Re:Roots on Windows aren't as l337
on
Windows Rootkits
·
· Score: 1
whoops:) Minor oversight, I forgot about that....
Re:How to clean boot Windows?
on
Windows Rootkits
·
· Score: 3, Interesting
Id have to agree with this. With the exception of the Emergency Recovery Console, in Win2k and WinXP, there isnt really a safe way that I can think of to clean out a infected Windows box the same way as the old Dos days (or even up to WinME). In Unix you could at least boot off a floppy or CD like Knoppix and mount the drive in some form of a safe manner. Ive heard that there is supposidly a way to do this with Windows, but since I have no real desire to go back to Windows nor do I support Windows, so I dont know the legitimacy of that statement nor have I checked. If a Win2k or winXP system is partitioned for FAT32, you could still boot off a floppy and run, but like you said, NTFS is a bitch. If theres some sort of corruption of the boot sector or fat table, mounting it secondary in another system would be suspect, and I have seen viruses that disable virus scanners (or at least attempt to) so installing one after the fact is only partially reliable, if at all. Anyone have any ideas on this?
Re:Roots on Windows aren't as l337
on
Windows Rootkits
·
· Score: 4, Interesting
A windows command prompt is only the beggining of the fun. Once there, you can install a hidden VNC server and get your remote desktop, as outlined in "Hacking Exposed" 2nd and 3rd editions in the section under Windows NT and Windows 2000. Also, if it is a Win2k box, you can enable the terminal service and run something like RT client or in linux Rdesktop to get a remote desktop. There are other things you can do with a command prompt to, such as install any other trojan along the lines of BO, or Sub7 for remote control havoc, not to mention things like run irc bots, zombies, or be really lame and set up crappy things like DDOS nodes. Or if you feel like cheating at SETI, you can set up a remote SETI client, or as some people saw, there was a virus/trojan that ran around and set up a Distributed.net client. Those are just basic examples of what you can do, and if there were a good Root kit for Windows, you could hide those processes. In truth, you could do all the same things you could do with a Windows root kit that can be done with a Unix one, only it just wouldnt be as cool for some reason.
I actually like the Line6 series of modelers. Ive worked with both the POD 2.0 and the BassPOD. Both are nice modelers. Their decent enough for live shows (although they really dont replace a nice high end amp) and the fact that you can get swap other peoples programmable models is a nice feature. The PRO model is a little too pricey though, but for home use and jam sessions the POD 2.0 is a good investment.
Very interesting. I am currently working on a project with a company that is using LumiLeds for a portable light. Being that these LEDS are very small and have about 120 Lumens a piece (not sure how many are in one bank on the light since Im not doing the engineering portion of the development, only the software for the control). If these things are as small as the Lumileds (the picture shows a scale compared to some coin/button, which is a little smaller that the Lumileds with the optics in place), or as bright, this might be a nice alternative. The companies web site was/. already, anyone have any information on this?
Thank you for sucking the meaning and inspiration out of a great mans speech to try and look intelligent and insightful over a syntax error. You must be a teacher, and in that case I pity your students.
I totally agree with that. Its like Kennedy said, we do it not becauase we can or should, we do it because its there. I personally like this guys mod, as long as it still plays X-Box games as well (I cant read Swedish, but Im pretty sure it does, otherwise it would be a step backwords, not fowards). Id like a case like that for my Freevo box, but Im not all that creative...
I think this is a great step towards educating technology students about platforms other than Windows. I think its even more interesting that they are doing robotics in high school. We had a similar program at the high school I went to where we did all sorts of stuff with electronics from robots to electronic repair. The courses counted towards credit with the local university. The program eventually grew to groom students into network engineers working on getting them prepped and ready for their Cisco certifications (maybe a few others at this point). Its good to see that with all the criticism of public schools, that some are still scrapping together enough money to do some interesting projects.
