At one company, I was paid weekly by check. It was drawn on Bank of America. My bank didn't talk nicely with their system, so there was a 3-4 day delay from deposit to funds available. Because of this, I would go into the BoA branch where the check was drawn. They had a $5 "counter service" fee. Basically, because I talked to a teller, and I was not a BoA account holder, they charged me $5 for the pleasure of standing in line for an hour, and then having my transaction delayed while we ran through countless hoops. It ranged from "We have to request the signature card for that account." to "We don't have that much in cash on hand, you'll need to wait for the next delivery in 1/2 hour." Sometimes they'd question me as if I was a criminal. The manager got to know me, so most of the hoops went away after a few months, but like it or not, they charged me the $5 every time I went in.
After all the headaches, they still had the nerve to ask me if I wanted to open a BoA account. Come on, you run me through these insane hoops, do you think I'd want to put anyone I was paying through the same ones??
From what I understand, the $5 "counter service" fee is gone, but account holders get raped any way the bank can, as frequently as possible. They'd go as far as to delay deposits, just so they could charge overdraft fees. They could be reversed, but it would take an hour of face time at the branch to do it.
A long time ago, I did have an account with them. One day I deposited my paycheck. It took 3 weeks for them to figure out that I had done it. That was 3 weeks of me showing up in the branch, pitching a fit loud enough for ever customer to hear. Meanwhile, I was short a paycheck, so either I could pay their overdraft fees, or end up paying late fees on my bills.
I'd say this is unique to BoA, but really it's not. Any bank will screw you any way that they can. I've seen it happen too many different ways, to too many different people. The only safe, secure bank is a good lockbox in your own house.
The 1947 date does not necessarily dictate a first contact date. It is only the first *publicized* date.
For example, the U-2 didn't exist until Francis Powers was shot down in one in 1960. Its first flight was out of Groom Lake in 1955.
I'd suspect if there was alien contact with humans, it came long before 1947. That was just the first crash that made it into the public awareness. Think about the WWII "foo fighters". That's not to give any credibility to these sightings, it's only an example to what could be.
For a while, I was doing that with a few things, including Apache and the Linux kernel. There were pieces I needed that didn't progress, so I handled my own backporting of various things. That was a long time ago, and those problems were resolved in more current versions, so it hasn't been necessary for years.
But, if you're using say mod_ssl to handle your SSL on Apache, and you're still in the 1.3.x tree, you'd now be scored down. Apache just moved the 1.3.x tree to 1.3.42 (which was mentioned on here recently), but mod_ssl only has their patch for 1.3.41. I haven't checked to see if they're compatible yet, but for the sake of argument, lets say that it isn't. If I had these in production, and I didn't upgrade to 1.3.42, I'd now score badly, even if I applied the security patch which is what the difference between 1.3.41 and 1.3.42 is. All I'd have to do is ask it to say it's Apache 1.3.42, or even say something stupid like IIS 7.5, if I really wanted to throw off any attackers. Sometimes it's better to announce the wrong thing, just to distract potential attackers. By announcing IIS, they'd try their suite of Microsoft attacks, rather than Linux attacks.
Oh, and god forbid you were to do a little honeypot action on your production machines. If you were to put a daemon listening to port 23 (Telnet), to automatically block potential intruders (Connected to port 23? Set an iptables rule immediately), they'd see that port 23 was open, and pitch a fit. That's actually a good security idea, although I don't see it used much in the real world.
I would expect that reverse engineering alien technology wouldn't have been an overnight thing. Even if we had detailed design plans, it would be more than a few years to construct anything comparable. If we're reverse engineering, it would take decades from figuring out what components did, to creating the technology to fabricate something that even resembled it. It could be argued that with the introduction of the idea, its taken this long to even come close. For example, IBM just demonstrated a 1 atom thick processor that runs at 100Ghz. It's not as simple as saying "Oh, lets assemble atoms precisely to make this."
Consider if we lost all of our technology today. Say all of humanity were forced to leave the planet, and dropped on another one, with the ideas of how things worked, but nothing but basic hand tools, and maybe a few electronics. How long would it take to set up to build even a modern computer CPU? Besides the assembly, we'd need to figure out how to design it again, by only looking at an existing one. You're not even looking at just building a CPU. You'd need to create a reliable power generation system, water treatment and filtration systems, air filtration system, etc, etc. Even just building a clean room to do the work in would take an awful long time with nothing to start with.
