09/19/2003
VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned .com and .net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices from frustrated network administrators.
"There is a lot of fiction about the actual technology and the service," VeriSign spokesman Brian O'Shaughnessy said. "What we are doing is trying to determine fact and fiction and we're doing so by reaching out to the technology community and helping them to understand exactly what is fact and fiction."
VeriSign would not disclose what changes it might make to address technical complaints about its SiteFinder service.
O'Shaughnessy said the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."
VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way. That can snarl anti-spam mechanisms that check to see if the sender's domain exists, complicate the analysis of network problems and possibly even pollute search engine results. Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions.
In response, the Internet's technical community has developed a patch to BIND, the workhorse utility that implements the Domain Name System protocols. It's designed to counteract VeriSign's change by blocking traffic to its SiteFinder site and returning the same "domain not found" error message as before.
When asked why VeriSign did not inform the Internet's technical organisations of the change in advance, O'Shaughnessy replied: "There's not much I can add except to say that our testing and the resources we've applied toward this have been in accordance with prevailing industry standards for new products and services."
Neither the Internet Corporation for Assigned Names and Numbers (ICANN), which in principle oversees VeriSign's actions as a domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign that grants it a government-granted monopoly over .com and .net, has responded to repeated requests for comment since Tuesday.
O'Shaughnessy said there's no need for any outside organisation to get involved. "There's some religiousness that's been brought to bear here besides the technical reality," he said. "We're fully compliant with every RFC," O'Shaughnessy said in reference to the technical standards that govern the Internet.
Original article: http://www.zdnet.com.au/newstech/ebusiness/story/0,2000048590,20278764,00.htm
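The behaviour the article describes (a TLD answering every unregistered name with a synthesized address instead of "domain not found") and the two defensive responses it mentions (an anti-spam sender-domain check that is not fooled by synthesized answers, and a resolver-side filter in the spirit of the BIND patch), worked through as an added example. This is not code from the article, from VeriSign or from the BIND project; the two TLD server stand-ins, the addresses, the `delegation_only` rule and the function names are constructed assumptions, and everything runs offline against that constructed data.

```python
import secrets
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One simplified resource record: owner name, type and rdata."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """A simplified DNS response: rcode, AA bit and the two sections used here."""
    rcode: str                                    # "NOERROR" or "NXDOMAIN"
    aa: bool                                      # answered authoritatively by the TLD zone itself
    answer: list[RR] = field(default_factory=list)
    authority: list[RR] = field(default_factory=list)


# Constructed placeholders (RFC 5737 documentation range, example names):
SYNTH_IP = "192.0.2.1"      # where a wildcard TLD record sends every unregistered name
REFERRAL = RR("example.com.", "NS", "ns1.example.com.")   # a normal delegation


def wildcarded_tld_server(qname: str) -> Response:
    """Constructed stand-in for a TLD that synthesizes an A record for any
    unregistered name instead of answering NXDOMAIN."""
    if qname == "example.com.":
        return Response("NOERROR", aa=False, authority=[REFERRAL])   # ordinary referral
    return Response("NOERROR", aa=True, answer=[RR(qname, "A", SYNTH_IP)])


def honest_tld_server(qname: str) -> Response:
    """Constructed stand-in for the pre-change behaviour: NXDOMAIN for unknown names."""
    if qname == "example.com.":
        return Response("NOERROR", aa=False, authority=[REFERRAL])
    return Response("NXDOMAIN", aa=True,
                    authority=[RR("com.", "SOA", "ns.placeholder.example.")])


def random_probe(tld: str) -> str:
    """A long random label under the TLD that no registrant plausibly owns."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(24)) + "." + tld


def wildcard_sentinel(server, tld: str) -> set[str]:
    """Addresses the TLD returns for a name that cannot exist. An empty set means
    the TLD still answers NXDOMAIN, i.e. no wildcard is in effect."""
    resp = server(random_probe(tld))
    if resp.rcode == "NXDOMAIN":
        return set()
    return {rr.rdata for rr in resp.answer if rr.rtype == "A"}


def sender_domain_exists(server, domain: str) -> bool:
    """Anti-spam style existence check for a sender domain, hardened so that a
    wildcard TLD cannot make every misspelt or invented domain look registered."""
    tld = domain.split(".", 1)[1]                 # "foo.com." -> "com." (one-label TLD assumed)
    resp = server(domain)
    if resp.rcode == "NXDOMAIN":
        return False
    addrs = {rr.rdata for rr in resp.answer if rr.rtype == "A"}
    sentinel = wildcard_sentinel(server, tld)
    # Answered only with the wildcard's own addresses: treat the name as nonexistent.
    if addrs and addrs <= sentinel:
        return False
    return True


DELEGATION_ONLY_ZONES = {"com.", "net."}


def delegation_only(qname: str, resp: Response, zones=DELEGATION_ONLY_ZONES) -> Response:
    """Resolver-side filter in the spirit of the BIND patch the article mentions
    (this rule is an assumption for the example, not BIND's code): a TLD zone
    marked delegation-only may only delegate (NS referral) or deny (NXDOMAIN),
    so an authoritative answer carrying other data straight from the TLD is
    treated as synthesized and rewritten to the NXDOMAIN resolvers used to get."""
    parent = qname.split(".", 1)[1]
    synthesized = (parent in zones and resp.rcode == "NOERROR" and resp.aa
                   and any(rr.rtype not in ("NS", "SOA") for rr in resp.answer))
    if synthesized:
        return Response("NXDOMAIN", aa=True, authority=resp.authority)
    return resp


def resolve(server, qname: str) -> Response:
    """Query a TLD stand-in and apply the delegation-only filter to its reply."""
    return delegation_only(qname, server(qname))


if __name__ == "__main__":
    for name in ("example.com.", "nosuch-domain-xyz.com."):
        print(name, "exists:", sender_domain_exists(wildcarded_tld_server, name),
              "filtered rcode:", resolve(wildcarded_tld_server, name).rcode)
```

The sentinel approach is what a mail filter can do on its own: probe a random label under the same TLD and refuse to treat a domain as real when it resolves only to the wildcard's addresses. The delegation-only filter belongs in the recursive resolver and is scoped per zone, so a name under a TLD that is not listed passes through unchanged.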
I have found that you can file a LOT of stuff under Miscellaneous.
Also, if you start creating sub-folders under deleted items to categorize your trash, you need professional help.
At the press conference, The National Aeronautics and Space Administration (NASA) will announce that they are changing their acronym to: "Needs Another Seven Astronauts."
Question: What if, during the course of discovery or another time, you find that the code was originally under the GPL?
Answer from attorney: "...well, let's use an example. Let's say you have a hundred files, and you put one of your hundred files under the GPL. That doesn't mean you've lost the rights to your other 99 files. So I don't think it's going to have an impact."
So, I guess that means that if lines of 'their' code are used in, say, 20 files used in Linux - where Linux has thousands of files - that this gives SCO the right to ALL OF LINUX?!!
The babbling of this lawyer is comical. You can tell he's trying to defend an issue on some pretty thin claims.
Here is his "Lawyer Profile" from the Boies, Schiller & Flexner LLP:
Mark J. Heise is a partner in the Miami, Florida office. His main practice areas are complex commercial litigation and class actions.
Since joining Boies, Schiller & Flexner LLP, Mr. Heise has represented The SCO Group in its significant intellectual property claims involving the licensing of the UNIX source code. A case that has become increasingly difficult to pursue ever since he broke the lead on his pencil. Mr. Heise is also involved in numerous class actions, including as lead counsel in a case against the City of Miami on behalf of persons who paid an unconstitutional parking tax.
A lawyer that is fighting the world on the use of 'unlicenced Linux' products while simultaneously fighting parking tickets. Sounds like a winner to me!
A PhD in Computer Science is the most worthless degree if you are planning to get a job in the IT industry. The only thing a PhD is good for in the computer industry is doing research and being a professor at a university, or doing research for companies that can afford to have a PhD on their R&D team.
My brother got his PhD from the University of Minnesota. He is now a professor at Tulane University in New Orleans. He teaches 3 classes a year, and the remainder of his time is performing research and writing papers. He does get paid very handsomely for it, I must say. He stated that when he was going to school, he was basically dedicating his life to one of working in academia.
Outside of Academia, a PhD in Computer Science is not a very valuable degree.
However,
I once had an employee that had dual masters degrees in Geology and Information Systems. He got his degree in Geology, then realized that he couldn't feed a family as a geologist (unless he wanted to feed them rocks). So he got his MIS degree. He couldn't find a job ANYWHERE (so I hired him :) ).
It wasn't long before I got him in touch with someone from Texaco Oil Corp. where we got him an interview and now he is working for Texaco, making 6 figures, helping them develop new methods for using computers in searching and drilling for oil.
So, my advice would be that if you get a Ph.D. be prepared to work in a research role. A second degree in a complementary field might work better for you. If you choose a second degree, use that degree to get you into the IT industry in a particular field you're interested in.
This is really interesting. Worms have been released to exploit machines and spread. This is the first known worm to actually try and repair damage.
There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudos to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?
Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.
The whole internet worm thing has become rather boring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.
Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.
I know, this goes against everything /. stands for, but I read the article and now I'm posting.
Is it me or is Cringely a bloomin idiot? He starts off talking about outsourcing then Apple, then back to India. He states that using more Macs in the office would decrease TCO without giving any numbers or any statements to back up that opinion. And it isn't even his opinion! He got the idea from a reader, no less!
Macs reduce IT head count while Linux probably increases IT head count, simple as that.
I didn't come up with this very smart idea, it came from a reader.
Whomever gave this guy a pulpit needs to be shot. This guy obviously uses a Mac.
The entire power grid is managed by an extensive SCADA network. SCADA (supervisory control and data acquisition) networks monitor the operation of power grids and other networks such as water tank levels and other utilities, etc.
I know that SCADA networks run on Wintel based machines and use RPC services. I'm wondering if the power grid didn't actually get hit by the updated RPC/DCOM worm that's been going around.
It is my general feeling that the power failure could be SCADA related. If it was an attack or an accident I do not know, nor do I think the appropriate information will ever be released to the public.
Just my speculation, I'm not trying to start any conspiracies here.
I predict that Microsoft Windows 2013 Server will lock up when you sneeze, get exploited diurnally, and they'll still claim that security is their #1 priority.
I've recently done some security work for a large collection agency. I asked him what they do when they get someone on the line who is the victim of identity theft. He stated that they [the debtors] all say that they're innocent victims of identity theft; it's become the excuse du jour. Therefore they treat each collection as though it's a legitimate debt and that *you* are the legitimate debtor.
Once you've been a victim, the onus is on you to clear it up. The difficulty is that once 'Joe Sixpack' discovers he's had his identity stolen, the credit cards are already 90 days past due. The only way to clear up the credit report at that point is to produce irrefutable evidence that you were actually a victim, and not a deadbeat debtor. So here's the rub: it is nearly impossible to collect that proof 90 days after the crime. (I swear, that's not my signature!)
Nobody wants to help you, because true deadbeat debtors are claiming victim status as well. Credit card companies won't help, they want their money. Essentially, nobody is on your side. When you have finally obtained irrefutable evidence, you must prove and prove again to every entity your victim status: the credit card company (or whomever the debt is owed to), the company that is holding the debt (collection agencies) et al., and THEN you must convince the Credit Bureaus (all three of them).
This is why getting the ID stolen is such a pain. I know, I was once a victim.
Switching gears here...
I performed a security audit on a College last year. I was horrified to discover that even today they are using the students' Social Security Numbers as the Student IDs. I realize this is nothing new, but the fact that this information is used in such an open forum is staggering. Professors post student grades on tests under the "Student IDs" so you don't know who got the A's, and who got the F's. Take that list of SSNs, correlate to names, figure out where they live and you've got a whole slate full of pristine credit reports.
The examinations of the code so far indicate that the worm is coded to DoS the windowsupdate site from the 15th of August onwards through the end of the year.
The question now becomes: should we really worry about stopping this?
The security community has been saying for nearly a month that people needed to update their machines. We watched as the hacker community perfected their code for the RPC/DCOM vulnerability and posted their work on hacker sites and discussion groups. Yet the more we begged and pleaded people to update their machines, the more I heard "Aw, they're just hyping the FUD factor."
Suffice it to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advice based upon information that is going around in the security community.
When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legitimate. If it's legit, it'll pay to listen.
1) Go to Microsoftsucks.org and get a free anonymous email address.
2) Next, go to No-ID.com, an anonymous remailer that masks the source of emails.
3) Email messages to the college and software creators, notifying that they have 2 months to fix the problem before you post the vulnerability to the Full Disclosure mailing list.
They will be able to reply to your emails using the remailer service. You WILL remain completely anonymous and your integrity will never have an opportunity to be called into question.
This is a debate that has been taking place in the security industry for some time now: does Full Disclosure hurt or help the industry? I am of the position that full disclosure helps.
If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.
If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.
I say the medicine is bad, but the disease is worse. Full Disclosure is the medicine, bad coding the disease.
We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times: requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.
It was only after being repeatedly beaten over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.
Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard-earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.
I just barely got down the practice of having cyber while typing with one hand... You mean to tell me that I'm now going to have to cyber using MORSE CODE!?
On the other hand, when typing with a keyboard my hand has to search around for the keys when typing single handedly. With morse code, I can pound out the cyber love code with one finger, or a toe. Imagine the possibilities!
Being a computer expert, there was one line in the movie that just drove me nuts. "The virus is spreading, but the firewalls are holding up!"
When the 'internet' was becoming self-aware I just sat there and shook my head and thought, no way in hell would this ever happen with Microsoft products running on 80% of the machines out there... but then I remembered Clippit.
We don't need to worry about Skynet or whatever, we just need to obliterate that fucking paper clip and we'll save the world.
They probably use WD40 or 10w30 for massage, and wheel bearing grease as anal lube.
I can just see a patient dying because they went out of cell phone range.
Just go into the document properties section. This is why I publish everything to Adobe Acrobat before posting online.
Just put cellophane over your head, be sure to cover your nose and mouth.
Stare at your laptop screen and it'll start spinning & rotating. It doesn't work for very long though. My frags dropped after a bit, dunno why.
This explains why so many of the vegetarians I've met are such fucking idiots!
Can you say, touché?
Regardless, people, patch your *#&($*@& machines!
Screw this, I'm getting a webcam...
Leave it to NASA and the government to research the hell out of what is a painfully obvious cause to the accident.
Rumor has it that NASA is changing its acronym to "Needs Another Seven Astronauts"...
I worked my ass off for Cowboy Neal and all I got was this lousy T-Shirt.
I wrote this late at night last night when I was quite tired. I'd just come home from the opening of Terminator 3 (a pretty good flick).
Cheers!