Well, that sounds like poor management. There's an old saying, the proper tool for the job. There are definitely tasks that can be performed quicker and easier in scripting languages such as Perl or even VBScript (particularly in Office documents, if you have VBScript enabled outside of that your asking for trouble (figured Id head that troll off at the pass)) that can be performed quicker and easier than in C, C++, or whatever. We used to have discussion with professors about C++ vs. Visual Basic, and how some tasks could be performed better in VB than in C++. This is a generalization excluding things such as code size and such. But I would have to agree that there is definitely a distinction between "programmers" and "scripters" in the eyes of management and employers. I guess they see things such as automated memory management, interpreters and scalar variables as being weaker than declared typed variables and compiling. Kind of reminds me of the Artist vs. Inker/Tracer argument from Chasing Amy/J&SB Strike Back.
No, I think I do remember correctly. The article is a criticism for the Racal RG7000 series and various other HSM modules that are supposed to be plug-in and go security for various ATMS (not just Citibanks CATS systems). This is independent of the software that runs the actual interface, hence an excerpt from Racals RG7000 brocure "you can just plug this unit without changes to exsisting software". Oh well, sucks to be a troll doesnt it...
This is not very suprising at all.Having worked for Citibank, I can vouch for their poor security and joke of a ethical hack process, Im not suprised that their ATM's (Global CATS is what they are called internaly) encryption scheme for PIN numbers is poor. If I remember correctly, its actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. Im not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infastrucutre) and their development team, I wouldnt be suprised if these boxes were more vunerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I dont think they are still around, I think they were "silenced") that used to point out flaws in Citis systems. They arent the first to sweep bad press under the rug though.
1: Stay away from the girl up the street, she really is a tramp.
2: Smoke more pot... or is that less
3: Dont invest in Enron or Worldcom.
Seriously, nothing. I didnt make bad choices nor do I regret anything Ive done (except maybe item number 1). Without the life experiences Ive had, I wouldnt be where I am today, which is to say maybe not all that wealthy, but definitly happy. Now if I could give all my knowledge to my 12 year old self it would be a different story...
Actually I had, and this is an excellent recommendation. I had forgotten about it, even though I probally shouldnt have, definitly a good one to keep in mind.
Sounds like an interesting book. I'm always on the lookout for good books on program design methodologies and software development strategies. I've come across a few for OOAD and a using the Rational Unified Process that have caught my attention within the past three years (the titles of the two books escape me at the moment). Although neither are as heavily referenced as some of my programming books, they still had a good mind set for development life cycles and methodologies that I've used in projects that I'm working on, both large and small. Then I've read some total dogs that really sucked, such as System Analysis and Design Methods from McGraw-Hill. Although it had a few (and I mean very few) good points, most of the book was regurgitation of the garbage that they summarize in the first few chapters. The only thing that I'd give a plus is the follow along of a new analyst in a developing system and the interactions he has with the development team (which after about 3/4 of the book, I ended up just reading those, after all, it was kind of nostalgic to remember what it was like to be so eager to jump into a project that you'd spout out technologies and algorithms when you meet a customer for the first time, only to have them look at you real funny and have no clue what your talking about). Id be interested to hear what books the rest of the Slashdot community would recommend as real jewels on this subject.
Wow, for a company thats so great they patented the internet, keyword searches, and secure database transactions its suprising that their stock is only $17.86. I better hop on board before they invent the door knob, or oxygen. The funny thing is I seem to remember using keyword searches well before the Internet, and using secure database transactions. I cant comment on the other patents, but they sound pretty general in terms of E-Commerce, which is what Im getting from looking at these patents, can someone clarify this, I somehow doubt that they are patenting the internet.
When I was still doing laser shows, we did a a show for a party this guy threw, not sure if it was for his birthday or what. I missed the actual bash (had another gig elsewhere), but from what i understand, he threw a hell of a party. In addition to the laser show (dont remember if it was a custom show or the Pink Floyd show that we used to run), he had all sorts of props, he was in costume, and he staged a shooting where his wife burst in and shot him with a shotgun (he was wired to make it look like he was hit). Of course with out actually being there I couldnt vouch for it, but the show crew had nothing but nice things to say about the guy.