It's possible that there are concerns that we wouldn't even be aware of in the reconstruction of alien technology. Sure, we know that dust and moisture could be detrimental to the construction process, but what if a form of cosmic radiation that were are currently unaware of must be removed from the "clean room"?
Their site says you have to abide by the rules, but the rules aren't posted.
I'd suspect that the rules include that you must post regularly to various specific sites, and/or keep a twitter account updated. It probably says you can't give intentionally misleading information. So, my regular claim of living in Manhattan is completely out.
I'm going to apply. It shouldn't be too hard to distract folks from my real locations. I do it all the time.:) If you're not employed, it's pretty easy to disappear for a month. Find a friend of a friend in a city that you don't usually spend time in, who's house you can crash at, and don't leave their spare room for a month.:) They'll be more than happy to handle your grocery shopping for a month, if you're paying them well to do it. Most of us live fairly mundane lives, it's easy to become just another part of the scenery.
You can find someone who will assert just about anything. It reminds me of my BBS days. As CPU speeds approached 33Mhz, there was a discussion on FidoNet (if I recall correctly), where a few people were terribly insistent that computers would never exceed 100Mhz. Not that it couldn't happen, but when it did, it would be hazardous to be around, the power consumption would be impossibly high, and it would effectively destroy VHF and FM broadcast abilities.
I remember all the folks who screamed that the 2.4Ghz spectrum would kill us all. Any wireless device would be the equivalent of putting an unshielded microwave oven in your lap.
I'm still waiting to die of it. I've been pretty well exposed for quite a few years now, and I'm still alive and kicking.:) I may have almost died a few other ways, but they've never been by any method conspiracy folks have screamed about.
Shhh.. I hear the silent black helicopters coming to take me away now.:)
If it was so spiffy, it wouldn't float around in LEO. The only manned craft that we've sent beyond LEO were to the moon. Whoohoo, advances in technology. Those aliens must have given us some pretty crippled data. If I were in the black ops division of the government, I'd be renegotiating that deal. "So you came from another galaxy, but you'll only tell us how to float just above (relatively) our rock?" Officially, we haven't had a human beyond LEO since 1972.
That is, of course, assuming that those are just the missions that get anyone's attention.:)
If you look at the advancement of human technology from the 1950's to today, you could make a very good argument that many technologies currently in use were influenced from alien technology. They may have been reverse engineered, or supplied directly.
I love making that argument with people. If you do it well enough, it'll leave their heads spinning. You have to be well prepared though. It's best to strike up a conversation in a bar with, so their suspension of belief is already well in place. It's the same suspension of belief that makes them think that the really pretty girl at the other end of the bar would be willing to go home with them, regardless of the fact that she's with someone who rates several points higher than him in many aspects (mainly the fact that he's out with her, and your mark isn't.)
If they had an understanding of the technology, and had done some research, they would recognize that the advances in technology were logical steps forward, and not some conspiracy driven idea.
Come on, if we were building aircraft on alien designs, wouldn't we have an advanced space program by now, and our flagship spacecraft wouldn't be a 40 year old design, easily compromised by styrofoam or a leaky o-ring??
Anonymous sources make the best sources for information for bullshit news stories.
I could find you a dozen anonymous sources who could confirm anything. Hell, I could find you a dozen named (but unreputable) sources who could tie mysterious cosmic rays to brain cancer too.
That's overkill. A good faraday cage grounded to earth would do nicely. Then again, I wouldn't really want to be inside during a thunderstorm. Your house suddenly becomes one of the best lightning rods in the area. It may not hit you, but it'll sure as hell keep hitting your house.:)
I was at a flea market buying something quite a few years ago. Their booth was surrounded with chain link on all four walls and the ceiling. They had bolted through the concrete, which must have made a decent earth ground. I was surprised that my cell phone wouldn't work inside. I guess the frequency was pretty low on that phone. I had to step outside the cage to make a call. Inside, I had no signal. Outside I had full signal strength.
From what I recall doing this for sites that handled credit card processing (me being in the tested side), those tests are pretty much worthless.
If you had 1 vulnerability, you'd get pages of false positives or irrelevant information. I recall a particular 10 page report we got back that we were advised to fix or we'd fail on. The only item to fix was the version of the web server was just one behind current. The changelog indicated that it was to fix a vulnerability on a different platform, so it was completely unrelated to us. We'd frequently have points marked off because we couldn't be pinged or portscanned. I'd have to open the firewall up to them, just to be scanned. Our security would identify an attempted port scan as a hostile action, and react by dropping all traffic from them. Sorry my security stopped your scanning, but that's the intention of it. {sigh}
After opening the firewall to them, and changing the version number on the web server (there were reasons we couldn't do the trivial upgrade), we passed with flying colors.
