Slashdot Mirror


User: accessdeniednsp

accessdeniednsp's activity in the archive.

Stories: 0
Comments: 217

Comments · 217

  1. Re:What, exactly, is the FBI doing about this? on New IE Malware Captures Passwords Ahead Of SSL · · Score: 1

    Um, fix the problem not the symptoms.

    Have you people learned NOTHING from history?!?!

    Sheesh...Take Bill Gates and Steve Ballmer out back, execute them distastefully, give all the Microsoft employees time to evacuate, then bomb the freaking campus. And make it known that anyone who writes stupid code like this again, will get the same treatment.

    Ok ok ok that was fantasy-land, I know. Lighten up..

    But really, fix the problem here, not the symptom. Seriously, Microsoft as a whole breeds insecurity and stupidity. Start with 1 Microsoft Way campus. Either sanction them via DoJ, or have the SEC do something. Whatever it is, Microsoft has to go away.

  2. Re:And the wave of IE abandonment begins... on New IE Malware Captures Passwords Ahead Of SSL · · Score: 1

    Beginning? You MUST be new to 'computers and stuff'... Wow... IE was insecure from DAY 0, yo.

  3. Re:If this won't get people to switch, what will? on New IE Malware Captures Passwords Ahead Of SSL · · Score: 1

    Why? Let them all die. Fuck 'em. If they can't spend the time to learn how to use the machine PROPERLY, then they deserve to get fucked up. Same deal with your car. If you use it improperly, you (or it) will get fucked up.

    This isn't very hard to understand. Normal people should never have computers. They can't handle it. There's a reason the upper echelon of scientists and geeks made computers to begin with. You honestly think Average Joe would have? HAH! Avg Joe would rather buy stupid lighted-free-spinning rims on his car. Rather than do something useful and productive.

    Tell them once so they can be aware of it. If they still choose to ignore you, then fuck 'em. (IOW, give them 1 chance, you never know. Someone might be useful after all. Beyond that, let Darwinism take it from there.)

  4. Re:If this won't get people to switch, what will? on New IE Malware Captures Passwords Ahead Of SSL · · Score: 1

    EXACTLY! Great point you've made, carnildo!

    Also, my favorite is "Let them go!" Just let all the lemmings do their stupid i-follow-along and i-can't-think-for-myself crap. Does Darwinism apply to the Internet? or something like that....

    I'd just let all the 'normal' people and 'users' have their IE and its security holes. I'm still waiting for an UltraMegaSuper Worm(tm) to get developed.

    I think these tr0jan and v1rus/wr0m writers are missing a GREAT opportunity here. Seriously, if these holes and sploits were viewed in the same sense as 'market research', you'd have an awesome Base Of Stupidity(tm) on which to build a UMS Worm(tm). Because you can look back and see "Nope, a lot of stupid windows users have not patched their systems. EVER." and then you can see "12% patched for FOO."

    With this kind of 'market research' data, you can begin to design ALL KINDS of models to make your UMS Worm(tm) behave.

    But ultimately, UMS Worm(tm) authors need to make damn sure to format and wipe out any system after a hibernation period. We NEED an Internet Meltdown event. But only Windows users will melt. The rest of us will thrive nicely. Yaaay natural selection!

    Only then, after a serious meltdown, will we have their undivided attention.

  5. Re:and ? on Novell-SUSE Sponsors Openswan · · Score: 5, Informative

    The *SWANs are IPsec. OpenVPN is not. IPsec is cross platform and cross-vendor (hang on, before you get excited, let me finish) and is a (series of) RFCs. IPsec also gets you plenty of perks such as kernel-space (fast, secure, etc).

    Now for the "reply" trigger-happy, OpenVPN does do SSL/TLS, is all in user-space, and does neat things, yes. However, with the *SWANs, you can also get x509, nat-t, dpd, foo, and bar. And yes, OpenVPN is cross-platform.

    The problem lies in not being cross-vendor. And you also have to realize that there is a very large inter-web out there and not everyone uses the same platforms and vendors, etc.

    For example, as a security engineer, I often have to build VPNs between disparate vendors, devices, and software versions. Even with IPsec/IKE it's difficult enough. And they've all pretty much agreed on how to speak IKE well enough to at least have a meet-and-greet among each other. Unfortunately, there is plenty of room for interpretation, so each vendor has a slightly different dialect.

    The point being, OpenVPN isn't a "standards-based VPN" whereas an IKE-based VPN is. I know it's not necessarily a great answer to the question, but it is the truth. (Besides, OpenVPN even says so on their site...it does not do IKE.)