This would be dependent on the scope of the overall project, and the development methodology. In Structured programming I think it would be prudent to be mindful of the overall picture of the project as opposed to the "walls and windows" approach of OOAD (Object Oriented Analysis and Design). On a smaller project, of course you can be aware of the overall project, after all theres not much to look at, but on a large scale project its almost impossible to do that, thats why there are development teams assigned to a particular phase or portion of a project. I dont think the "black box" approach is the cause of poor security as much as poor programming. Its been a while since Ive read up on it, but Ive always been under the impression that the biggest problems in security and bugs are poor pointer handling and use of non-bounds checking string routines such as strcpy() as opposed to strncpy(). If theres security issues raised from the "black box" mentality, its due to poor management, design, the methodology, however if a developer is aware of the overall pictuer and can in some way increase security with that knowledge, I dont think it would be frowned upon.
Snort can, and has, be setup to monitor IM traffic. We used to watch IM traffic with a rule in snort, and the messages were in clear text. Unless theyve started encrypting their messages, Im sure you still can..
Its been a few days since I read the original article, but I don't seem to remember where the original allegation that they'd ripped off the Linux kernel came from, other than "the guy". Who is "the guy"? Is he an employee for Castle, possibly disgruntled, or is he just "the guy" sleeping on the couch? If there is a legitimate breach, than whoever holds the license should by all means fight. But I've always been under the impression that borrowing code from a GPL based package was acceptable, as long as credit is given where credit is due. If that's the case, and there was indeed a breach of the GPL, couldn't Castle just put the creators names in the credits, no harm, no foul? Any takes on this?
"I agree that it should be simpler to set up, but does Joe Sixpack really need to be designing databases?"
Absolutly, if Joe Sixpack works for a small freight, delivery or trucking company and needs to keep a small database of shipping, customers, destinations, and other small business related matters. Ive seen plenty of smaller companies (1 to 2 offices and handfull of employees) who do this with Access (mostly by means of the pre-built databases and templates, or a consultant/tech set one up for them). This is my point right here, instead of the "why would they" or the "should they be" mind set, it should be percieved from the "Ok, they are going to, so how can I make it easier for them".
I agree with you totally on both points. If the guy is a Linuxworld columnist, he probably has at least a basic understanding of the technical side of Linux and Linux app installs (there's not telling really, since he is a columnist, and in my opinion the old saying about those who cant teach applies more to columnist than to teachers these days). With that being said, if someone who has at least a basic understanding of Linux has that much difficulty installing something like this, than "Joe Sixpack" isn't going to be able to figure it out either. But this goes into the age old problem with Linux on the desktop, do the developers keep the mentality of "If you don't like it, fix it yourself, its open source", or do they take the mentality of "Well, I can figure it out, and the next developer can figure it out, but can the average person figure it out?" Once OS developers look at it in the later fashion, then we will start seeing real gains as far as usability. IMHO, that's the difference between Computer Science graduates and Information Systems graduates, one sees things in the more technical side, the other sees it in the usability (business wise, if its easier to use and provides functionality, then its more marketable) side. And ill make the assumption that most OS developers are CS people. Id be interested to hear others opinions on this.
I've always found this to be an interesting argument and requirement for jobs myself. If a company were an EOE (Equal Opportunity Employer), wouldn't discriminating based on credit history be just as bad as discriminating based on race/ethnic group? I think it can easily be argued that this is yet another racist hiring policy based on the assumption that minority groups would be of lower financial status, which as anyone who got a credit card when they went to college would know is not exactly the case. I think it should be brought to the attention of the ACLU or something, its no more a company's policy what my credit history is than how many dogs I have, what size bed I sleep in, or any other matter that I don't feel they have a right to know. A company's argument that someone's credit history is a check of character is absurd. And since its illegal for creditors to call your job, the argument of distracting phone calls is BS. I agree with the poster, it really is none of their business.
Very little. I have, however, had situations where Ansi C++ compilers would compile a program (very simple console programs mind you), and Visual C++ would not. It would whine about the class definitions and such. Overall though, the sytax is almost the same.