For them, they were interested in the version numbers handed off by the server, not what they actually were. For example, if it was Apache, we could have it report Apache version 9.9.9, and that would have made us pass on that part without fail for years.
... and name the file the md5 of the file, rather than the sequence number.:) I wonder how many CD's a sharpie can get through. Some may be illegible. Aw heck, don't bother to mark 'em, that would make it too easy.:)
I'd bet if they were subpoena'd they wouldn't pay for the cost of the disks, nor the manhours to make them anyways.
Knowing how they can be, they'd just take the 21Tb array used to store them, and then penalize you for not keeping the logs while you're replacing the seized equipment.
Hiding out in the bush is boring. Well, nice to experience nature, but not the best place to hide, especially if law enforcement is after you. If you're in a county, state, or federal park, you'll likely encounter a fish & wildlife officer or park ranger. If you're on private property, you'll likely get a visit from the local Sheriff's department, when the landowner or a neighbor calls. No matter how isolated you think you are, someone will notice you, and complain.
The best place to hide anything, including yourself, is in plain sight. In a rural area, you may be the only person for miles. In Manhattan, your face is mingled with hundreds of thousands of others, who wouldn't remember seeing you walking down the street. You're no different than anyone else they see.
But, the best way to hide is to not be obvious. Book a hotel room under another name, preferably with all the required credentials. You can be out of sight, and out of mind, without being out of the area.
The 100 yards from the organizers facility isn't a bad idea, but it has to be done right. Sleeping in your car or a camper in their parking lot will raise suspicions. A nearby hotel with a view of the front door of their building is much more advantageous. It's also more entertaining to provide pictures of the staffers entering and exiting, *AFTER* the contest is done. You'll get the urge to brag, and when you send the first picture, it's a matter of elimination to figure out where it was shot from.
As always, know your environment. In the hotel, there may be a main elevator to the lobby, and that would be watched. What about stairways? I spent some time in a hotel for work. The elevators opened in the lobby, in plain sight. From the 2nd floor, you could take the stairs closest to the room to the 3rd floor. From there, you could cross the floor and take the other stairwell to an outside exit, without tripping a fire alarm. I wasn't scouting it because I was worried I was being followed. I was bored and exploring. It turned out that if I took the stairs to the 3rd floor, walked the length of the floor, and took the other stairwell down, it was quicker to get to always empty parking. That was faster than going the lobby route.
Pay attention to available spaces. Can you go in the laundry room, and lock the door from the inside? How about a janitorial closet that's usually unlocked.
At some point, you'll need food. In a high density environment, you won't be noticed.
Sometimes it's easy to leave all traces of yourself in one state, while being in another. Give someone your credit card and cell phone. Have them use the cards, and phone on a regular basis, to give the illusion that you are still there. Loan him your car for the duration. Folks believe I am in one state, and I'm actually in a distant state. My friend with the phone knows my new disposable cell phone number. I wander around, turn the phone on, check my voicemails that the friend leaves, and then return to my "home base".
Where am I today? I could be at a friends house. I could be in a hotel. I may be sleeping in my car in between locations. My IP? VPN'd to the state where I want to appear to be, on a private VPN. If I even begin to believe my location is burnt, I move on. Don't settle in one place too long. Have your bags ready to move within 5 minutes.
Traveling on cash for gas, and sleeping in the car leaves little evidence of my travels. I be anywhere in the US within a few days, and I still look like I'm home. Use your car like the burn phones. Buy one on Craigslist, slap the old plate on, and keep moving. If you're caught driving with the wrong plate, you can produce the bill of sale showing that you just bought it, and say you are going to properly register once you get back to your home state. With the title in hand, it's easy to swap ca
Google has a lot of data, but that doesn't mean it's easy to find things in it.
I do a lot of research on news stories, so we can accurately portray the topic (oh my gosh, researching a story). My searches have included improvised explosives, home made weapons, etc, etc. More than once, I've searched for information on Semtex and PETN. A lot of times, I've uncovered interesting information, but the lead on the story wasn't valid enough to justify running the story. Sometimes, it's been a simple matter of "they easily found instructions on the Internet to make...." Fill in what you'd like there. If it's so easy for the criminal mastermind, lets see what the search finds. I have found some really scary information out there on things that would be easily made and very dangerous, but I opt to forget about those pretty quickly.
