Surely you misunderstood what I wrote? I'm simply saying that if an item costs more than your perceived value derived from that item, you might opt to not purchase that item.
Now substitute item for labor costs, and you for a company. In the model proposed by Sanders, the cost of hiring or allowing certain part time workers to remain on staff may push the total cost to employ that person past the value generated. If that happens, the company may simply opt to not hire that person.
This is not speculation, this is simply rational.
This legislation will in many cases make the total cost of an employee more than the value the employee brings to the company. Whenever this situation occurs, jobs are eliminated. You might be able to legally force a company to increase wages for hired workers, but you can't force a company to keep someone on staff that costs more than the value they bring to the company.
Likely next steps: elimination of many part time jobs, increased "gig economy" workers, and expedited investments in automation. Net outcome: more dependence on government assistance.
https://www.thepiratebay.org/search/defcad/0/99/0
https://github.com/maduce/fosscad-repo/archive/master.zip
OpenBSD is still DAC. Not really directly comparable to SE Linux (MAC).
Read this for an idea of an OS designed with security in mind.
http://www.commoncriteriaportal.org/files/epfiles/solaris10ext-sec-e.pdf
It wasn't our intention to fear monger. In fact if you listen to the whole podcast we actually comment on the "Chicken Little" phenomenon in security research.
For those wanting to stay abreast of these issues as more information is shared publicly, keep an eye on my blog.
I'm trying to keep a link to most news articles there. I've also been able to answer a few questions in the comments through that medium.
--Robert
Or perhaps he got it from that nice young 16 year old he's been chatting with from the office.
Lucky for me (as I said in my original post), I came here with a secure job in hand. After the Swedish firm purchased mine, I was relocated in order to manage the new team. My position is at the same level as the CEO, and for a company of 50+, that comes with a measurable amount of city-wide respect.
I don't speak Swedish, which has made some of life here... well, entertaining :). For example, today I closed on a house. Dealing with the bank and the real estate broker, etc. would have been damn near impossible without my CEO coming to the meetings and helping with the negotiations and translating.
Also in my advantage are the 3 other Americans that came with me during the purchase. I'm also relocating a close friend and a girlfriend. Without them, I would certainly understand feeling alienated.
As for the weather, I'm in Karlskrona, which is in the southeast part of the country. We are more temperate than the north :). Our weather is not that different than Colorado/Utah, which are places I lived before being a beach bum in Orange County :). I was here for visits in the winter last year and found the snow to be enjoyable :).
I am planning on learning Swedish, but my company has English as the main language. The younger generation all speak English quite well. It's the older generation that struggles with it. Somewhere around 40+ years old seems to be the cut-off point.
What part of Sweden is your cousin in?
I owned and operated a small company out of Orange County, California for a number of years before recently having my company purchased by a Swedish firm in the same field. I've been here for about 6 months now and am VERY happy for the change of pace. The taxes are higher here, but they actually do a lot to help the people. There are fewer extremely rich folk, but there are also fewer poor people. There is a happy medium where everyone seems to have enough to be happy.
Sweden so far seems like one of the best places I could have ended up after leaving America. We'll see if I still feel that way after 5+ years :)
What's more, when you treat your legitimate consumers (paid) as criminals (DRM), it encourages finding less cumbersome (pirated non-drm) versions of the content.
Back when I still had time to play video games, I would often find myself using a pirated version of a game I purchased just so I didn't have to keep looking up random words from a page/paragraph question when I first started the game.
The pirated version should never be more convenient to use than the paid-for version. DRM doesn't stop piracy, it encourages it.
Robert
Jack from Dyad Security just posted this link: http://www.rapturesecurity.org/jack/exploiting_sendmail.html
Quoted:
written in a rush, pardon the mess
not that I've gotten that far but here is my (confirmed by mark, thanks) attack....
step 1)
connect to sendmail server say something like
helo me\r\n
mail from: myemail@hotmail.com
rcpt to: root
data
step 2)
wait for server to say go ahead
send about 32767 characters inside a header
note what time it is
step 3)
wait until you get:
451 4.4.1 timeout waiting for input during message collect
step 4)
note what time it was when that message happened
step 5)
you'll be dropped back into smtp command mode, now there is a static pointer inside sm_syslog that's your attack vector, you'll need to recreate the collect timeout and race into sm_syslog
resend the helo crap
step 6)
wait for server to say go ahead
send about 32767 characters inside a header
and wait the time delta from the earlier 2 measurements
step 7)
send more header data (so that it's now greater than 32768 bytes)
hopefully sendmail will now race and crash inside sm_syslog because:
a) we just sent sendmail into sm_syslog due to the fact that we sent > the max amount of header data
b) we have a timeout (SIGALARM, longjmp thingy) that should be pending about the same exact time that we entered sm_syslog
Also posted is a PoC to test if you are vulnerable. This needs a lot more work, and is not an exploit, but is a start:
http://rapturesecurity.org/jack/sendmail_tester_thingy.tar.gz ;]
An attacker needs interactive access to the port sendmail is listening on. I'm not sure what your definition of "multi-user system" is trying to imply. If you were running a desktop distro that had sendmail available to the network, an attacker could exploit it.