Slashdot Mirror
whoops :) Minor oversight, I forgot about that....
Id have to agree with this. With the exception of the Emergency Recovery Console, in Win2k and WinXP, there isnt really a safe way that I can think of to clean out a infected Windows box the same way as the old Dos days (or even up to WinME). In Unix you could at least boot off a floppy or CD like Knoppix and mount the drive in some form of a safe manner. Ive heard that there is supposidly a way to do this with Windows, but since I have no real desire to go back to Windows nor do I support Windows, so I dont know the legitimacy of that statement nor have I checked. If a Win2k or winXP system is partitioned for FAT32, you could still boot off a floppy and run, but like you said, NTFS is a bitch. If theres some sort of corruption of the boot sector or fat table, mounting it secondary in another system would be suspect, and I have seen viruses that disable virus scanners (or at least attempt to) so installing one after the fact is only partially reliable, if at all. Anyone have any ideas on this?
A windows command prompt is only the beggining of the fun. Once there, you can install a hidden VNC server and get your remote desktop, as outlined in "Hacking Exposed" 2nd and 3rd editions in the section under Windows NT and Windows 2000. Also, if it is a Win2k box, you can enable the terminal service and run something like RT client or in linux Rdesktop to get a remote desktop. There are other things you can do with a command prompt to, such as install any other trojan along the lines of BO, or Sub7 for remote control havoc, not to mention things like run irc bots, zombies, or be really lame and set up crappy things like DDOS nodes. Or if you feel like cheating at SETI, you can set up a remote SETI client, or as some people saw, there was a virus/trojan that ran around and set up a Distributed.net client. Those are just basic examples of what you can do, and if there were a good Root kit for Windows, you could hide those processes. In truth, you could do all the same things you could do with a Windows root kit that can be done with a Unix one, only it just wouldnt be as cool for some reason.
I actually like the Line6 series of modelers. Ive worked with both the POD 2.0 and the BassPOD. Both are nice modelers. Their decent enough for live shows (although they really dont replace a nice high end amp) and the fact that you can get swap other peoples programmable models is a nice feature. The PRO model is a little too pricey though, but for home use and jam sessions the POD 2.0 is a good investment.
Very interesting. I am currently working on a project with a company that is using LumiLeds for a portable light. Being that these LEDS are very small and have about 120 Lumens a piece (not sure how many are in one bank on the light since Im not doing the engineering portion of the development, only the software for the control). If these things are as small as the Lumileds (the picture shows a scale compared to some coin/button, which is a little smaller that the Lumileds with the optics in place), or as bright, this might be a nice alternative. The companies web site was /. already, anyone have any information on this?
Thank you for sucking the meaning and inspiration out of a great mans speech to try and look intelligent and insightful over a syntax error. You must be a teacher, and in that case I pity your students.
I totally agree with that. Its like Kennedy said, we do it not becauase we can or should, we do it because its there. I personally like this guys mod, as long as it still plays X-Box games as well (I cant read Swedish, but Im pretty sure it does, otherwise it would be a step backwords, not fowards). Id like a case like that for my Freevo box, but Im not all that creative...
I think this is a great step towards educating technology students about platforms other than Windows. I think its even more interesting that they are doing robotics in high school. We had a similar program at the high school I went to where we did all sorts of stuff with electronics from robots to electronic repair. The courses counted towards credit with the local university. The program eventually grew to groom students into network engineers working on getting them prepped and ready for their Cisco certifications (maybe a few others at this point). Its good to see that with all the criticism of public schools, that some are still scrapping together enough money to do some interesting projects.
Well, that sounds like poor management. There's an old saying, the proper tool for the job. There are definitely tasks that can be performed quicker and easier in scripting languages such as Perl or even VBScript (particularly in Office documents, if you have VBScript enabled outside of that your asking for trouble (figured Id head that troll off at the pass)) that can be performed quicker and easier than in C, C++, or whatever. We used to have discussion with professors about C++ vs. Visual Basic, and how some tasks could be performed better in VB than in C++. This is a generalization excluding things such as code size and such. But I would have to agree that there is definitely a distinction between "programmers" and "scripters" in the eyes of management and employers. I guess they see things such as automated memory management, interpreters and scalar variables as being weaker than declared typed variables and compiling. Kind of reminds me of the Artist vs. Inker/Tracer argument from Chasing Amy/J&SB Strike Back.
