The two big differences are that in this attack I can't exploit it as easily over the network and that the default case is secure on Linux so developer have to go out of their way to make themselves insecure (although a lot do, because it is the most "obvious" way to change the location from which libraries are loaded).
Nmap does what it does very well. It would be a strange day that I stop using it for pentesting, in fact more likely I'll adopt some of the other tools the project has developed. Ncat in particular sounds great simply because it unifies multiple functions I currently use from other tools. The other thing I like is the NSE, great for quickly cooking up a scanner for 0day threats as we saw with Conficker check they produced.
If you want a Free Software vulnerability scanner, then support OpenVAS. The project is making quiet progress (cleaning up the code base, redesigning the architecture and most importantly adding new NVTs) and has just had a second DevCon in Germany with 16 developers from 4 continents making the trip. Nothings ever perfect but it now has NVT that are not in Nessus so if you're not using it, you're probably missing out. It's worth noting that we at OpenVAS like the nmap developments so much that a couple of the OpenVAS developers are looking to actively contribute and we're considering libnmap as a replacement for the rather fragile port / service discovery functionality we inherited.
Imagine if/. servers got seized everytime someone saw fit to post comments with the addresses related to the "bad guy" in response to a story. Indymedia had already pulled said comments, does/. even have such a facility? I find some of what gets put on Indymedia to be massively disagreeable, OTOH I'm not a big fan of servers being pulled at random either.
I know of efforts in this regard that date back 3 years or so, although I'm not aware of whether these projects are still online. There are some good discussions about the idea at http://ibneko.livejournal.com/668715.html and http://www.dragoslungu.com/2007/06/22/google-md5-hash-search-engine/. My interest is that I'm attempting to get Google to index such hashes at http://www.nth-dimension.org.uk/utils/ghash.php. In my case I'm actually attempting to get Google to cache my hashes to minimise my storage costs as rainbow tables take a fair bit of disk space to store although the idea hasn't been particularly successful due to Google algorithms:(.
I find it amusing that the author of this story attributes the misunderstandings to the fact that the operator may be an Indian. It's just as likely that it's due to him being an American. English is an international language and as such both oral and written English can be expected to vary between regions. Hell, as an Englishmen I could rag on the poor spelling many Americans have (it's colour m'kay), but I'd be wrong to do so.
Not just in CSS URL attributes tags actually, see Misunderstanding Javascript injection. Interesting to note that this appears to have been fixed in IE 7, although I haven't carried out any detailed testing yet.
Funny, I've met folks from Newbridge who now work for Alcatel who seemed fairly happy with the arrangements. Also, when they took TiMetra and their product became the base for Alcatel's 7750 SR range, Basil Alwan, the CEO of TiMetra ended up heading Alcatel's IP division.
You forgot "make exceptionally good high end routers". Service routers that can work at layers 2 and 3, excellent HA capabilities that are ideal for building large MPLS clouds. Having had the pleasure of testing these babies, they rock! And they sell pretty well too.
You're comparing average term against maximum proposed term. Look at it this way, in theory a DoS or system compromise may cost millions of pounds worth of damage or could result in the loss of life.
Now in an ideal world, the legal system would use existing fraud, theft and manslaughter laws to convict said attacker, but since politicians aren't as clueful of computing as/. geeks they deem to offences to be somehow different.
From a technical perspective, "../" is clearly understood to be a method of directory traversal which is a known class of vulnerability. However he did more than that as I understand it.
I agree justice wasn't done, but the law (as it stands) was enforced correctly. This was reflected during sentencing and is what gives rise to the statement "The law is an ass". This is actually one of the reasons the law needs updating.
The new bill give more precise definitions of what should be considered illegal (which I support) but doesn't go far enough in discussing intent or server operators obligations in defining unauthorised access.
That's not exactly what happened... In that case, the individual concerned acknowledged that he tried things that could be construed as an attempt to compromise the system. The judge acknowledged that his intent wasn't to cause loss, but could not find him innocent and as a result gave him the most lenient sentence he could. In relation to this new law, I think the intent aspect could do with clarification.
As a UK pen tester and developer of security software, this bill directly affects me. My initial response was outrage, but having discussed this with colleagues over the last month or so, I can see the counter point that UK computer security law is in need of updates.
Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that providing that you can demonstrate that you wrote the tool in good conscience for reasons other than the compromise of systems without authorisation then you'll be okay.
Having said this, personally I'll be pressing my bosses for a precise legal explanation of the consequences of these changes to the law in relation to the work I'm currently engaged in.
Slashdot Mirror
You can check out a blog post I wrote on a similar attack that could be used against Linux (and other POSIX-alikes):
http://www.nth-dimension.org.uk/blog.php?id=87
The two big differences are that in this attack I can't exploit it as easily over the network and that the default case is secure on Linux so developer have to go out of their way to make themselves insecure (although a lot do, because it is the most "obvious" way to change the location from which libraries are loaded).
Disclosure: I am an OpenVAS developer...
Nmap does what it does very well. It would be a strange day that I stop using it for pentesting, in fact more likely I'll adopt some of the other tools the project has developed. Ncat in particular sounds great simply because it unifies multiple functions I currently use from other tools. The other thing I like is the NSE, great for quickly cooking up a scanner for 0day threats as we saw with Conficker check they produced.
