Don't have any mod points today, but I agree! :)
Poindexter is just one of many I am aware of... I encourage any of you reading either of these posts to go research more. Spread the word.
The people that reported the story did. Hell, the events in question were attended mostly by people that read 2600-type zines, /., and memstreams.net.
I think that no matter how obvious the relationship is between Interz0ne, PhreakNIC, and se2600 sometimes people will still comment as if they were the first to figure something out. With that said, I am GLAD to see so many people interested in either the cause, the cons, or both. I am not trying to rant, but rather agree and share a bit more information.
Come out to PhreakNIC (the next se2600 con), or Interz0ne III next year... hopefully thinking about them won't be illegal (ref: Patriot Act II).
Iridium
Could you, in 24 hours or less, work out whether you (as conference chair) should go ahead with that seminar given that you probably don't know what the participants in question were doing?
What makes you think they did not know EXACTLY what they were going to do? What makes you think the almost 100 times Blackboard hit our website did not warn us? What makes you think that we were not prepared as hell?
With that said, I think it was still a shock, but we come prepared every year. We had well over 10 separate internet connections. If $#1t hit the fan we would have been streaming it live. If some other event "prevented" us from posting the data we would have gotten around that also. As it was, somewhere around 5 minutes after the rant/talk at the con started, we had relevant information sitting on about 5 continents, on at least 15 webservers I knew of. Not counting the untold numbers of relays the information received.
Looks like a cheap but effective maneuver to me.
It was very cheap on the lawyers' part. I think they doubted our resolve, our commitment, and our loyalty to our ideals. We had at least a few traitors in our midst, but the funny thing is they did us NO irreparable harm (*watches feds come in and raid me now*) thus far.
I think it was a bluff, but it may or may not remain that way. Keep in touch and stay updated.
support our troops!
We've done that. See my other posts.
-iridium
http://www.yak.net/acidus was removed. Look elsewhere or Google it.
We are standing up and fighting it. In the past 48 hours, the local CBS station (who would be doing more, but needs more validated information which they don't yet have), Salon.com and a few other _news_ organizations have been very interested.
Subscribe to root@se2600.org (root-subscribe@se2600.org) if you want to chat with the locals about this... or have tips. The con organizers for likely reasons can't comment on enough information, but other people have... more information.
-Iridium (on that list)
fucking years!
Sorry, this story really got me mad, and since 600+ other comments have already been made, I will just reiterate the collaborative thought.
A few non-European services were affected as well - namely ALL security updates for Debian (the primary mirror anyhow) were offline for a while.
Brings up a good point about disaster recovery: How many organizations have machines at various places that they can't recover from a total loss?
Definitely!
There is ALWAYS accountability, but on different grounds than the license, as some have joked about already...
Mostly, I think it simply involves the Computer Fraud and Abuse Act (?year?) and the DMCA for overriding basic security measures.
[scarythought]What if people started to intentionally put trojans in their code? *THE AUTHOR* writing something that no one in their right mind would put on their computer... The M$ platform has already proved this feasible, and the "masses" will do it (a few "free" ISPs, Kazaa, and others use various adware and CPU-stealing apps).[/scarythought]
I think it a good idea to start an archive of cryptographically signed MD5 hashes for programs. This would take much less bandwidth than storing ALL software in a single location, but still allow people to sign a package if they knew it to be the REAL deal.
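The signed hash archive the post proposes, as an added example that is not part of the original comment. Two stand-ins are assumed: SHA-256 replaces MD5, because MD5 collisions are practical today and a hash archive built on it would let two different packages share one "verified" entry; and an HMAC under a key held by the archive operator plays the role of the detached public-key signature (a GnuPG signature in practice) over the manifest. Package names and contents are constructed in memory. The point the code makes is the order of checks: nothing in the manifest is trusted until the signature over it verifies, because an attacker who can replace a package on a mirror can usually replace an unsigned hash list next to it too.

```python
"""Signed hash manifest for a package archive (added example, not from the post).

Assumptions: HMAC-SHA256 under SIGNING_KEY stands in for the detached
public-key signature a real archive would publish; SHA-256 is used instead
of MD5. PACKAGES is constructed sample data, not real software.
"""
import hashlib
import hmac

# Constructed sample packages: file name -> bytes (stand-ins for tarballs).
PACKAGES = {
    "foo-1.0.tar.gz": b"foo source tree 1.0",
    "bar-2.3.tar.gz": b"bar source tree 2.3",
}

# Held only by whoever signs the archive (stand-in for a private key).
SIGNING_KEY = b"archive-signing-key-2003"


def build_manifest(packages):
    """One 'sha256 <hex>  <name>' line per package, sorted for a stable signature."""
    lines = []
    for name in sorted(packages):
        digest = hashlib.sha256(packages[name]).hexdigest()
        lines.append(f"sha256 {digest}  {name}")
    return "\n".join(lines) + "\n"


def sign_manifest(manifest, key=SIGNING_KEY):
    """Detached signature over the manifest text (HMAC stand-in, see above)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_signature(manifest, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def parse_manifest(manifest):
    entries = {}
    for line in manifest.splitlines():
        if line.strip():
            algo, digest, name = line.split(maxsplit=2)
            entries[name] = (algo, digest)
    return entries


def verify_packages(manifest, signature, packages, key=SIGNING_KEY):
    """Return {name: status}. No hash is trusted unless the signature verifies."""
    if not verify_signature(manifest, signature, key):
        return {name: "untrusted-manifest" for name in packages}
    entries = parse_manifest(manifest)
    result = {}
    for name, data in packages.items():
        if name not in entries:
            result[name] = "unlisted"
            continue
        algo, digest = entries[name]
        if algo != "sha256":
            result[name] = "unsupported-algorithm"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return result


if __name__ == "__main__":
    manifest = build_manifest(PACKAGES)
    sig = sign_manifest(manifest)
    print(verify_packages(manifest, sig, PACKAGES))
    # A package swapped on a mirror fails its hash check.
    tampered = {**PACKAGES, "foo-1.0.tar.gz": b"foo source tree 1.0 + backdoor"}
    print(verify_packages(manifest, sig, tampered))
    # Rewriting the manifest to match the swapped package does not help
    # without the signing key: the whole manifest is rejected.
    print(verify_packages(build_manifest(tampered), sig, tampered))
```

The manifest is a few hundred bytes per package, which is the bandwidth argument the post makes; the archive never has to host the software itself, only the signed list of what the real thing hashes to.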
What you're saying is perfectly valid, but what if I use common sounding variable names to make it appear as if I was doing something I wasn't? Even with MOST good programmers, they aren't ever trained to debug code in this manner (I know a few CS exams do, for sure, but I have NEVER seen a huge project train people for this).
How about this: Let's start a few grassroots projects (doesn't matter how many) and work on educating people to read obfuscated code. Identify when strtok, fopen, etc. is and is not doing harmful things to data - when it may indeed be doing something nefarious.
I started a site myself here to help myself start explaining simple stuff.. and eventually will work up to writing drop-in replacement libraries for other programs, or perhaps ways to trojan executables in memory you might have control over (ptrace?).
Let's all learn a bit, and share the knowledge.
[plug]Damn my sig makes strange sense now[/plug]
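The review exercise the two comments above describe (misleading variable names, and deciding whether a given fopen or strtok call is benign), as an added example that is not part of the original posts. It is a deliberately naive call-site audit for C-like source: blank out comments and string literals so that neither a reassuring comment nor a scary string can influence the result, then list every call to a watched function together with the enclosing function. The watch list is my own choice, the sample C file is constructed for the example, and the regex approach is an assumption about what is good enough here; it misses calls through macros, function pointers and multi-line argument lists, which a real audit would catch with a proper parser.

```python
"""Call-site audit for C-like source (added example, not from the posts).

Strips comments and string literals (keeping line numbers intact), then
reports each call to a function on WATCHED with its enclosing function.
SAMPLE_SOURCE is constructed: a "log rotation" file whose friendly names
and comments do not change what it actually calls.
"""
import re

# Functions whose every call site deserves a look during review (my choice).
WATCHED = {
    "system", "popen", "execl", "execlp", "execv", "execve", "execvp",
    "fopen", "unlink", "chmod", "chown", "socket", "connect", "ptrace",
    "dlopen", "mmap", "strcpy", "strcat", "sprintf", "gets",
}

SAMPLE_SOURCE = r"""/* log rotation helper -- reviewed, safe */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int rotate(const char *path)
{
    char backup[256];
    sprintf(backup, "%s.1", path);      /* "just building a file name" */
    FILE *f = fopen(backup, "w");
    if (f) fclose(f);
    return 0;
}

int cleanup_logs(const char *logdir)
{
    char cmd[512];
    const char *archive = "tar czf /tmp/.cache.tgz ";
    strcpy(cmd, archive);
    strcat(cmd, logdir);                /* attacker-controlled path */
    printf("system(\"rm -rf /\") is only in this string\n");
    return system(cmd);                 /* the call the name hides */
}
"""

# Block comments, line comments, string literals, char literals.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
# Top-level definition: "<type words> name(args)" with an optional trailing "{".
_FUNC_DEF = re.compile(r'^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;]*\)\s*\{?\s*$')


def strip_noise(src):
    """Blank comments and literals but preserve newlines so line numbers hold."""
    def blank(m):
        text = m.group(0)
        if text.startswith(("/*", "//")):
            return "\n" * text.count("\n")
        return '""' if text.startswith('"') else "''"
    return _NOISE.sub(blank, src)


def find_calls(src, watched=WATCHED):
    """Return [(line, enclosing_function, callee)] for every watched call."""
    hits = []
    current = "<file scope>"
    for lineno, line in enumerate(strip_noise(src).splitlines(), 1):
        m = _FUNC_DEF.match(line)
        if m:
            current = m.group(1)
            continue
        for call in _CALL.finditer(line):
            if call.group(1) in watched:
                hits.append((lineno, current, call.group(1)))
    return hits


def by_function(hits):
    """Group callees per enclosing function: {'cleanup_logs': ['strcat', ...]}."""
    grouped = {}
    for _, func, callee in hits:
        grouped.setdefault(func, []).append(callee)
    return grouped


if __name__ == "__main__":
    for lineno, func, callee in find_calls(SAMPLE_SOURCE):
        print(f"line {lineno:3}: {func}() calls {callee}()")
```

Run on the sample, the output shows sprintf and fopen inside rotate(), and strcpy, strcat and system inside cleanup_logs(); the "rm -rf /" inside the printf string is not reported, and the "reviewed, safe" comment has no effect. That is the habit the posts are asking reviewers to build: decide from the calls and their arguments, not from the names around them.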
you might give away their secret - listening to wireless keyboards...
Seriously... if you use your PC for any type of business activity (or anything you want to hide - *grin*) I would NEVER consider using wireless. There are plenty of cord management systems, not to mention the higher cost of wireless.
This won't work any better than the anti-CD copying methods the RIAA has tried, nor keep people from copying the games any more than putting a piece of tape on a cookie jar will keep a hungry teenager from getting in.
With any encryption, any digital encoding method... if there is a way to play the game, there is a way to break the code. The question is who will be first? Wait and see.
--
Other installations like Seul have problems, however... certain things like integrated dependencies and smooth upgrading (online imho!) from one release version to another set Debian ahead of all other software packages.
RPM at current doesn't even come close... you ever tried to install over 5-10 packages? RPM doesn't upgrade easily at all... Redhat has made some nice tools, but it is slower than a 12th grader waking up for school....
And to mention the whole ./configure thing... Autoconf/Automake/GNU make can kiss my @$$ even though when the original packages are built for Debian these are essential, but for the common user (and respectively for admins with not much time on their hands) custom compiling is hardly ever an option!
j00 s3rve the dev1l!
all the pr0n we serve
....and patent it.
One of the problems I have is with these "so called" claims by companies like 'Clownburger' - what if they choose to fight a tiny company out of business?
Claims of legal recourse allow more for Lawyers fees than they do valid equal recourse (for both the weak as well as the strong).
I know that guy is annoying but gator reminds me of that a-hole's graphic :-)
resent, not resemble perhaps?
NO right? What are you, a micro weenie from the dark ages? Linux runs great for just about any type of system, given the right tools (albeit sometimes you must buy minimal tools to make it functional in very few situations)... I hate people that spew off about how "Linux has no..." bleh!
Linux runs great here at our office and on 200+ servers pushing several hundred megabits of continuous data. Tell me it's not efficient, secure, cheap, and stable -- and I'll prove you wrong.
You have a Perl script emailing them "your" condolences? Interesting approach... at least it shows ingenuity that most HR companies (read: not HR departments, the headhunter agencies) do not even understand.
-
No... what I meant is that I severely dislike job search companies (they never know what answers to expect for their canned questions) for highly technical positions... I think the person fielding for the position should have at least worked for the company and especially prob. for that job at one time... it's not hard to rotate interviewing between mgmt....
I realize, as a programmer for a large webhosting company, that finding good candidates for each job can be daunting. As a member of the 2600 community, I also realize there's a lot of BS floating around relating to job skill, etc.
Basically... give them a test... think up anything your company might face, that wouldn't give away too much of your security procedures. Make them implement something to stop/fix/help/whatever you've put in front of them. Don't rush them... a few hours if they need it might be a better judgement of what kind of attention to detail, accuracy, etc.
Anything you can do to relax the work atmosphere always helps.. not interviewing the candidate(s) with 2 guys in suits may help them relax and feel more at home.
DO NOT HIRE FSCKING JOB HUNTERS (i will not repeat this one)
Good luck!
ok... sometimes details get lost.. :-)
interesting to know...
What are you talking about, trafficking devices? He proved that Adobe's encryption was unreliable. He did NOT allow all eBooks to be breached - he simply provided proof that anyone wishing to entrust Adobe's software with sensitive material would do so at their own peril.