Slashdot Mirror


User: uucpbrain

uucpbrain's activity in the archive.

Stories: 0 · Comments: 19

Comments · 19

  1. Re:Beginning of a frightening trend? on Australia To Adopt U.S.-Style Copyright Laws · Score: 3, Insightful

    The problem with you Aussies is that you're not demonstrating your sincere admiration for US ways. Imitate us. Accept the treaty, use it to get whatever it offers you, then unilaterally declare it terminated. Works great for us, we do it all the time.

  2. WPA dictionary attack on New Wireless Security Standard Has Old Problem? · Score: 5, Insightful

    Speaking as a cryptographer and longtime security geek, this weakness is about as damning as... using a 128 bit cipher that only gives 120 bits of protection. Look at the big picture. Most people don't even use WEP, let alone limit access by MAC address. The average user is SO oblivious to security, sharing passwords, opening .EXE attachments... I'd hate to recall how many times I found things like .rhosts files with '++' in them among career Unix programmers who must have known better. WEP was a semi-broken protocol, TACACS+ was a totally broken protocol, there was no way one could use them without compromising security. Just as nobody can use a number of commercial software products without compromising security.

    WPA, on the other hand, is a very well-designed protocol. It is only as weak as its users are careless. And one need not choose "h^Ne#b8SV@,4g%yP" as a password to avoid this attack, any semi-uncommon phrase of 4 or 5 words will do.

    I will deal with this problem by threatening users with a nasty note in their personnel file if they choose a sh*t passphrase -- and terminate their wireless access. And yes, I will try cracking the passwords myself, just as I have done with operating system passwords for several years.

    I sure wish all my security problems were so simple! At least WPA *can* be secure, unlike the steaming heap of offal that most folks call a desktop operating system.
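    The comment's point is that WPA-PSK stands or falls on passphrase quality: a dictionary word is guessable offline, while a 16-character random string or a phrase of four or five uncommon words is not. Below is an added example (not code from the commenter or from any WPA implementation) of the kind of passphrase policy check an administrator could run before accepting a user's passphrase. It enforces the 802.11i passphrase limits (8 to 63 printable ASCII characters) and then applies two assumed heuristics: a multi-word phrase is scored at about 12.9 bits per word (a word drawn from a Diceware-sized list of 7,776 words), and a single token is scored by the character classes it uses. The 50-bit acceptance threshold, the tiny "common passphrase" list and the hypothetical `check_wpa_passphrase` / `estimate_bits` names are all constructed for the example.

```python
import math

# IEEE 802.11i limits for a WPA-PSK passphrase: 8-63 characters, each printable ASCII (0x20-0x7E).
MIN_LEN, MAX_LEN = 8, 63
PRINTABLE = {chr(c) for c in range(32, 127)}

# Constructed, deliberately tiny list of passphrases that any offline guesser tries first.
# A real deployment would use a large wordlist plus the SSID and the organisation's own name.
COMMON_PASSPHRASES = {"password", "12345678", "letmein1", "qwertyuiop", "iloveyou"}

# Assumed scoring constants.
BITS_PER_WORD = math.log2(7776)          # one word from a Diceware-sized list, about 12.9 bits
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # printable ASCII classes
SINGLE_WORD_MAX = 12                     # an all-lowercase token this short is treated as one word


def estimate_bits(passphrase: str) -> float:
    """Rough entropy estimate: word-count based for phrases, class-pool based for single tokens."""
    tokens = passphrase.split()
    if len(tokens) >= 2:
        # Multi-word phrase: credit each word as one random pick from a word list.
        return len(tokens) * BITS_PER_WORD
    if passphrase.isalpha() and passphrase.islower() and len(passphrase) <= SINGLE_WORD_MAX:
        # A lone lowercase token is almost certainly a dictionary word, not random letters.
        return BITS_PER_WORD
    # Otherwise credit each character as a pick from the union of character classes present.
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += CLASS_SIZES["lower"]
    if any(c.isupper() for c in passphrase):
        pool += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in passphrase):
        pool += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in passphrase):
        pool += CLASS_SIZES["symbol"]
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_wpa_passphrase(passphrase: str, min_bits: float = 50.0) -> dict:
    """Return {'ok': bool, 'bits': float, 'problems': [..]} for a proposed WPA-PSK passphrase."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length {len(passphrase)} is outside {MIN_LEN}-{MAX_LEN}")
    if any(c not in PRINTABLE for c in passphrase):
        problems.append("contains a character outside printable ASCII")
    if passphrase.lower().replace(" ", "") in COMMON_PASSPHRASES:
        problems.append("appears in the common-passphrase list")
    bits = estimate_bits(passphrase)
    if bits < min_bits:
        problems.append(f"estimated {bits:.0f} bits of entropy is below the {min_bits:.0f}-bit minimum")
    return {"ok": not problems, "bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Constructed sample passphrases, including the one quoted in the comment above.
    for candidate in ["h^Ne#b8SV@,4g%yP", "correct horse battery staple", "password", "sunshine", "short"]:
        result = check_wpa_passphrase(candidate)
        verdict = "accept" if result["ok"] else "reject"
        print(f"{candidate!r:32} {verdict:7} {result['bits']:6.1f} bits  {'; '.join(result['problems'])}")
```

The estimate is deliberately coarse: it cannot tell a famous quotation from four random words, which is why the dictionary check comes first and why the wordlist in a real deployment should include the phrases users actually reach for.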

  3. DMCA? on SCO Now Willfully Violating the GPL · Score: 3, Insightful

    Forgive me for such an evil thought, but it occurs to me that it might be possible to demand that SCO's upstream provider shut them down for illegally distributing copyrighted software. Wouldn't that be the most ironic thing in the world?

    MUAHAHAHAHAHAHAHA!

  4. Forbes using GPLed software on The FSF, Linux's Hit Men · Score: 1

    From www.webcraft.com:

    The site www.forbes.com is running Apache/1.3.26 (Unix) on FreeBSD.

  5. Diebold DMCA attack? on Touch Screen Voting Industry Circling Wagons · Score: 1

    As of 3:15 PM (Pacific time), www.blackboxvoting.org, Bev Harris' site for activists, appears to have been shut down by its hosting company. Since this closely follows demands by Diebold that very embarrassing internal memos of theirs be removed from the site (as Diebold copyrighted material), looks like we may have another case of IP law/DMCA being used to silence those who tell the truth.

  6. Re:SCO is the villain? on Today's SCO News · Score: 1

    I could accept that explanation easily except for one thing -- hasn't MS been making vague allusions to IP issues in Linux for months, well before any of SCO's brouhaha began? Sure, it could be coincidental... but that seems the less likely explanation to me.

  7. Re:Great... on Peekabooty, Camera/Shy Released · Score: 1

    It's rather too late to worry about people like drug runners anyway. Eight years ago the Cali cocaine cartel was using an IBM mainframe (with full time operations staff) to manage their information. In the years since, the various cartels have mapped all the radar in the areas important to them, have set up international communications networks with military-grade encryption, and were even reported to have purchased a surplus stealth submarine from a former Soviet state, only to lose it shortly after (due to operation by unqualified staff). They're also said to have a secure website where up to $3B a year in drug funds are laundered with a few easy mouse clicks.

    Guys with piles of tax-free money don't need things like Camera/Shy and Peek-a-booty, which are just simple tools for end users. They have long had IT hardcores working for them, and employees who don't follow best security practices, regardless of inconvenience, probably don't live very long.

    In short, give it up, the baddies are so far ahead of the goodies in this area that they'd laugh at the resources available to the other 99.999% of us. Who needs LSB stego when you already have $5000 phones with 168-bit encryption built in?

  8. Re:Am I missing something? on Peekabooty, Camera/Shy Released · Score: 1

    Your misconceptions on this subject are common, indeed I shared them fairly recently, until some Chinese folks straightened me out on it.

    There are hundreds of millions of Internet users in China, and the blocking and surveillance there have become much worse over the last year or so. Hacktivismo *did* do its homework, and did talk to people in China (either directly or indirectly) during the design and coding process. I don't mean to be rude, but I suspect that the Chinese know more about conditions there than you do.

  9. Camera/Shy mirrors on Peekabooty, Camera/Shy Released · Score: 1

    For those who find that the Hacktivismo site is slashdotted, Camera/Shy is also available for anonymous download from:

    http://www.mirrors.wiretapped.net/security/steganography/camerashy/
    or
    ftp://mailprivately.com

  10. Re:Moderation - A warning from History on Hacktivismo to Release Steganography Tool · Score: 1

    I believe what you're referring to is called "editorial stance," like it or not, you will never escape it.

    As an old journalist, I can assure you that you will never find any media entity which doesn't have an editorial position. Slashdot's moderation, which I myself have sometimes found arbitrary and annoying (yes, I've been modded down often enough) is no worse than cnn.com's refusal to air some stories, or the emphasis they put on aspects of various stories, or PC Magazine's lack of critical reviews of major advertiser's products. If anything, Slashdot's policies are less harmful. To call them fascist for having an editorial policy is ludicrous. Nobody would ever want to visit a site without such a policy, as the content would be random and directionless.

    If you can't live with slashdot's policies, by all means post elsewhere! Would you expect a Communist site to welcome Republican-slanted posts from you, or vice versa? I think not. This is not the only site in the world, and you can always start your own if you can't be happy with anyone else's.

    In summation: dude, get a grip.

  11. Re:Jones' spam violates CA Penal Code 502, section on Rep. Bill Jones Thinks Spam is "Innovative" · Score: 1

    In addition, someone misused a Korean school's resources and bandwidth, probably getting them blackholed for quite a while. That's damage. Under California's civil spam laws, it's clear that UCE is considered tantamount to theft of bandwidth; ISPs with "no spam" policies may collect $5 per recipient from the spammers for abusing their network and bandwidth.

    Pity that the California laws are mostly untested theory. I'd bet that in the years they've been on the books, not a single spammer has spent a day in jail.

  12. Jones' spam violates CA Penal Code 502, section 9 on Rep. Bill Jones Thinks Spam is "Innovative" · Score: 2, Informative

    Forging an email address is a criminal activity in California, regardless of whether or not it's commercial. It is a crime to:

    "Knowingly and without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and thereby damages or causes damage to a computer, computer system, or computer network."

    Whoever forged the MSN address while really going through a Korean relay would seem to be a criminal.

  13. Re:Google doesn't accept money, but accepts cheate on Search Engine Payola · Score: 1

    I'm amazed that nobody has yet brought up dmoz.org. They are where AOL, MSN, and others get their *good* links. And porn spammers can't do a thing to fool the dmoz editors!

    They're every bit as useful as Google, I recommend them to everyone as the *other* reasonable choice.

  14. Re:This still won't work! on Peek-a-Boo(ty) · Score: 1

    "The obvious solution... is to publish a list of nodes... but that won't work here."

    Exactly right. That approach can NEVER work well to circumvent a determined censor. There is no way a piece of software can tell who is a good guy and who is a bad guy, and any centralized server which gave out addresses would be immediately blocked anyway. Glad we have that out of the way.

    "Peek-A-Booty has not solved this problem."

    Of course not. Nothing but a change in China's politics can solve that. Anyone who thinks there is a foolproof technical solution to this is overlooking something. That Peek-a-booty does not solve impossible problems related to network topologies which it does not use is a rather lame complaint.

    "That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective."

    Not at all. We had at least a hundred Chinese users on a proxy run by some sysadmins at work, and they happily downloaded many gigabytes of stuff over a period of months. Eventually the porn in their downloads got the attention of the Information Security department, and the proxy was shut down. But the Chinese employed word of mouth extremely effectively, lots of people were using the proxy, and the government never blocked it. Peek-a-booty brings thousands of new proxies into the equation. What's your problem with that?

    "Trust the wrong person, and your whole network is exposed."

    No, trust the wrong person and one address gets blocked. Fortunately, there will be thousands of other addresses available.

    "Worst of all, they could just offer some huge incentive to people for turning in their friends."

    Oh, you mean exactly like they've done in every sphere of life for decades?

    If your critique offered any sort of hope for the Chinese that would be one thing, but you pose no solutions. The fact is that they have been circumventing censorship for years using much less secure methods than Peek-a-booty (primarily normal http proxies). If people can access the Peek-a-booty network with a browser, the user will be exposed to ZERO risks they are not exposed to now, but monitoring the content will be impossible (due to SSL) and blocking or monitoring the addresses will be a lot harder, since there will be so many more. Nodes running on DHCP connections will change address regularly, so blocking them all will be extremely difficult. The only reliable option would be for the government to block almost all ports on almost all of the Internet (since the Peek-a-booty port number is a configuration option).

    From everything I can see about it (and I am familiar with the source code, BTW), Peek-a-booty alleviates a lot of problems that the Chinese (and Saudis, and UAE residents) are facing now, but does not introduce any new problems. I fail to see what about this is grounds for criticism, especially criticism that offers no source code, or pseudocode, or even ideas. Peek-a-booty isn't perfect, and nobody involved in the project would ever claim otherwise. It's just a big improvement from how things are now.

  15. This ignores so much... on WinInformant Says Windows More Secure Than Linux · Score: 4, Interesting

    The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.

    Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.

    The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.

    I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.

  16. Right, like Windows... on LindowsOS Marches On · Score: 1

    That was what I said when Microsoft released that silly Windows product. Great, now PC programs can look like they're running on a Mac. How worthless, nobody will ever buy it!

  17. Re:IE under UNIX ? on MS Office for OSX? Why not for Unix as Well? · Score: 1

    When I saw this whole discussion I had to scratch my head. In several years of administering hundreds of Solaris machines, I never once saw a copy of IE running under Solaris. As a member of the security staff, I did my best to eliminate IE and Outlook from the company desktop as products which were too dangerous to use. To my mind, using products like that under Unix/Linux would be a little like putting Hyundai parts into a Bugatti, and it has never surprised me that Unix IE seems to exist only in theory.

    Office? Who needs it?

  18. Re:Where they get their stats. on Linux On the Desktop: 0.24 Percent? · Score: 1

    Absolutely. Is Hitbox counting me? No, for several reasons. Here are a couple of them:

        apps/kcookiejar/cookies:vwr1.hitbox.com .hitbox.com / 2064623875 100 id OPT_OUT 0
        apps/kcookiejar/cookies:www.hitboxenterprise.com 2051222400 100 id OPT_OUT 0
        apps/kcookiejar/cookies:hitboxenterprise.com 2051222400 100 id OPT_OUT 0
        /etc/junkbuster/blocklist:hitbox.com

    I don't normally accept cookies anyway, and all my browsers lie about my system. I regularly use an anonymizing proxy. The question isn't even whether hitbox will have accurate data on people like me, but in how many different ways on a single system they are getting blocked. Pretty many proxies report IE/Windoze user agents for all users. Almost every Linux browser can lie about its identity, and this feature is very often used for compatibility reasons (IE can't even lie, so it's naturally the one overreported browser). People at work are more likely to use anonymizing proxies, so if Linux is more dominant in the workplace, there's another source of inaccuracy. If they check the proxy logs, they will see the Linux browsers lying for compatibility reasons, and give false results.

    Europe has a larger percentage of Linux users than North America. Did they survey a lot of non-English language websites? My guess is that the great majority of the sites hitbox does business with are in the US.

    I think if you check the configuration of your own Linux system, at least 4 out of 5 of you (Linux users) will find that you are blocking hitbox's tracking mechanisms. A report of .25% from them and 1-1.5% from everyone else makes a whole lot of sense. Grossly inaccurate, but not at all surprising. We could be at 3-4% and show figures like this, easily. My local retailers all devote over 25% as much shelf space to Linux as they do to MS OSes. Is one to believe that they are really so out of touch with the marketplace that they'd do this for a low-ticket item that only sold 1/400th as much?

  19. Legislative wishlist on Network Webcurity Wishlist? · Score: 1

    My first and foremost wish, by a wide margin, would be: repeal pretty much everything passed in the last couple of years. When our sites are attacked, we go down a checklist:

    1) Was there over $10K in damages? If not, stop here.
    2) Will trying to prosecute the hackers most likely just result in bad PR and pissed-off hackers? Yes, almost always, end of story.

    In short, we're not getting much protection, and we don't really expect any. The Internet just doesn't regulate well, and your average legislation seems to be clueless and harmful. We need protection of our privacy, but we only get the opposite. We need open scrutiny of security problems, we get the opposite. I've written to my representatives, and it seems clear that they don't understand the bills well enough to do anything much but vote like their whip told them to. At this point I am afraid of suggesting anything beyond the stringent enforcement of antitrust law, just because I'd be afraid that they'd totally screw the bills up. So I'd happily settle for as little government intervention as possible.