No, I think I do remember correctly. The article is a criticism for the Racal RG7000 series and various other HSM modules that are supposed to be plug-in and go security for various ATMS (not just Citibanks CATS systems). This is independent of the software that runs the actual interface, hence an excerpt from Racals RG7000 brocure "you can just plug this unit without changes to exsisting software". Oh well, sucks to be a troll doesnt it...
This is not very suprising at all.Having worked for Citibank, I can vouch for their poor security and joke of a ethical hack process, Im not suprised that their ATM's (Global CATS is what they are called internaly) encryption scheme for PIN numbers is poor. If I remember correctly, its actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. Im not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infastrucutre) and their development team, I wouldnt be suprised if these boxes were more vunerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I dont think they are still around, I think they were "silenced") that used to point out flaws in Citis systems. They arent the first to sweep bad press under the rug though.
1: Stay away from the girl up the street, she really is a tramp.
2: Smoke more pot... or is that less
3: Dont invest in Enron or Worldcom.
Seriously, nothing. I didnt make bad choices nor do I regret anything Ive done (except maybe item number 1). Without the life experiences Ive had, I wouldnt be where I am today, which is to say maybe not all that wealthy, but definitly happy. Now if I could give all my knowledge to my 12 year old self it would be a different story...
Actually I had, and this is an excellent recommendation. I had forgotten about it, even though I probally shouldnt have, definitly a good one to keep in mind.
Sounds like an interesting book. I'm always on the lookout for good books on program design methodologies and software development strategies. I've come across a few for OOAD and a using the Rational Unified Process that have caught my attention within the past three years (the titles of the two books escape me at the moment). Although neither are as heavily referenced as some of my programming books, they still had a good mind set for development life cycles and methodologies that I've used in projects that I'm working on, both large and small. Then I've read some total dogs that really sucked, such as System Analysis and Design Methods from McGraw-Hill. Although it had a few (and I mean very few) good points, most of the book was regurgitation of the garbage that they summarize in the first few chapters. The only thing that I'd give a plus is the follow along of a new analyst in a developing system and the interactions he has with the development team (which after about 3/4 of the book, I ended up just reading those, after all, it was kind of nostalgic to remember what it was like to be so eager to jump into a project that you'd spout out technologies and algorithms when you meet a customer for the first time, only to have them look at you real funny and have no clue what your talking about). Id be interested to hear what books the rest of the Slashdot community would recommend as real jewels on this subject.
Wow, for a company thats so great they patented the internet, keyword searches, and secure database transactions its suprising that their stock is only $17.86. I better hop on board before they invent the door knob, or oxygen. The funny thing is I seem to remember using keyword searches well before the Internet, and using secure database transactions. I cant comment on the other patents, but they sound pretty general in terms of E-Commerce, which is what Im getting from looking at these patents, can someone clarify this, I somehow doubt that they are patenting the internet.
When I was still doing laser shows, we did a a show for a party this guy threw, not sure if it was for his birthday or what. I missed the actual bash (had another gig elsewhere), but from what i understand, he threw a hell of a party. In addition to the laser show (dont remember if it was a custom show or the Pink Floyd show that we used to run), he had all sorts of props, he was in costume, and he staged a shooting where his wife burst in and shot him with a shotgun (he was wired to make it look like he was hit). Of course with out actually being there I couldnt vouch for it, but the show crew had nothing but nice things to say about the guy.