I've probably searched enough things to place myself very happily on a few watch lists, but at least I can still fly.:) They don't park the black vans outside my house very often, but I still don't have an accurate count on the unmarked silent black helicopters flying overhead. (If you can't see them, and can't hear them, they must be there....)
Really, I'm not so much of a conspiracy nut, but it's fun to play one. I'm sitting outside as I write this, and I don't see anything flying above me. Then again, that doesn't mean they don't have a spy satellite trained on me 24/7.:) Nah, I'm not that interesting. I'm sure they just check up on my posts here to see what I'm doing.:)
I'd expect the logs would require IP's and/or hostnames.
HTTP, it's trivial to sniff hostnames.
HTTPS, it's trivial to see the destination IP.
HTTPS only works one IP per host, so that gives a positive track to where they were going.
Of course, domains change ownership, and IP's change, so what an IP is today, could be anything else tomorrow.
I'm curious to if by "ISP", they mean the residential line providers, or both ends? At my old job, they'd end up with about 2Gb of log files per day per server. There were 15 redundant servers. That was just for one site. I don't even care to think about how much storage was required for all the logs across 150 servers. No, it didn't scale evenly. The web server logs were dumped every few hours, just so it didn't fill up the drives, but left enough for forensics, if we needed them.
(15 * 2) * 365 * 2 = 21,900Gb. I would love to still be there, and have them ask for 22Tb of logs.:) I was joking with someone about how to deliver those. I suggested burnt CD's. 14,500 CD's would be fun to offer up. We then thought a little harder, and though paper tape would be the way to go.:) I know there would be better methods, but we were looking for the entertainment value in it.:) I'd feel really sorry for the guy who had to feed 14,500 CD's into a machine to burn for the feds on demand.:)
Logistically, this would become a nightmare for almost any provider, except for mom & pop shops.
I've been a member of the former, but not the later, for over a year.
No one knows where to find me. If I want to be seen, I find them.
They don't want me playing the game. They'll see me to check in, so that they know I exist, and then won't be able to find me again until the day I show up to collect my cash. Sorry, part of living free is not needing to have a bank account. It's too easy to track your motions through your own bank records.
Too bad their site is down. I'd already have signed up. Maybe I'll have to just show up to their office some night, and leave a note saying "I'm in."
I think his question went beyond the question of how secure the session is, even though he did say it.
Which is more secure, to leave a shell opened indefinitely, or to close it?
Unless he's not a normal person, at some point every day, he'll use the restroom. During the work day, he may even go get some food or drinks.
He admitted to using a Windows machine. I won't even comment on how many viruses and trojans are running around, which may compromise his desktop. All it takes is one virus that gives remote access to his desktop that would give someone a clear shot to his servers.
As anyone who's worked in an office long enough would know, once in a great while, you'll get dragged away from your desk, and not lock the console. Maybe someone shoulder surfed your password. Maybe you used the same password for your email account, and it was sniffed in the clear (tisk, tisk, should have used an encrypted method).
Of course, his information may really be worth something. Maybe that root shell will be worth a fortune. What exactly is a dump of the full Bank Of America database worth on the black market? How many fake credit cards can you print up before they reissue every single BoA credit card in circulation? In that case, it would be worth it to visit his home with force. One bump key to the back door, and one silenced shot to the back of the head, and you'd have hours (or days) before you were discovered. As always, there is no security without physical security, and that isn't only the server side of things.
I'm sure someone can name the XKCD issue which points this out the brute force flaw in any security system. A $5 wrench will break any security, if applied properly.
I'll assume his information isn't all that interesting, since he can access remotely without some serious levels of security. I'd believe we're talking about a few low traffic web servers, and a newbie admin impressing himself that he can keep his connection up for days.
I'm not sure where you were going there. I don't like sour cream. A lot of people don't. Sometimes I like a few good chips though. It really depends on it. If it's vinegar and chili powder, well, I'd have to side with the baked potato.
Maybe you were just going with the good ol', "to each his own."
You do see the inherent problem in that, right? 2020 > 2012. Little did they say about the "end of the world" was that computers were to be outlawed in 2012, and no more production of any sort would continue. The quantum brain prototype will be shelved, right along with Duke Nukem Forever Part II.
Nah, that could never happen. Us humans are the most powerful force in the universe. No asteroid passing through a supernova, and then flying through intergalactic space, and finally crashing on the Earth, could possibly go through more stress than say a water filled carbon based container at a Metallica concert.
American banks charge for anything they can.
