Sorry, I meant to say MODERN civic scientist. I was by NO MEANS suggesting that Dr. Sagan was more exemplary as a "civic scientist" vis-à-vis Ben Franklin... not by any stretch of the imagination...
-jcw
I think that the late Carl Sagan should be a more exemplary choice of a "Civic Scientist". For those among the slashdot readership who are not wholly familiar with Dr. Sagan's TV series (Cosmos): it's worth buying on DVD cold.
He's written a great many books for the layperson. The last of which, Billions and Billions, approaches subjects such as religion, politics, environmental concerns, family planning, etc. He was a member of NORML, frequently spoke out against nuclear weapons production, and was a diehard liberal to his last day.
-jcw
Those of us who follow Islam (and probably some other religions) sometimes consider practices such as Yoga, firmly based on Hinduism, Shirk (Polytheism). I think that it would be much more sensitive to offer something like Tai-Chi, a practice which is much more based in Philosophical rather than religious teachings.
General meditation is great, but I wonder if any employers will offer up dhikr sessions for those of us who prefer to seek closeness to Allah (SWT) rather than focusing on chakras.
It is worth applauding, though, that employers seek to address spiritual matters.
Sure, I have some bias against big corporate "Information Security" shops. Especially ones where former hackers kick back in their leather chairs in Brooks Brothers suits, fly with AMEX corporate, and bill more bar tabs to clients than the sparse meals that I (no longer in infosec) am used to now. This aside, here are some facts about the biz that may be of some relevance.
1) The customer has the money. Because of this, companies like ISS want to maintain a good relationship with their customers. If this means duping some CIOs into thinking that their "engineers" shit marble... then so be it. I know some people at ISS and I feel terrible about being so g/d damn angry at them (ISS, not my associates)... unfortunately, however, this is the way that it is.
2) The customer runs MS operating systems. This is a whole different rant. The customer had some security with just the win9x being vulnerable.. now bo2k runs on NT and that is bad.
3) The customer likes being able to sleep at night... Exactly, so what do we do to keep that happening and keep them as a customer??? We hype up some findings about some new threat and toss in some buzz words (fuzz words ;) ) and know that 90% of the CIOs don't talk to their hardcore engineers.
I am still FUMING about the "we don't hire hackers" comment that Mr. Klaus said in an interview with someone (infoweek? I forget). I won't even talk about EY's "Extreme Hacking"... the hacking that is extreme "But has no nose rings".... well not since I left them, anyway....
Bitter, Tired, and wanting OUT of the industry forever..
-johnny waters... freak, hacker, and future bondage store owner :)
Re:Facts from the con (on BO2K cracked, Score: 1)
OK, I am with you here... except xor is not encryption at all. Nothing more technical than a pad of paper and a pencil is needed to cryptanalyze a message xor'd with a key...
In #2 are you referring to ISS or IIS? Assuming you meant ISS, the company, whose X-Force (X-Farce? :) ) research team published these findings on bo2k.
I am, and continue to be, unimpressed by this starched-collar attempt at information security. The big five and outfits like ISS have to understand that there are people that know better.
AND ANYWAY... I think that the detection of BO referred to is detection of client/server communication. NT's ability to find bo2k is of no vested interest in me, as I can not stand nor do I ever work with NT.
Oh, Hi Kewp :P been a while. I think that ISS needs to get its head out of the sand and realize who they are pissing off.... and I am not talking about the cdc
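The "pad of paper and a pencil" claim above, as an added example that is not part of the thread: a message XOR'd with a short repeating key is recovered from the ciphertext alone, because every byte at the same position modulo the key length was XOR'd with the same key byte. The plaintext, the key and the scoring heuristic are constructed for this demonstration.

```python
"""Added example, not from the thread: why repeating-key XOR is not encryption.
Each key byte is a separate single-byte XOR problem that English letter
statistics solve from the ciphertext alone; no key knowledge is needed."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed (the weak scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


COMMON = set(b" etaoinshrdlu")  # space plus the most frequent English letters


def score_english(buf: bytes) -> int:
    """Crude plausibility score: reward English-looking bytes, punish junk."""
    score = 0
    for b in buf:
        if b in COMMON:
            score += 2
        elif 0x61 <= b <= 0x7A:  # other lowercase letters
            score += 1
        elif b < 0x20 or b > 0x7E:  # control or high bytes: not text
            score -= 10
    return score


def recover_key(ct: bytes, key_len: int) -> bytes:
    """Solve each key byte independently by trying all 256 values on its column."""
    key = bytearray()
    for pos in range(key_len):
        column = ct[pos::key_len]  # bytes that share this key byte
        key.append(max(range(256), key=lambda k: score_english(bytes(b ^ k for b in column))))
    return bytes(key)


def guess_key_len(ct: bytes, max_len: int = 8) -> int:
    """Pick the key length whose recovered key yields the most English-looking text."""
    return max(range(1, max_len + 1),
               key=lambda n: score_english(xor_bytes(ct, recover_key(ct, n))))


def break_repeating_xor(ct: bytes) -> tuple:
    """Return (recovered key, recovered plaintext) from the ciphertext alone."""
    key = recover_key(ct, guess_key_len(ct))
    return key, xor_bytes(ct, key)


# Constructed sample: a lowercase English message and a 5-byte key chosen for this demo.
PLAINTEXT = (b"the detection system simply looks at the properties of the network "
             b"connection and alerts whoever runs the sensor when the traffic is "
             b"present on the wire so the question is whether the key matters at "
             b"all when the stream itself is visible to anyone with a packet capture")
KEY = b"k3y!s"
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(break_repeating_xor(CIPHERTEXT))
```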
Re:this may be an accomplishment! (on BO2K cracked, Score: 1)
Any decent programmer need not read comments. Come to think of it, any decent programmer needs no source code at all. Anyone who has read bugtraq has seen Dr. Mudge's uncanny ability to second-guess developers' programming decisions and reconstruct one or two likely code fragments that would result in the particular vulnerability in question. Dr. Mudge, BTW, is a cdc member and decidedly NOT a teenager with "nothing better to do"
Getting back on topic. A Coward here seems to be missing the point. The point is not how well BO is written, what the source is doing, and whether or not some "expert" can read a code listing. The issue that ISS is pressing is that BO2k can be detected with their flagship IDS product. In "reverse engineering" bo2k, ISS can now see its traffic on a network and alert the ISO, staff, or whoever runs their software that it is present. Keep in mind that ISS is in the business of selling software and keeping customers. These press releases are more marketing hype than hard technical accomplishments. Otherwise ISS would be patting the hacker community on the back rather than denying its roots and berating the people that gave them their technology, initial support, and reason for existence.
I apologize for bringing mudge up (sorry >:)).... He is a true prodigy. He is another Erdos, only this time human :). When asked to describe what the quintessential programmer is.... I can only think of him
thank you for your time -jcw
In response to A. Coward's comment on crypto (on BO2K cracked, Score: 1)
Not quite, any nontrivial cryptosystem should be able to hold up when its underlying logic is examined. If that were not the case, we would all be walking around with hardware crypto-devices that explode when we tamper with them... and we don't do that... right? :)
I think that we are getting off-topic a bit.. ISS claimed to have figured out BO2K's crypto. I personally think that this is true. But it is irrelevant. What is important is whether or not they are capable of monitoring the connection between the client and the server for any and all keys known or unknown. I do not think this is true. As for their analysis of the network traffic between the client and the server. That is trivial. Anyone with five spare minutes and tcpdump can do that. What is important is to recognize that this is all for nought. When was the last time that anyone took a look at how commercial IDS work? When was the last time that someone put together some programs that try to confuse IDS sensors by fragmenting packets, munging flags, tossing around impossible RSTs, and sending packets slightly out of order (but with good seqs)? I personally question ISS's (and all IDS vendors') ability to stand up to this test..
-jcw
What ISS did was pretty trivial. The "detection" system simply looks at the properties of the network connection. When testing IDS systems at a client site, I found that certain systems, which I can not elaborate on, could not "see" connections if certain operations were carried out on the packets that make up the connection prior to their transmission. This effectively serves as verification of Timothy Newsham and Thom Ptacek's excellent paper on problems with IDS software. Here is the URL, thus absolving me from being accused of inventing this idea myself :) http://www.nai.com/media/ps/nai_labs/ids.ps
Enjoy -johnny waters, former Information Security Professional (Being a Dilettante is not so bad)
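The detection point made in the two posts above (that a sensor which only looks at individual packets misses a pattern split across out-of-order segments, the ambiguity Ptacek and Newsham describe), as an added example that is not part of the thread: a naive per-packet matcher beside one that reassembles the TCP stream first. The signature string, the segment model and the sample capture are constructed for this demonstration.

```python
"""Added example, not from the thread: why an IDS must reassemble the TCP stream.
A per-segment matcher misses a pattern split across segments or delivered out
of order; reordering by sequence number first shows what the receiving host sees."""
from dataclasses import dataclass

SIGNATURE = b"BO2K-HELLO"  # constructed pattern standing in for a real signature


@dataclass
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


def naive_match(segments: list) -> bool:
    """Per-packet inspection: the pattern must lie wholly inside one segment."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: list, isn: int = 0) -> bytes:
    """Order segments by sequence number and stitch contiguous payload bytes.
    Overlaps keep the bytes already in the stream; real hosts differ here (the
    Ptacek/Newsham ambiguity), so a production sensor models the target's policy."""
    stream = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.payload)
        if end <= expected:
            continue  # retransmission of bytes already in the stream
        if s.seq > expected:
            break  # gap: the in-order stream cannot continue past it
        stream += s.payload[expected - s.seq:]  # skip any overlapping prefix
        expected = end
    return bytes(stream)


def stream_match(segments: list, isn: int = 0) -> bool:
    """Inspection after reassembly: the pattern may span several segments."""
    return SIGNATURE in reassemble(segments, isn)


# Constructed capture: the pattern is split across two segments that arrive out of order.
SPLIT_OUT_OF_ORDER = [
    Segment(seq=5, payload=b"HELLO version 1"),
    Segment(seq=0, payload=b"BO2K-"),
]

if __name__ == "__main__":
    print(naive_match(SPLIT_OUT_OF_ORDER), stream_match(SPLIT_OUT_OF_ORDER))
```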