    (whoa, poet and didn't know it)
    (woops, i did it again!)

  6. i signed up on Nextel Jumps into Wide-Area Wireless Broadband · · Score: 1

    it's been half an hour and my phone hasn't rung yet and i don't have an email saying "Welcome to the secret nextel wireless society!" WHAT GIVES? I NEED THE BROADBAND!!! I MU5T HAVE IT!! ...

    Seriously, tho, this is excellent news! Nextel has often done some nifty things, and for a business-class service, it's very nice. Sure the phones aren't sexy, but that's business-class. It's not for your girlfriend and her bubble-gum crew. I drop my phone several times a day on concrete (the stupid belt holder is worn out, it's 2 years old I think, and gets heavy usage), and the phone has some scratches but no failures in functionality. It's been hurled against the wall in my house, thrown across the room, and tossed on the furniture daily, and it keeps on ticking.

    Anyway, I look forward to the new data package. It will be awesome to have broadband access whilst having online access to GPS and street map info. Weeee....

    And now I can AIM while driving :) hahahaha! Wait, I already do that with my Nextel Online mobile AIM service....er.... /me whistles quietly....

    doo bee doo bee doooo...

  7. I... on Nextel Jumps into Wide-Area Wireless Broadband · · Score: 1

    I, for one, welcome our new Nextel Wireless Broadband overlords...

  8. Re:Bring it down if you don't continue using it. on NASA to Reconsider Hubble Decision · · Score: 1

    IIRC, Columbia was the only shuttle with a big enough payload bay to hold the Hubble. Also, Columbia was the shuttle that put the Hubble up there to begin with. Atlantis, Discovery, and Endeavour have all made service visits since then, tho. Columbia was also the heaviest of the others (which is why it couldn't get to the ISS even if they wanted to), thus capable of holding Hubble's mass and transporting it.

    Since we no longer have Columbia, I wonder if one of the others could go up and perform a tear-down mission and bring it back in 2 parts for reassembly? I'm sure the geeks at NASA have pondered that already, but that's one of my thoughts.

  9. encryption plugin for gaim on AOL Bridges AIM and ICQ · · Score: 1

    Here's a good chance to mention the Gaim-Encryption plugin project. For self-compiling people you can grab the plugin source, (get the gaim source too, they have to match), and compile the plugin. Then enjoy.

    Sadly, there's a licensing issue with the Win32 plugin. The author, Bill, was distributing an installer with the Gaim binary, the plugin binary, and the OpenSSL-for-Win32 dlls in one package. Apparently that's a GPL No-No (does this mean GPL is evil now??). So he ceased the distribution of the Win32 port.

    However, you can still get the Gaim source, Gaim-Encryption plugin source, the OpenSSL-for-Win32 package, and follow the instructions on the plugin project page to compile it all yourself under Cygwin + MinGW. (That was a huge sentence)

    It all uses RSA through OpenSSL to make it work. It works with Gaim so it will do crypto over all of Gaim's IM networks it supports (AIM, ICQ, etc). It's fantastic and open source :)

    Enjoy!

  10. there's gaim with cross-platform rsa encryption! on Sun Launches Instant Messaging Server · · Score: 1

    A few shameless plugs, yes, but the facts remain. Gaim is available for a plethora of platforms. Of those platforms, the Gaim-Encryption plugin works on 4 of them: Solaris (Sparc), Linux (x86), Win32, and Familiar Linux on the iPAQ (arm).

    The Gaim-Encryption plugin uses OpenSSL with RSA keys, auto key exchange, etc. Really really good stuff. And best I can tell, gaim is now the ONLY IM client with cross-platform encryption. The encrypt plugin lets you talk crypto across ANY of the IM platforms gaim supports, which is not a short list: AIM, MSN, IRC, Jabber, Yahoo!, ICQ, Napster(?), Zephyr, and Gadu-Gadu.

    The Gaim-Encryption maintainer provides pre-built packages and installers for several distros and Win32. So you can get it all in one spot.

    Seriously, "It Works. Well(tm)".

  11. Re:Don't hold your breath about creating apps.... on Motorola To Release Linux and Java-based Phone/PDA · · Score: 1

    Nextel offers the capability to upload Java applications to their java-enabled Motorola phones here at their site.

    They also have an OTA (over-the-air) feature to download the apps to all phones in your business/group/whatever collective you are in.

