Slashdot Mirror


User: grokBoy

grokBoy's activity in the archive.

Stories: 0
Comments: 31

Comments · 31

  1. Off topic, but ... on Nokia Shows Off Phone with Printable Faceplate · · Score: 5, Funny

    ... I recall hex editing someone's keyboard mappings (Windows) so that the misplaced keys still generated the correct letters.

    Hours of fun, especially for touch typists =)

  2. Re:can't you tell by my ridiculous accent? on French Government Bans Term 'E-Mail' · · Score: 1, Funny

    I don't see what all the fuss is aboot.

  3. Re:Where is the Exploit ? on Exploit Available for Cisco IOS Vulnerability · · Score: 5, Informative

    You can find the original exploit here.

  4. Re:Not surprising (for other reasons) on Study: Wi-Fi users Still Don't Encrypt · · Score: 1
    These days you don't have to be *specifically* targeted, worms and the like will exploit any vulnerable service they come across.

    As far as your friend's firewall causing additional problems, remember the old saying that 'security = 1/usability'.

    Refreshing to see someone with backups too =)

  5. Not surprising on Study: Wi-Fi users Still Don't Encrypt · · Score: 5, Insightful
    In my experience 'new' hardware such as this is always the last thing that people think about when it comes to security.

    With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy person would simply skip over.

    Once it 'works', the majority set-it-and-forget-it - no different to the populace of home users running xDSL without a firewall, or those who never patch their boxes. A quick drive round your local residential area with a copy of Kismet proves this point for anyone with any doubt =)

    On the flipside of the coin, in the corporate world, sales reps, engineers, and other 'road warriors' should really be given this advice from their support teams, and have their machines configured appropriately in advance by someone knowledgeable - they really can't be held responsible for the lack of action by the correct department.

  6. Re:full disclosure on Group Releases Anti-Disclosure Plan · · Score: 1
    "We don't need a law to regulate bug disclosure"

    I agree - but this isn't a law, it's a group of companies deciding that they know best, and trying to force a 'standard' onto everyone else for no particular reason as far as I am concerned.

    Whilst it remains a 'recommended practice' there will be those who will follow it, and those that won't, and all the time it will be completely unenforceable - so what is the point?

  7. Regarding 'taxation' on E-mail Tax As Way Of Preventing Spam · · Score: 1
    But, very soon, the Internet should turn into a penny post, with a levy of 1 cent per letter

    What about us unfortunate not-for-profit types that run huge mailing lists? With reasonable traffic a list maintainer could be spending thousands of dollars per day.

    Traditional 'penny post' is a unicast medium - each letter has only one recipient (unless a specific copy has been made by the sender.) A paper-based mailing list service would no doubt negotiate a special rate with the postal service to lower their costs - the exact opposite of the intended effect of this levy on spammers.

  8. Re:Advisories, more like invatations to exploit on Security-Fix Sendmail 8.12.9 Released · · Score: 3, Interesting

    Well, the Full-Disclosure list that I am involved with was one of the ones that received the premature announcement, but I'm sure you'll agree that even with the follow-up it was far from anything that provided a remote exploit. The tone of the thread seemed to indicate that there was already interest in this 'in the wild' before it was disclosed to the lists in question, in any case. Kudos to the Sendmail team for getting the fix out so promptly.

  9. Too Busy for Secure Code, Unfortunately on Too Cool For Secure Code? · · Score: 3, Insightful
    "Why do we still see these bugs?"

    Well, perhaps it's because of one of the following reasons:

    1) Too many programmers aren't granted adequate debugging time by companies who'd rather get any code to market on time rather than test it thoroughly and miss deadlines.
    2) How many programmers do you know who actually know how to audit code for security issues? How many companies are going to invest time and effort (and money) in hiring these people (or training their own?)
    3) As people learn new languages, do they learn secure practices too? No, they learn how to write functional code. For some, that's enough to get the job done.

    "In an age where processing power is cheap, there's no excuse for a mail client written in C or C++."

    How about portability? Or efficiency? Or the fact that the guys writing the code would rather work on the mail client than go and learn a new language first? If they are writing bad code in a language they have been using for years, why move the problem to an area where they have even less expertise?

    Writing secure code is a black art to many, and we can only hope that peer review and open source will help to spread the word amongst today's developers.

  10. Re:AlJazeera DNS and routing tampered with. on 4l-j4z333ra 0wn3d · · Score: 2, Interesting

    Confirmation of DDOS and DNS issues here (and here).

  11. Re:Solaris packaging on Is RPM Doomed? · · Score: 1

    A quick google reveals that there are already several open source ports of pkgadd/pkginfo etc available for Linux, but with Sun's foray into the Linux market, perhaps an 'official' port will happen sooner than you think.

  12. Re:Too Late? on Open-Source Pioneers Make Bid for .org · · Score: 1

    Alternate roots are fine until you consider the problems caused to services like email with colliding MX records. Which is why we need to subvert ICANN rather than compete with it :-)

  13. Too Late? on Open-Source Pioneers Make Bid for .org · · Score: 5, Insightful
    I think we'd all agree that the current domain name system is pretty messed up, and mostly due to the widespread commercialism of the internet in recent times. The likes of Vixie et al are more than qualified in my eyes, having contributed a great deal to the internet and its inner workings. But to be honest, I think giving them control of .org, or any other existing TLD is too little, too late, because these domains have already been corrupted.

