from Microsoft a few months back. The basic layout was a department would count the number of computers and accept a flat fee per computer - no matter what the machine was already running (one theory was that most of them would probably be Windows or MacOS and the package included software for both). If an institution wanted educational licensing - THIS was the option.
In this case, you would potentially have machines that are being double-charged (or if they're runng, say, Linux - overcharged) at no risk of future sales. After all, the educational package included staples such as Office.
It seems like a lot of technical certifications and standards... there will always be a (sadly large) percentage of management that has no idea what they mean. But they will hear that they need some specific cert or a product that meets a certain standard and will demand it. It provides something for the chronically inept to shoot for.
Actually... if you really want to get pedantic...
You've missed the difference between having the source code available (sometimes referred to as "open source") and Open Source.
In short, having source code available does not make a project Open Source - its all about the licensing. And not all Open Source projects match the Free Software definition (witness FSF vs BSD jihads).
IBM.
Though this raise an interesting question. What would it take for, say, RedHat to offer their services in Peru (and exactly what kind of support infrastructure does Microsoft have in-country)? And would business with Peru justify the cost of putting any additional infrastructure in place.
Note to all ethical hackers, script kiddies, and whistle-blowers: the US Government does not want your help. If you point out insecurities (glaringly obvious or otherwise) in any Government host or network, do not expect thanks. Instead, you should expect to be the subject of investigation.
.gov IP space is child's play.
There are three things one should consider when dealing with the US Government on information security issues. First, the US Government's business is law, not technology - they have much more understanding of the former than latter. Secondly, the US Government tends to not understand information security issues. Their expertise deals with government and Cold War policy - the modern infosec environment has aspects of that era... but it is quite different. Finally, the US Government is not interested in information security issues. Lets address these points.
Before going further on this rant... I'd like to make one qualifying statement. Like all large groups, there are individuals within various Government bureaucracies who are exceptions to these observations. I like to think I was one of them. And I know some excellent people working information security within their departments who defy the norm. But nonetheless, the norm does exist. Despite these excellent few examples, it is the leadership and the vast majority of management in US Government institutions who generate the following attitude.
The business of Government is not information technology, it is law. Any manager within Government is a bureaucrat in one way or another... including IT. One does not gain any such level of trust without understanding the political system in which one operates. This often leads to IT managers who have a limited familiarity with IT systems, but are very comfortable with rules and law. This can work for them if they're forced to fight for their environment's budget. If a Government agency is lucky, they have enough pull to win a decent budget and easily meet their needs. Many agencies are forced to make due on what little IT budget they are able to scrounge. This leads to few resources be it equipment or manpower. With this in mind, the highly skilled IT worker is few and far between within Government. And those few dedicated souls will likely be overworked.
Governmental infosec agents tend to have a physical security / Cold War background. They are used to dealing with entirely different environment than what is commonly found today. This leads to a slew of misconceptions, but we'll focus on a few specifics. They value secrecy over disclosure. They have a hard time accepting hacking (malicious or not) as entertainment / educational. They believe anybody exposing a system's vulnerabilities have only malicious motives.
I'd like to demonstrate these two points with a quick story. I was attending a monthly cross-contract infosec meeting for a large US Government facility. The meeting started with a nice presentation of a recent vulnerability and how to mitigate the threat. There were a few attentive audience members, but the vast majority sat there with a dazed look as the presentation washed over them. Then the local FBI agent stood up to make a presentation on a recent compromise of one of the facility labs. The lab manager was on hand to give testimony on the damage caused to his environment and the loss of resources to the FBI as they confiscated equipment to collect evidence for the future prosecution phase of the case. The room lit up. There were notes being taken, questions being asked and an overall enthusiasm for the process of catching the perpetrators of this damage. The interesting point was that this same manager had told me two months prior that he didn't wish to deal with any of the infosec procedures I had been suggesting as the changes would be "more disruptive than anything those hackers could do." If the audience in that room paid more attention, time, and funds to improving their security stance they would spend MUCH less time and funds in recovering from attacks. The point was always lost on them.
Finally, the Government is not interested in information security. If they were, they would fund it. And they don't. I would constantly hear phrases along the lines of "we would do that if we had the funding, but we can't spend that much time on that kind of activity without specific funding for it... and we've been trying to get funding for infosec, but can't." I always found it ironic when a defaced web page would include instructions from the attacker on how to secure the machine. Its not (always) that the sysadmin was incompetent and needed instruction. Often its that he/she doesn't have the time or permission to deal with it. The sad fact is that compromising
So what if you STILL want to blow the whistle? First, make it public and embarassing - nothing gets a beurocracy moving faster than public embarassment. That usually means the press. But the trick is to find a reporter you can trust to keep your identity anonymous. The last thing you want is an embarassed beurocrat trying to cover their tail by shifting the blame on to you.
This has all the markings of beurocratic infighting. A techie quiting after a short, stormy tenure. A beucrocrat implementing an insecure network and assuring that it was no threat... and then convicting on charges of altering government systems. And that same beurocrat accusing another government worker of moving in on his personal feifdom.
The only thing I'm suprised is that after having seen the insides of all this, Puffer was stupid enough to make his name known. Big hint to whistle-blowers: use the press and insist on being anonymous.
An IT industry covers quite a spectrum of jobs. There are your lower-level technicians and support staff. There are higher-level system and network administrators. There are system architects who identify organization's need and designs an appropriate sytem from available components (or identies components needed). There are programmers who build those additional components.
The only time any of these jobs require Microsoft is when the organization has already invested in Microsoft solutions. And even then - change will happen whether Microsoft is used or not (witness the slow deprecation of many long-standing Novell networks and the migration from one version of Windows to another).
If the Government of Peru invests heavily in a Linux or *BSD infrastructure, it will still have to hire a whole gambit of IT workers to support its environment. If the 15k job figure is correct then it will be 15k IT professionals with a background in Open Source systems and software.
Oh yea. You never see anything similar for other platforms such as Windows.
Say - since Win2K makes a pretty nice gaming platform does that mean Win2K isn't ready for work time either? I shudder to think what that means about WinXP. Heck, OS X is out too. Lesse... there's Solaris... oh, wait... Quake ruined that. Damn those geeks having fun!
Damn. I guess we're just going to have to go back to paper and pens. Oh well. The whole "IT industry" scam was fun while it lasted.
Right. But that's the final condition. Note that the other conditions (kids, criminals, adopters, etc) are not stated as mandatory. And when the challenge was made - it did not request examples that have already lead to mandatory tracking.
I do agree with your point. Jumping in and opposing a technology entirely based on the possibility of its misuse is foolish. The old cliche of the hammer as tool or weapon applies here. The rational approuch is being aware how a piece of technology is being used and opposing its misuse.
My concern is that this technology is especially suited to abuse. This demands carefull attention - something our current social and political environment doesn't always provide. Although, I do not share the same paranoid breathlessness expressed in the origional post.
I guess I jumped in this thread to play Devil's Advocate more than whip up additional paranoid fantasy.