If you want a Free Software vulnerability scanner, then support OpenVAS. The project is making quiet progress (cleaning up the code base, redesigning the architecture and most importantly adding new NVTs) and has just had a second DevCon in Germany with 16 developers from 4 continents making the trip. Nothings ever perfect but it now has NVT that are not in Nessus so if you're not using it, you're probably missing out. It's worth noting that we at OpenVAS like the nmap developments so much that a couple of the OpenVAS developers are looking to actively contribute and we're considering libnmap as a replacement for the rather fragile port / service discovery functionality we inherited.
Imagine if /. servers got seized everytime someone saw fit to post comments with the addresses related to the "bad guy" in response to a story. Indymedia had already pulled said comments, does /. even have such a facility? I find some of what gets put on Indymedia to be massively disagreeable, OTOH I'm not a big fan of servers being pulled at random either.
No, that's an off by one...
What about this case - http://www.indymedia.org/fbi/ - or is it okay when it's friends in the war on terror?
DNSMasq?
I know of efforts in this regard that date back 3 years or so, although I'm not aware of whether these projects are still online. There are some good discussions about the idea at http://ibneko.livejournal.com/668715.html and http://www.dragoslungu.com/2007/06/22/google-md5-hash-search-engine/. My interest is that I'm attempting to get Google to index such hashes at http://www.nth-dimension.org.uk/utils/ghash.php. In my case I'm actually attempting to get Google to cache my hashes to minimise my storage costs as rainbow tables take a fair bit of disk space to store although the idea hasn't been particularly successful due to Google algorithms :(.
The irony of the situation is that the German government actively sponsors work on security tools such as GPG, OpenVAS, BOSS.
I find it amusing that the author of this story attributes the misunderstandings to the fact that the operator may be an Indian. It's just as likely that it's due to him being an American. English is an international language and as such both oral and written English can be expected to vary between regions. Hell, as an Englishmen I could rag on the poor spelling many Americans have (it's colour m'kay), but I'd be wrong to do so.
Here in the UK, under the Police and Justice Bill, I'd be breaking the law by "Making, supplying or obtaining articles for use in offence under section 1 or 3". Section 1 and section 3 are references to the preexisting Computer Misuse Act of 1990. The implications of a statement like that are scary.
Well, you can write plugins for Konqi, be they DCOP based service menus ala konqil.icio.us, or direct C++ extensions ala Digg.com plugin for Konqueror.
Rather than be disappointed he discloses the vulnerabilities he is working on.
Maybe they could farm it out to the mechanical turk...
Seriously though, is it not the problem that so many FOSS projects rely on FN, a network what relies on a single point of failure to survive?
Not just in CSS URL attributes tags actually, see Misunderstanding Javascript injection. Interesting to note that this appears to have been fixed in IE 7, although I haven't carried out any detailed testing yet.
No, Sun's DReaM project.
Funny, I've met folks from Newbridge who now work for Alcatel who seemed fairly happy with the arrangements. Also, when they took TiMetra and their product became the base for Alcatel's 7750 SR range, Basil Alwan, the CEO of TiMetra ended up heading Alcatel's IP division.
You forgot "make exceptionally good high end routers". Service routers that can work at layers 2 and 3, excellent HA capabilities that are ideal for building large MPLS clouds. Having had the pleasure of testing these babies, they rock! And they sell pretty well too.
You're comparing average term against maximum proposed term. Look at it this way, in theory a DoS or system compromise may cost millions of pounds worth of damage or could result in the loss of life.
/. geeks they deem to offences to be somehow different.
Now in an ideal world, the legal system would use existing fraud, theft and manslaughter laws to convict said attacker, but since politicians aren't as clueful of computing as
Most people? Got statistics (and I don't mean votes carried out by The Sun) to back this up.
From a technical perspective, "../" is clearly understood to be a method of directory traversal which is a known class of vulnerability. However he did more than that as I understand it.
I agree justice wasn't done, but the law (as it stands) was enforced correctly. This was reflected during sentencing and is what gives rise to the statement "The law is an ass". This is actually one of the reasons the law needs updating.
The new bill give more precise definitions of what should be considered illegal (which I support) but doesn't go far enough in discussing intent or server operators obligations in defining unauthorised access.
That's not exactly what happened... In that case, the individual concerned acknowledged that he tried things that could be construed as an attempt to compromise the system. The judge acknowledged that his intent wasn't to cause loss, but could not find him innocent and as a result gave him the most lenient sentence he could. In relation to this new law, I think the intent aspect could do with clarification.
As a UK pen tester and developer of security software, this bill directly affects me. My initial response was outrage, but having discussed this with colleagues over the last month or so, I can see the counter point that UK computer security law is in need of updates.
Given that the UK government runs a scheme for accreditation of pen testers and that this bill has been drafted in consultation with industry leaders, I feel it is unlikely that our activities will be deemed illegal. My understanding is that providing that you can demonstrate that you wrote the tool in good conscience for reasons other than the compromise of systems without authorisation then you'll be okay.
Having said this, personally I'll be pressing my bosses for a precise legal explanation of the consequences of these changes to the law in relation to the work I'm currently engaged in.
No, that's American football. You know, the one the rest of the world doesn't give a stuff about.
Cookies.... screw cookies, XSS is about so much more. As an example how about clipboard stealing, unfixed by Microsoft since 2002. :)