    Motorola also has a Developer site which has a user support board with active Motorola people helping answer questions, etc. here at THEIR site

    I'm not a java coder and have little desire to do so, but perhaps when I'm old and grizzly with nothing else to do I'll write my first "hello phone" j2me app :)

    But I am glad java is on the phones, and I most certainly look forward to Linux.

  12. Re:Only good news on Mozilla, Gecko, Netscape, And Their Future At AOL · · Score: 4, Informative

    Glad to see you not succumbing entirely to the Borg. However, check out Bluefish sometime. It does a lot of what you mentioned with the other obvious side-effects (gpl, gtk1 and gtk2 ports, etc.) Dunno if there is work to port it to win32.

  13. Re:I don't care on Colleges Signing Secret MS License Agreements · · Score: 1

    Development environment for Linux/Unix:

    1) vi
    2) man man
    3) groups.google.com
    4) a clue

  14. Re:MS == Clones on West Virginia Joins Massachusetts in MS Appeal Bid · · Score: 1

    Oh to long for moderation points... but alas....

    I do see the merit of your claims, and you are quite correct (damn honest truth). However, wouldn't it be worthy to note that by replacing the current Microsoft environment with Linux (even.. >gasp!< RedHat 8), the cost of the Personal Computer would be even cheaper?

    I've finally managed to convince my mom that Linux is good. She's got RedHat 8 on her laptop dual booting Win2k. She'll be my 2nd Linux test configuration. (Don't tell her I put rh8 on my ex-girlfriend's computer!).

    For the record, I, too, am a "Linux Luver".

  15. Re:What keeps me on windows? on What's Keeping You On Windows? · · Score: 2, Funny

    Three words for you:

    RedHat Linux 8.0

    (ok the last one was a floating point integer, but you get the idea)

    It addresses every issue you pointed above. I challenge you to install RedHat 8. I'm certain that each of your points above have been addressed and a solution is available.

    Happy Hacking!

  16. distcc is pretty sweet :) on A Distributed Front-end for GCC · · Score: 2, Interesting

    I followed the 30second install overview, and although it took 20minutes to get working, that 20minutes included a distributed kernel compile across 2 of my systems here: a p3-500 and p3-700, 512meg ram each. very nice. i like it!

  17. Re:How many people sent Mrs. Fiorina (CEO) Feedbac on HP Backs Off DMCA Threat · · Score: 1

    I posted my message on the last story (but it was never modded up, i guess the other letters were more worthy). So i can say "I fed-back to carly-&-crew". And i was fairly polite, and used similar wording as you described above.

    Power to the people!

  18. Re:Tell HP's CEO what you think! on HP Uses DMCA To Quash Vulnerability Publication · · Score: 1

    I agree with the parent post. Here's my letter. Adapt as you wish.

    Re: Story on CNet (http://news.com.com/2100-1023-947325.html)

    I am writing to express my dissatisfaction with HP's public handling of the recent security vulnerability in its Tru64 UNIX platform.

    I am very disappointed in HP's decision to handle this security incident in such an immature and irresponsible fashion. It is also with great displeasure that I learn of HP's unwillingness to cooperate with the security communities to allow a quick, satisfactory and agreeable solution to a potentially devastating software vulnerability.

    I am a software developer myself, and understand that we are capable of making mistakes. However, it is the manner in which we handle these mistakes that reflects upon our character. HP's manner of handling this issue reflects poorly upon the company and its leaders.

    Please reconsider the true ramifications of invoking such a controversial law (the DMCA) upon the community which is trying to help manage and address the mistakes made in your software.

  19. Re:Best way to learn about security on Security Gatherings for the Little Guys · · Score: 1

    Another name for your environment is "A Honeypot". A wonderful thing to have, once you're a bit more experienced and know WHAT to look for. In this case, WHEN to look for it is just as important. The Honeynet Project has TONS of fantastic info. Everyone should look there in their travels. Participating is recommended!

  20. My Security HOWTO on Security Gatherings for the Little Guys · · Score: 1

    Linuxsecurity.com has a mailing list you can subscribe to in order to get frequent updates on things. Another poster stated a few obvious things (which are always good advice) including: CERT, SANS, BUGTRAQ, linux networking, etc.

    A few bible-books in my library include:
    • "TCP/IP Illustrated Vol.1" by Richard Stevens published by Addison-Wesley
    • "Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt published by New Riders
    • "Unix System Administration" aka The Red Book by Nemeth, et al. I believe the Purple Book is the 3rd edition (I am open to corrections)
    • 2600 The Hacker Quarterly. A quarterly zine that most slashdotters have read, subscribe to, (or in this new-age, have either never heard of it and/or will flame or mod this into oblivion)
    • the "Hacking Exposed" series by Stuart McClure, et al.