At one company, I was paid weekly by check. It was drawn on Bank of America. My bank didn't talk nicely with their system, so there was a 3-4 day delay from deposit to funds available. Because of this, I would go into the BoA branch where the check was drawn. They had a $5 "counter service" fee. Basically, because I talked to a teller, and I was not a BoA account holder, they charged me $5 for the pleasure of standing in line for an hour, and then having my transaction delayed while we ran through countless hoops. It ranged from "We have to request the signature card for that account." to "We don't have that much in cash on hand, you'll need to wait for the next delivery in 1/2 hour." Sometimes they'd question me as if I was a criminal. The manager got to know me, so most of the hoops went away after a few months, but like it or not, they charged me the $5 every time I went in.
After all the headaches, they still had the nerve to ask me if I wanted to open a BoA account. Come on, you run me through these insane hoops, do you think I'd want to put anyone I was paying through the same ones??
From what I understand, the $5 "counter service" fee is gone, but account holders get raped any way the bank can, as frequently as possible. They'd go as far as to delay deposits, just so they could charge overdraft fees. They could be reversed, but it would take an hour of face time at the branch to do it.
A long time ago, I did have an account with them. One day I deposited my paycheck. It took 3 weeks for them to figure out that I had done it. That was 3 weeks of me showing up in the branch, pitching a fit loud enough for ever customer to hear. Meanwhile, I was short a paycheck, so either I could pay their overdraft fees, or end up paying late fees on my bills.
I'd say this is unique to BoA, but really it's not. Any bank will screw you any way that they can. I've seen it happen too many different ways, to too many different people. The only safe, secure bank is a good lockbox in your own house.
The 1947 date does not necessarily dictate a first contact date. It is only the first *publicized* date.
For example, the U-2 didn't exist until Francis Powers was shot down in one in 1960. Its first flight was out of Groom Lake in 1955.
I'd suspect if there was alien contact with humans, it came long before 1947. That was just the first crash that made it into the public awareness. Think about the WWII "foo fighters". That's not to give any credibility to these sightings, it's only an example to what could be.
You're very correct on that.
For a while, I was doing that with a few things, including Apache and the Linux kernel. There were pieces I needed that didn't progress, so I handled my own backporting of various things. That was a long time ago, and those problems were resolved in more current versions, so it hasn't been necessary for years.
But, if you're using say mod_ssl to handle your SSL on Apache, and you're still in the 1.3.x tree, you'd now be scored down. Apache just moved the 1.3.x tree to 1.3.42 (which was mentioned on here recently), but mod_ssl only has their patch for 1.3.41. I haven't checked to see if they're compatible yet, but for the sake of argument, lets say that it isn't. If I had these in production, and I didn't upgrade to 1.3.42, I'd now score badly, even if I applied the security patch which is what the difference between 1.3.41 and 1.3.42 is. All I'd have to do is ask it to say it's Apache 1.3.42, or even say something stupid like IIS 7.5, if I really wanted to throw off any attackers. Sometimes it's better to announce the wrong thing, just to distract potential attackers. By announcing IIS, they'd try their suite of Microsoft attacks, rather than Linux attacks.
Oh, and god forbid you were to do a little honeypot action on your production machines. If you were to put a daemon listening to port 23 (Telnet), to automatically block potential intruders (Connected to port 23? Set an iptables rule immediately), they'd see that port 23 was open, and pitch a fit. That's actually a good security idea, although I don't see it used much in the real world.
I would expect that reverse engineering alien technology wouldn't have been an overnight thing. Even if we had detailed design plans, it would be more than a few years to construct anything comparable. If we're reverse engineering, it would take decades from figuring out what components did, to creating the technology to fabricate something that even resembled it. It could be argued that with the introduction of the idea, its taken this long to even come close. For example, IBM just demonstrated a 1 atom thick processor that runs at 100Ghz. It's not as simple as saying "Oh, lets assemble atoms precisely to make this."
Consider if we lost all of our technology today. Say all of humanity were forced to leave the planet, and dropped on another one, with the ideas of how things worked, but nothing but basic hand tools, and maybe a few electronics. How long would it take to set up to build even a modern computer CPU? Besides the assembly, we'd need to figure out how to design it again, by only looking at an existing one. You're not even looking at just building a CPU. You'd need to create a reliable power generation system, water treatment and filtration systems, air filtration system, etc, etc. Even just building a clean room to do the work in would take an awful long time with nothing to start with.
It's possible that there are concerns that we wouldn't even be aware of in the reconstruction of alien technology. Sure, we know that dust and moisture could be detrimental to the construction process, but what if a form of cosmic radiation that were are currently unaware of must be removed from the "clean room"?