    Just as we have recognised that our current TCP/IP protocol has become outgrown by the online populace, and started to move toward IPv6, perhaps it is time for a full review of the entire TLD set we have on offer. IMHO the current system does not provide a wide enough taxonomy of the sites hosted under them. A .com is not necessarily commercial, .org no longer means non-profit - so why continue with this nomenclature?

    How far we choose to take this is an entirely different debate - perhaps a .gnu is in order for open source projects, for instance. And even if we all agree that the system needs bringing up to code, the commercialism will still stand in the way of any changes.

  14. Re:I believe .org should be controlled by the UN on Open-Source Pioneers Make Bid for .org · · Score: 4, Insightful

    The problem there is sites that begin life as a .org, gain popularity, and become commercial. Are they expected to give up their .org in that case? The equivalent .com may not be available by the time this happens.

  15. Re:Physically lining up... on Augmented Reality Billiards · · Score: 1
    I was always told the way to master pool etc was to picture another cue ball in line with the target, so that it was essentially a straight pot if you struck that imaginary ball directly with your cue.

    Then, hit the real cue ball into the imaginary one.

  16. Re: Hmm .. on Augmented Reality Billiards · · Score: 1

    Sorry, I was trying to be sarcastic. At least this way you should get a +1 informative for your reply :-)

  17. Hmm .. on Augmented Reality Billiards · · Score: 2, Funny

    do you think they'll notice in competitions?

  18. Is It Worth It? on Technology Sectors that are Hot or Heating Up Now? · · Score: 1
    For every company who have jumped on the latest (and greatest?) trend, and regularly use words like SOAP and 'e-Synergy', there will be many more who would like an 'old hand' in one department or other.

    Why not take this time to go back and fill in holes in your knowledge? Maybe you don't know how to do x in a language you use regularly, or you can set something up but can't secure it. This is going to be far more productive in the long run.

    Most of these technologies are so new it is going to be very hard to come across as an 'expert' in these fields because no-one has had enough real-world experience of them yet. Consolidate what you know.

  19. Re:pornography on Technology Sectors that are Hot or Heating Up Now? · · Score: 1
    Shouldn't that be:

    Step 1: Satisfy people's base urges in an easy and discreet manner.

    Step 2: We don't know

    Step 3: Mega-Profit

    ???

    :-)

  20. Re:Here's a review... on Web Database Applications with PHP & MySQL · · Score: 1
    I don't think that was a troll, to be honest. I'd rather write a decent perl script any day.

    PHP worries me in its complexity - with that many compile-time options to choose from there are bound to be many more security holes around the corner in some of the more obscure code.

    That's not to say I disapprove of PHP, I just wouldn't use it myself.

  21. Network Cards! on Father's Day, Geek Style? · · Score: 1
    Last year, I sent this mail to staff:

    "Dear All,

    Why not treat your loved ones this Father's Day with a free network card! Stocks are limited, so hurry!"

    Not only did I get rid of all those horrible Realtek cards that had been sitting in a box somewhere, but also several 100m of coax cable that was gathering dust.

    The ensuing fight over the terminators was quite amusing too....

  22. Re:talk to your MP on UK Government Expands Spying Powers · · Score: 2, Insightful
    When RIP was on the horizon, I exchanged several communications with Richard Burden, MP. Despite the fact that he did actually answer my letters, there was very little actual substance to what was said.

    What you must do, I learned, is to ask your MP who exactly is involved in the implementation of these plans, and talk to them directly. This eliminates a layer of obfuscation and lets you put more political pressure on the culprits.

    Despite all the outcry, it still went ahead. I'd put money on the same happening again. Our current government is very much about doing what they want whether we want it or not, I'm afraid.

  23. Build It! on Sicilian Suspension Bridge to Go Ahead · · Score: 2, Interesting
    "But Italy's Green Party said it was ridiculous to spend such astronomic sums on the bridge when many Sicilians remained without a proper water supply and the island's roads are badly in need of modernisation."

    Well, call me idealistic, but surely the building of the bridge itself will bring jobs to the area in the short term, and allow greater communication/commuting possibilities for Sicilian residents when completed?

    This, therefore, will bring in wealth to the area - and hopefully the improvements that are needed will follow suit. However, the decision to fund this project through the use of tolls may impact on its success, at least from the Sicilian side.

  24. Wizards on Calling All Dungeon Masters · · Score: 2, Funny
    "All one page submissions that meet the requirements will be reviewed blindly by a panel of Wizards experts."

    Will they be casting a sight spell at some point, or relying on braille, I wonder ...

  25. Re:This happens in industry, too on FreeBSD 4.6 Release Delayed · · Score: 1
    This is the difference between 'consumer' software and 'professional' software - we've come to expect x new features and x new bugs with every release of say, MS Word, and they are probably not showstoppers. Plus the vendor is probably planning a big advertising campaign so the software has to be ready.

    But on the flipside, people who need software like Veritas are using it predominately in mission-critical environments, and would probably agree that quality outweighs release timeliness. It's all very well getting it right on schedule, but if you then lose your entire storage network due to a few bugs, you'll wish it had been delayed in the first place.

    In fact, I'd hypothesize that most non-free software that ships on time is driven purely by commercialism and a desire to get to market before the competition, rather than a real desire to keep the user base happy.