    Grab any or all of these (ESPECIALLY the Stevens book above!!) and start reading.
    Install more than 1 linux box (and RedHat, SuSE, Debian [and anything else that's popular] DOES NOT count. Use Slackware so you can have some semblance of control and learn how things work).
    Don't install X; tough it out with the shell. <elitism>We all did.</elitism>
    Grab your hands on a Solaris machine, x86 will suffice but try to get a Sparc. That way you'll understand how to do things across multiple platforms.
    Set up a network and a routing firewall inside (ie: no masquerading). Then learn that and set up a masquerading firewall for all that to get to the Internet through your gateway.
    Oh, Get nmap! And learn how to use it SAFELY and WISELY on your own stuff.
    Read Read Read Read Read! Drop your girlfriend. Sex is good but if you wanna learn it hard, she'll have to go. If she's a geeky girl, have her help you out. She can learn too.

    After that, let us know how you did. Take a security test somewhere. Online or Real World, it don't matter. It's fun shit! We love it. But it's hard work to learn it. Once you do, you'll never be the same again and you'll be very very l33t.

  21. InfraGard, HTCIA on Security Gatherings for the Little Guys · · Score: 1

    The best and free (as in beer with InfraGard) resources is to hookup with your local InfraGard chapter. It's sponsored by the FBI so you get good info, and being a member is free (as in beer) and you get really great security updates and e-mails delivered daily.

    For HTCIA (HighTech Crime Investigation Association), the atmosphere is similar as there is a lot of info-sharing between HTCIA and InfraGard. HTCIA does require annual dues and per-meeting dues (self-sponsored organization).

    You can visit InfraGard's main site to see where you and your local chapter are. Then find the next meeting time and follow any applicable directions to get there and show up! I'm a member of our local chapter, and we welcome anyone and everyone dealing with InfoSec, Technology, and general Security. InfraGard is a bit more popular due to the local law enforcement participation (at least in our chapter). Our local chapter is here for anyone in the North Carolina RTP area.

  22. Re:Sloppy Coding, Gaming, and OSes on NIST Estimates Sloppy Coding Costs $60 Billion/Year · · Score: 1

    ******WARNING: LINUX DEFENSE!!!!************

    Just a meager, heads-up:
    Slackware-8.x full-install sits nicely on 1 CD and it all fits nicely inside 800meg. The only modern-day OS that can match that would be one of the BSD family members.

    /WARNING.

    But in agreement, yes, the base RedHat and "other" distro installations are getting insane. I saw a SuSE install that made me cringe. So that's why I use Slackware; It makes me l33t. I can't be l33t with RedHat (if you don't RPM everything you fux0r the whole system when you try to add packages later. How bloody retarded...)

    Computers suck. I wanna be a plumber.

  23. Re:Spying on civilians is bad, but... on Bringing Echelon In From the Cold · · Score: 1

    Those who would give up privacy and freedom for temporary safety deserve neither.

  24. Re:mod_ssl? on Apache 1.3.26 and 2.0.39 Released · · Score: 3, Informative

    Argh..I posted a comment but it was replied to the wrong thread by accident. Crap.. Anyway, here's what I had to say. Hope it helps. (I hope I'm not going to get flamed for anything on this but I probably will).

    Me and woolley chatted on irc tonite and i verified his patch [theaimsgroup.com] does indeed work. You will have to manually adjust apache_1.3.26/src/ap/Makefile.tmpl to add the three object files to line 7:

    ap_hook.o ap_ctx.o ap_mm.o

    The patch will cause a rejection due to modifications between 1.3.24 and 1.3.26 to the file.

    The patch applies to apache-1.3.24, btw. And be sure to use mod_ssl-2.8.8-1.3.24 and add --force on the mod_ssl configure line.

    Woolley's patch works great.

  25. Re:*NIX is in the clear. on Apache 1.3.26 and 2.0.39 Released · · Score: 1

    Me and woolley chatted on irc tonite and i verified his patch does indeed work. You will have to manually adjust apache_1.3.26/src/ap/Makefile.tmpl to add the three object files to line 7:

    ap_hook.o ap_ctx.o ap_mm.o

    The patch will cause a rejection due to modifications between 1.3.24 and 1.3.26 to the file.

    The patch applies to apache-1.3.24, btw. And be sure to use mod_ssl-2.8.8-1.3.24 and add --force on the mod_ssl configure line.

    Woolley's patch works great.