Their site says you have to abide by the rules, but the rules aren't posted.
I'd suspect that the rules include that you must post regularly to various specific sites, and/or keep a twitter account updated. It probably says you can't give intentionally misleading information. So, my regular claim of living in Manhattan is completely out.
I'm going to apply. It shouldn't be too hard to distract folks from my real locations. I do it all the time. :) If you're not employed, it's pretty easy to disappear for a month. Find a friend of a friend in a city that you don't usually spend time in, who's house you can crash at, and don't leave their spare room for a month. :) They'll be more than happy to handle your grocery shopping for a month, if you're paying them well to do it. Most of us live fairly mundane lives, it's easy to become just another part of the scenery.
As I said, unreputable sources. :)
You can find someone who will assert just about anything. It reminds me of my BBS days. As CPU speeds approached 33Mhz, there was a discussion on FidoNet (if I recall correctly), where a few people were terribly insistent that computers would never exceed 100Mhz. Not that it couldn't happen, but when it did, it would be hazardous to be around, the power consumption would be impossibly high, and it would effectively destroy VHF and FM broadcast abilities.
I remember all the folks who screamed that the 2.4Ghz spectrum would kill us all. Any wireless device would be the equivalent of putting an unshielded microwave oven in your lap.
I'm still waiting to die of it. I've been pretty well exposed for quite a few years now, and I'm still alive and kicking. :) I may have almost died a few other ways, but they've never been by any method conspiracy folks have screamed about.
Shhh.. I hear the silent black helicopters coming to take me away now. :)
If it was so spiffy, it wouldn't float around in LEO. The only manned craft that we've sent beyond LEO were to the moon. Whoohoo, advances in technology. Those aliens must have given us some pretty crippled data. If I were in the black ops division of the government, I'd be renegotiating that deal. "So you came from another galaxy, but you'll only tell us how to float just above (relatively) our rock?" Officially, we haven't had a human beyond LEO since 1972.
That is, of course, assuming that those are just the missions that get anyone's attention. :)
If you look at the advancement of human technology from the 1950's to today, you could make a very good argument that many technologies currently in use were influenced from alien technology. They may have been reverse engineered, or supplied directly.
I love making that argument with people. If you do it well enough, it'll leave their heads spinning. You have to be well prepared though. It's best to strike up a conversation in a bar with, so their suspension of belief is already well in place. It's the same suspension of belief that makes them think that the really pretty girl at the other end of the bar would be willing to go home with them, regardless of the fact that she's with someone who rates several points higher than him in many aspects (mainly the fact that he's out with her, and your mark isn't.)
If they had an understanding of the technology, and had done some research, they would recognize that the advances in technology were logical steps forward, and not some conspiracy driven idea.
Come on, if we were building aircraft on alien designs, wouldn't we have an advanced space program by now, and our flagship spacecraft wouldn't be a 40 year old design, easily compromised by styrofoam or a leaky o-ring??
Anonymous sources make the best sources for information for bullshit news stories.
I could find you a dozen anonymous sources who could confirm anything. Hell, I could find you a dozen named (but unreputable) sources who could tie mysterious cosmic rays to brain cancer too.
That's overkill. A good faraday cage grounded to earth would do nicely. Then again, I wouldn't really want to be inside during a thunderstorm. Your house suddenly becomes one of the best lightning rods in the area. It may not hit you, but it'll sure as hell keep hitting your house. :)
I was at a flea market buying something quite a few years ago. Their booth was surrounded with chain link on all four walls and the ceiling. They had bolted through the concrete, which must have made a decent earth ground. I was surprised that my cell phone wouldn't work inside. I guess the frequency was pretty low on that phone. I had to step outside the cage to make a call. Inside, I had no signal. Outside I had full signal strength.
All the noise, and we all know you won't come through. I'd view, just for the entertainment value, as long as it wasn't a pay site trap.
From what I recall doing this for sites that handled credit card processing (me being in the tested side), those tests are pretty much worthless.
If you had 1 vulnerability, you'd get pages of false positives or irrelevant information. I recall a particular 10 page report we got back that we were advised to fix or we'd fail on. The only item to fix was the version of the web server was just one behind current. The changelog indicated that it was to fix a vulnerability on a different platform, so it was completely unrelated to us. We'd frequently have points marked off because we couldn't be pinged or portscanned. I'd have to open the firewall up to them, just to be scanned. Our security would identify an attempted port scan as a hostile action, and react by dropping all traffic from them. Sorry my security stopped your scanning, but that's the intention of it. {sigh}
After opening the firewall to them, and changing the version number on the web server (there were reasons we couldn't do the trivial upgrade), we passed with flying colors.
