There is always the mean time between failures.
I have a couple of friends who are on their 2nd or 3rd PS2s because of failures.
3. A PS2 doesn't leave the toilet seat up.
:)
Forgot to do the ol' crotch test, huh?
Theo wrote:
Let me be more clear.
This entire thing is being "sold" as a 'cross-vendor problem'. Sure. Some vendors have a few small issues to solve in this area. Minor issues. For us, those issues are 1/50000 smaller than they are for other vendors. Post-3.5, we have fixes which make the problem even smaller.
But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in this regard, and as you can see, they have not yet made an announcement, see..
You are being told "lots of people have a problem". By not separating out the various problems combined in their notice, or the impact of those problems, you are not being told the whole truth.
More Theo:
OpenBSD (and I am sure other systems too) have for some time contained partial countermeasures against these things.
OpenBSD has one other thing. The target port numbers have been random for quite some time. Instead of the Unix/Windows way of 1024, 1025, 1026, ... adding 1 to the port number each time a new local socket is established... we have been doing random for quite some time. That means a random selection between 1024 and 49151. This makes both these attacks 48,000 times harder; unless you already know the remote port number in question, you must now send 48,000 more packets to effect a change.
At least one other free operating system incorporated our random port selection code today.
We've made a few post-3.5 changes of our own, since we are uncomfortable with the ACK-storm potential of the solutions being proposed by the UK and Cisco people; in-the-window SYN or RSTs cause ACK replies which are rate limited.
At least one other free operating system today incorporated the same changes...
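The two countermeasures Theo describes (random ephemeral ports, and a rate-limited ACK instead of a teardown when an in-window RST arrives), modelled in Python as an added example; this is not OpenBSD's code, and the rule that only an RST at exactly rcv_nxt resets the connection, plus the 10/s sustained, burst-20 bucket, are my assumptions. blind_rst_cost reproduces the work factor from the quote for a 64 KiB window.

```python
# Added example, not OpenBSD's code: a simplified model of the two countermeasures
# in the quoted post. Assumptions (mine, not the post's): an in-window RST whose
# sequence number is not exactly rcv_nxt draws a "challenge ACK" instead of
# tearing the connection down, and those ACKs are metered by a token bucket.
import random
from dataclasses import dataclass

RATE, BURST = 10, 20          # challenge ACKs per second, and burst allowance

@dataclass
class Connection:
    rcv_nxt: int
    window: int
    hardened: bool            # False = old behaviour: any in-window RST kills it
    alive: bool = True
    acks_sent: int = 0
    tokens: int = BURST * 1000    # token bucket kept in milli-tokens (integers)
    last_ms: int = 0
    def in_window(self, seq: int) -> bool:
        return (seq - self.rcv_nxt) % 2**32 < self.window
    def ack_allowed(self, now_ms: int) -> bool:
        """Refill RATE milli-tokens per ms, spend 1000 per challenge ACK."""
        self.tokens = min(BURST * 1000, self.tokens + (now_ms - self.last_ms) * RATE)
        self.last_ms = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True
    def on_rst(self, seq: int, now_ms: int) -> str:
        if not self.in_window(seq):
            return "drop"                  # out of window: silently ignored
        if not self.hardened or seq == self.rcv_nxt:
            self.alive = False
            return "reset"                 # exact match (or legacy stack): connection dies
        if self.ack_allowed(now_ms):
            self.acks_sent += 1
            return "challenge-ack"         # in-window guess: ask the real peer to confirm
        return "rate-limited"              # flood: no reply at all, hence no ACK storm

def blind_rst_cost(window: int, port_space: int = 49151 - 1024 + 1):
    """Expected spoofed RSTs to land one in-window hit: (port known, port random)."""
    per_port = 2**32 // window
    return per_port, per_port * port_space

def flood(hardened: bool, n: int = 1000, seed: int = 1) -> Connection:
    """Constructed trace: n RSTs with random in-window seq, one per millisecond."""
    rng, c = random.Random(seed), Connection(rcv_nxt=1_000_000, window=65535, hardened=hardened)
    for ms in range(n):
        if not c.alive: break
        c.on_rst(c.rcv_nxt + rng.randrange(1, c.window), ms)
    return c
```

flood(hardened=True) leaves the connection up after a 1000-packet spoofed burst while only a few dozen challenge ACKs go out; flood(hardened=False) dies on the first in-window packet.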
Someone finally found out they have no business model.
Seems like a lot of people bitching about Ogg support. Didn't see this link posted:
http://wiki.xiph.org/VorbisHardware
*** I am 22, Single and work in technology. (read bling bling)
:D
*** I am fresh out of college (1yr) and don't know how to manage money (read bling bling)
*** I AM your demographic.
And I Demand WAV format.
Give this guy enough blue screens and he'll be begging for penguin.
:)
The author enjoys being a spam zombie also, I'm sure.
I've got an iso for you at http// .... :D
The key is WXY8....
Wow... I wish I didn't have a job. Then I could post longer than 2 fragmented sentences as a reply.
Perhaps all software patches should be about 1GB in size, mostly consisting of random crap, with the little patch embedded deep inside. ;)
:)
I've got dialup, you insensitive clod!
At the very first lecture of the Software Tools and Systems Programming class that I took, we were carefully instructed that the best software tools are small programs that do one thing well and interface cleanly with the other tools. This sounds like a philosophy which is perfectly suited for the Open Source movement: if you have many contributors and they all create one (or several) small programs that do one thing well and interface cleanly with the other programs, a very clean and powerful system can come out of it. And I believe that this has been proven by the durability and longevity of the Unix operating system.
I fully agree that this is a problem. Projects like FVWM have it right, with many different programs (task manager and so on) on top of their core. All modules have their own manpage and are configured in the core or separately.
I believe he said it best:
This entirely misses the point.
I can't find the article on Google right now, but the last time I read about this, in between the reversal of Earth's magnetic poles it turns into a quadrupole or higher order for a couple of hundred years, then it finishes.
Still, we won't lose our magnetic field unless our core solidifies, but a field reversal or a higher order magnetic field will allow different polarization of solar winds and other EM noise that would be different than what we have now. We also might not be as well protected against the solar flares during the sun's cycle.
Time to get my GPS jammer working.
http://www.phrack.org/show.php?p=60&a=13
I've been using Windows for years without a virus scanner, and not once have I found a virus infecting my computer.
So you're the one who wants to sell me V1@gra.
Also, who's to say that this is the source code that will be compiled on the voting terminals?
These are the same arguments for anything you don't compile yourself. Who is really to say that Red Hat RPMs don't have a patch that opens them up? Because they don't show it in the source RPM? Because they're not Microsoft? Sometimes you have to have a little trust.
It may be true that they want people to submit bug reports or other things they see wrong and they will closely look over and patch with their own patch.
[tin_foil_hat]
But with it being e-voting and used for US politics, I wouldn't be too surprised if some gov. agency makes them have a back door.
[/tin_foil_hat]
So instead of getting 1000 emails we get 1000 messages to pick up emails. Then they start spoofing message sends and you have the same exact problem.
The problem is people click on them and it makes them profitable so they continue to do it. 99% of all spam preys on people who want to better themselves in dumb ass ways.
Is there a privacy statement that forbids encrypted email?
I've already got 2 of them. Although the one on the left doesn't work as good. :-)
In IN at my cottage, we call those Japanese beetles. They are terrible. They eat all the leaves on our grapes and there are thousands of them.
Heh, I thought the same way until I landed a great job here. Now I'm stuck :) at least until grad school is done.
Correct me if I am wrong, but doesn't the GPL allow the sale of software? What would be wrong with making your software open source, without including configure files or something of the sort? Just all of the code you wrote. Then sell the binaries, packaged and sealed with support, just like companies do now.
Then you have open-sourced the software. Someone could look at your code and make contributions if they want, and you are still making money.
The great thing about open source isn't the price. It's the ease of mind you can have that they are not hiding anything from you. Or the fact that you can look at the code and create another program that can be fully compatible with the OS program.
Hmm, you have all those companies like eEye and such working nicely with MS to find holes in Windows. Seems like a kind of slap in the face to their credit.
To me, this sounds like a challenge to black hats.
IANAL, but because there are so many other software products that have this, can't it be considered prior art?
What is this from... Bizarro land?