Robert E. Lee
Dyad Security
> Also, saying it doesn't affect Windows is unclear. Does it not affect Windows when you use some official .exe? When you compile it yourself? When compiled/run via Cygwin? If you run under Wine, do you see the bug or not? Are all versions of Windows safe, or would the bug be exposed under certain versions?
The function that is being exploited is doing syslog functions (sm_syslog). Not sure what the differences are with the Windows version (haven't looked at it yet).
We have independently researched and verified that this bug is legit. More details to follow later tonight/tomorrow on the usual lists (Daily Dave, full-disclosure, etc.).
> Sure, it has some in that they provide a bugfixed release, but we don't know how long the bug has existed and therefore have absolutely bugger all way of quantifying what the risk is that a server has already been compromised. It only prevents uncompromised servers from being attacked by this method in future.
They saw this bug coming. We've known about this class of attack on sendmail since before 2001 (see http://seclists.org/lists/bugtraq/2001/May/0271.html as an example). Unfortunately, we're not convinced that the workaround/patch in 8.13.6 is good enough. It only closes this one particular attack vector.
> Just because the press release is dated XYZ does not mean that every Black Hat under the sun hasn't got a CD-ROM filled with exploits for it and a list of backdoors on cracked sites from three years back. XYZ is merely the date the rest of us know about it.
The main reason I support full and immediate disclosure is A) It provides the information to organizations that they need to test if they are affected by the reported bug. But more importantly B) it forces one to realize that we need better security controls. Technologies like SE Linux, Trusted Solaris, etc. are definitely steps in the right direction. The "find a bug" and "patch a bug" game is fruitless without part B kicking into effect.
> You don't maintain a secure system by assuming all crackers only know the exploits you've fixed. You maintain a secure system by assuming at least one cracker has the means to discover the exploits you've neither heard of nor have patches for - ie: by assuming you're running buggy software and taking the necessary steps to limit what those bugs can do.
Agreed. A properly configured SE Linux installation would not have been exploitable for this particular bug.
Robert E. Lee
Dyad Security
We've been playing with this bug for a few hours now. We can independently confirm it is exploitable. We will be releasing details about it to the Daily Dave list later tonight.
This is a funny one to exploit though. It'll take up to two hours to pull off on a stock install. Whoever releases the PoC exploit should include a game of Tetris in the exploit for the poor pen-tester to play while waiting =)
Cheers,
Robert E. Lee
Dyad Security
Open Source would allow people who run Linux on non-x86 hardware to have a shot at running the Adobe reader. I miss acroread. Xpdf is good, but it's not as functional as the Adobe reader.
Which courses did you take? When? Who taught them?
I'm not sure what program you saw, but I think you're mistaking another website for ISECOM's HHS program.
If you go to http://www.hackerhighschool.org/lessons.shtml and http://www.osstmm.org you're going to see no signs of a free iPod :).
In the next release, we're going to try to incorporate even more traditional security fundamentals. Essential core pieces of the Orange Book (http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.pdf), the Red Book (http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-005.pdf), and Common Criteria (http://www.commoncriteriaportal.org/) will be injected.
I think you need to double check which links you visited in the past. Your comments don't seem to reflect anything related to ISECOM.
Also, I know a thing or two about the program... I've helped contribute and I've trained other teachers how to teach it :).
I'm part of the ISECOM family, so I'll take a stab at addressing this concern:
The concept of the class is to teach kids about the ethics and legalities of life online. Unfortunately, calling the class "Internet Ethics and Legalities" is going to draw far fewer kids in than "Hacker Highschool".
However, if you look into ISECOM's other programs, such as the OSSTMM Professional Security Analyst (http://www.opsa.org) or the OSSTMM Professional Security Tester (http://www.opst.org), you'll notice a downplay of the whole "hacker" mystique. The OPST/OPSA classes are for the professional adults that are tired of the "come learn how to be a hacker (ie, learn nmap/nessus)" classes.
And when he had opened the fifth seal, i saw under the altar the souls of them that were slain for the effects. The acorn is the external coating of fat chicks kicking it og style.
vi your PDF file some time. I think you'll find that you can modify the text. Granted it is painful, but definitely possible.
Did not say patches were harder to find. My definition of an uninformed person is one who is not paying attention to announcements, whether they be advisory announcements or patch announcements.
These are the people who are affected by the worms which exploit problems that already have vendor patches.
The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.
When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.
Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means taking the resource offline until a patch is made available.
An uninformed person will not only miss the advisory, but will likely miss the patch as well.
Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, i.e. someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.
I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the "find a problem, alert the vendor, and sit there" policy that companies are forced to endure.
It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn... what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
that I have with our customers.
Many of them see port scans and other "intrusion" attempts in their IDS logs and want to do something about it. We generally explain that when you give a machine a public IP address on a public network it implies that you want the public to be able to have access to it. If you wanted to disallow access to the resource, you would not make it available.
Though it is not a good technical defense for keeping people out, having a login and password and a banner message saying that "unauthorized use is prohibited" is a reasonable legal defense to show you didn't want public access to the machine.
The bottom line here is that any resource you make publicly available should have the assumed implication that you meant to make the resource publicly available.
I will never understand the "let's bury our heads in the sand" defense to security problems.
It is either arrogance or naivety to want to suppress the vulnerability information from flowing...
Arrogance to think that only "good" people can find it... or naivety to believe that no one else has already found it.