For them, they were interested in the version numbers handed off by the server, not what they actually were. For example, if it was Apache, we could have it report Apache version 9.9.9, and that would have made us pass on that part without fail for years.
I'd bet if they were subpoena'd they wouldn't pay for the cost of the disks, nor the manhours to make them anyways.
Knowing how they can be, they'd just take the 21Tb array used to store them, and then penalize you for not keeping the logs while you're replacing the seized equipment.
If they're wildcard certs, sure. So it went to *.offshore_kiddie_porn.com. That's still something to look for.
Hiding out in the bush is boring. Well, nice to experience nature, but not the best place to hide, especially if law enforcement is after you. If you're in a county, state, or federal park, you'll likely encounter a fish & wildlife officer or park ranger. If you're on private property, you'll likely get a visit from the local Sheriff's department, when the landowner or a neighbor calls. No matter how isolated you think you are, someone will notice you, and complain.
The best place to hide anything, including yourself, is in plain sight. In a rural area, you may be the only person for miles. In Manhattan, your face is mingled with hundreds of thousands of others, who wouldn't remember seeing you walking down the street. You're no different than anyone else they see.
But, the best way to hide is to not be obvious. Book a hotel room under another name, preferably with all the required credentials. You can be out of sight, and out of mind, without being out of the area.
The 100 yards from the organizers facility isn't a bad idea, but it has to be done right. Sleeping in your car or a camper in their parking lot will raise suspicions. A nearby hotel with a view of the front door of their building is much more advantageous. It's also more entertaining to provide pictures of the staffers entering and exiting, *AFTER* the contest is done. You'll get the urge to brag, and when you send the first picture, it's a matter of elimination to figure out where it was shot from.
As always, know your environment. In the hotel, there may be a main elevator to the lobby, and that would be watched. What about stairways? I spent some time in a hotel for work. The elevators opened in the lobby, in plain sight. From the 2nd floor, you could take the stairs closest to the room to the 3rd floor. From there, you could cross the floor and take the other stairwell to an outside exit, without tripping a fire alarm. I wasn't scouting it because I was worried I was being followed. I was bored and exploring. It turned out that if I took the stairs to the 3rd floor, walked the length of the floor, and took the other stairwell down, it was quicker to get to always empty parking. That was faster than going the lobby route.
Pay attention to available spaces. Can you go in the laundry room, and lock the door from the inside? How about a janitorial closet that's usually unlocked.
At some point, you'll need food. In a high density environment, you won't be noticed.
Sometimes it's easy to leave all traces of yourself in one state, while being in another. Give someone your credit card and cell phone. Have them use the cards, and phone on a regular basis, to give the illusion that you are still there. Loan him your car for the duration. Folks believe I am in one state, and I'm actually in a distant state. My friend with the phone knows my new disposable cell phone number. I wander around, turn the phone on, check my voicemails that the friend leaves, and then return to my "home base".
Where am I today? I could be at a friends house. I could be in a hotel. I may be sleeping in my car in between locations. My IP? VPN'd to the state where I want to appear to be, on a private VPN. If I even begin to believe my location is burnt, I move on. Don't settle in one place too long. Have your bags ready to move within 5 minutes.
Traveling on cash for gas, and sleeping in the car leaves little evidence of my travels. I be anywhere in the US within a few days, and I still look like I'm home. Use your car like the burn phones. Buy one on Craigslist, slap the old plate on, and keep moving. If you're caught driving with the wrong plate, you can produce the bill of sale showing that you just bought it, and say you are going to properly register once you get back to your home state. With the title in hand, it's easy to swap ca
Most appreciated. Thank you. :)
I thought they were all on Geocities.
Oh...
Google has a lot of data, but that doesn't mean it's easy to find things in it.
I do a lot of research on news stories, so we can accurately portray the topic (oh my gosh, researching a story). My searches have included improvised explosives, home made weapons, etc, etc. More than once, I've searched for information on Semtex and PETN. A lot of times, I've uncovered interesting information, but the lead on the story wasn't valid enough to justify running the story. Sometimes, it's been a simple matter of "they easily found instructions on the Internet to make ...." Fill in what you'd like there. If it's so easy for the criminal mastermind, lets see what the search finds. I have found some really scary information out there on things that would be easily made and very dangerous, but I opt to forget about those pretty quickly.