This would be dependent on the scope of the overall project, and the development methodology. In Structured programming I think it would be prudent to be mindful of the overall picture of the project as opposed to the "walls and windows" approach of OOAD (Object Oriented Analysis and Design). On a smaller project, of course you can be aware of the overall project, after all theres not much to look at, but on a large scale project its almost impossible to do that, thats why there are development teams assigned to a particular phase or portion of a project. I dont think the "black box" approach is the cause of poor security as much as poor programming. Its been a while since Ive read up on it, but Ive always been under the impression that the biggest problems in security and bugs are poor pointer handling and use of non-bounds checking string routines such as strcpy() as opposed to strncpy(). If theres security issues raised from the "black box" mentality, its due to poor management, design, the methodology, however if a developer is aware of the overall pictuer and can in some way increase security with that knowledge, I dont think it would be frowned upon.
Snort can, and has, be setup to monitor IM traffic. We used to watch IM traffic with a rule in snort, and the messages were in clear text. Unless theyve started encrypting their messages, Im sure you still can..
Its been a few days since I read the original article, but I don't seem to remember where the original allegation that they'd ripped off the Linux kernel came from, other than "the guy". Who is "the guy"? Is he an employee for Castle, possibly disgruntled, or is he just "the guy" sleeping on the couch? If there is a legitimate breach, than whoever holds the license should by all means fight. But I've always been under the impression that borrowing code from a GPL based package was acceptable, as long as credit is given where credit is due. If that's the case, and there was indeed a breach of the GPL, couldn't Castle just put the creators names in the credits, no harm, no foul? Any takes on this?
Hehehe Im reminded of an old Married with Children episode with Bud Bundy jumping up and down, arms flailing screaming "I am not a troll!"
"I agree that it should be simpler to set up, but does Joe Sixpack really need to be designing databases?"
Absolutly, if Joe Sixpack works for a small freight, delivery or trucking company and needs to keep a small database of shipping, customers, destinations, and other small business related matters. Ive seen plenty of smaller companies (1 to 2 offices and handfull of employees) who do this with Access (mostly by means of the pre-built databases and templates, or a consultant/tech set one up for them). This is my point right here, instead of the "why would they" or the "should they be" mind set, it should be percieved from the "Ok, they are going to, so how can I make it easier for them".
I agree with you totally on both points. If the guy is a Linuxworld columnist, he probably has at least a basic understanding of the technical side of Linux and Linux app installs (there's not telling really, since he is a columnist, and in my opinion the old saying about those who cant teach applies more to columnist than to teachers these days). With that being said, if someone who has at least a basic understanding of Linux has that much difficulty installing something like this, than "Joe Sixpack" isn't going to be able to figure it out either. But this goes into the age old problem with Linux on the desktop, do the developers keep the mentality of "If you don't like it, fix it yourself, its open source", or do they take the mentality of "Well, I can figure it out, and the next developer can figure it out, but can the average person figure it out?" Once OS developers look at it in the later fashion, then we will start seeing real gains as far as usability. IMHO, that's the difference between Computer Science graduates and Information Systems graduates, one sees things in the more technical side, the other sees it in the usability (business wise, if its easier to use and provides functionality, then its more marketable) side. And ill make the assumption that most OS developers are CS people. Id be interested to hear others opinions on this.
"Japanese are more smart "
Especially in grammar....
I've always found this to be an interesting argument and requirement for jobs myself. If a company were an EOE (Equal Opportunity Employer), wouldn't discriminating based on credit history be just as bad as discriminating based on race/ethnic group? I think it can easily be argued that this is yet another racist hiring policy based on the assumption that minority groups would be of lower financial status, which as anyone who got a credit card when they went to college would know is not exactly the case. I think it should be brought to the attention of the ACLU or something, its no more a company's policy what my credit history is than how many dogs I have, what size bed I sleep in, or any other matter that I don't feel they have a right to know. A company's argument that someone's credit history is a check of character is absurd. And since its illegal for creditors to call your job, the argument of distracting phone calls is BS. I agree with the poster, it really is none of their business.
Very little. I have, however, had situations where Ansi C++ compilers would compile a program (very simple console programs mind you), and Visual C++ would not. It would whine about the class definitions and such. Overall though, the sytax is almost the same.