I've probably searched enough things to place myself very happily on a few watch lists, but at least I can still fly. :) They don't park the black vans outside my house very often, but I still don't have an accurate count on the unmarked silent black helicopters flying overhead. (If you can't see them, and can't hear them, they must be there....)
Really, I'm not so much of a conspiracy nut, but it's fun to play one. I'm sitting outside as I write this, and I don't see anything flying above me. Then again, that doesn't mean they don't have a spy satellite trained on me 24/7. :) Nah, I'm not that interesting. I'm sure they just check up on my posts here to see what I'm doing. :)
I'd expect the logs would require IP's and/or hostnames.
HTTP, it's trivial to sniff hostnames.
HTTPS, it's trivial to see the destination IP.
HTTPS only works one IP per host, so that gives a positive track to where they were going.
Of course, domains change ownership, and IP's change, so what an IP is today, could be anything else tomorrow.
I'm curious to if by "ISP", they mean the residential line providers, or both ends? At my old job, they'd end up with about 2Gb of log files per day per server. There were 15 redundant servers. That was just for one site. I don't even care to think about how much storage was required for all the logs across 150 servers. No, it didn't scale evenly. The web server logs were dumped every few hours, just so it didn't fill up the drives, but left enough for forensics, if we needed them.
(15 * 2) * 365 * 2 = 21,900Gb. I would love to still be there, and have them ask for 22Tb of logs. :) I was joking with someone about how to deliver those. I suggested burnt CD's. 14,500 CD's would be fun to offer up. We then thought a little harder, and though paper tape would be the way to go. :) I know there would be better methods, but we were looking for the entertainment value in it. :) I'd feel really sorry for the guy who had to feed 14,500 CD's into a machine to burn for the feds on demand. :)
Logistically, this would become a nightmare for almost any provider, except for mom & pop shops.
I've been a member of the former, but not the later, for over a year.
No one knows where to find me. If I want to be seen, I find them.
They don't want me playing the game. They'll see me to check in, so that they know I exist, and then won't be able to find me again until the day I show up to collect my cash. Sorry, part of living free is not needing to have a bank account. It's too easy to track your motions through your own bank records.
Too bad their site is down. I'd already have signed up. Maybe I'll have to just show up to their office some night, and leave a note saying "I'm in."
I think his question went beyond the question of how secure the session is, even though he did say it.
Which is more secure, to leave a shell opened indefinitely, or to close it?
Unless he's not a normal person, at some point every day, he'll use the restroom. During the work day, he may even go get some food or drinks.
He admitted to using a Windows machine. I won't even comment on how many viruses and trojans are running around, which may compromise his desktop. All it takes is one virus that gives remote access to his desktop that would give someone a clear shot to his servers.
As anyone who's worked in an office long enough would know, once in a great while, you'll get dragged away from your desk, and not lock the console. Maybe someone shoulder surfed your password. Maybe you used the same password for your email account, and it was sniffed in the clear (tisk, tisk, should have used an encrypted method).
Of course, his information may really be worth something. Maybe that root shell will be worth a fortune. What exactly is a dump of the full Bank Of America database worth on the black market? How many fake credit cards can you print up before they reissue every single BoA credit card in circulation? In that case, it would be worth it to visit his home with force. One bump key to the back door, and one silenced shot to the back of the head, and you'd have hours (or days) before you were discovered. As always, there is no security without physical security, and that isn't only the server side of things.
I'm sure someone can name the XKCD issue which points this out the brute force flaw in any security system. A $5 wrench will break any security, if applied properly.
I'll assume his information isn't all that interesting, since he can access remotely without some serious levels of security. I'd believe we're talking about a few low traffic web servers, and a newbie admin impressing himself that he can keep his connection up for days.
They running Windows on their desktops, the NSA already had access.
I'm not sure where you were going there. I don't like sour cream. A lot of people don't. Sometimes I like a few good chips though. It really depends on it. If it's vinegar and chili powder, well, I'd have to side with the baked potato.
Maybe you were just going with the good ol', "to each his own."
You do see the inherent problem in that, right? 2020 > 2012. Little did they say about the "end of the world" was that computers were to be outlawed in 2012, and no more production of any sort would continue. The quantum brain prototype will be shelved, right along with Duke Nukem Forever Part II.
Nah, that could never happen. Us humans are the most powerful force in the universe. No asteroid passing through a supernova, and then flying through intergalactic space, and finally crashing on the Earth, could possibly go through more stress than say a water filled carbon based container at a Metallica concert.