You know, this is pretty interesting. As we know, ElcomSoft had all or some (I can't remember) of their website hosted in America. They may have known that, but will everyone? If a Russian (or French or Japanese or whatever) registered company is providing web hosting services from Russia but colocating in the states, how is a customer to know where their data physically resides (aside from tracking down the IP's physical location)?
The internet, in a lot of ways, is a huge mesh. I live in Tokorozawa, Japan, but my domain is hosted in the states (I'm not even sure where - Florida I think). Does my content fall under the DMCA even if I setup through a Japanese company, pay in yen, and admin through a.jp URL?
aproxy - looks a little too simple, but it's perl! (English can be found via babelfish.)
tcpproxy - This one seems the most complete and designed for a firewalling environment.
I found a whole slew of different app "level" proxies (Quake, POP3, etc.), but most seemed a bit basic. Some of the POP3 ones were cool (proxy auth support).
I was not able to find a good udp proxy - with multi-source/multi-destination (proxy with an ACL). I've a small local port udp redirector (I have no idea where I got it) that I use on my home network, but it's not something I could use at work. So... there ya go.
Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).
Where can these be found?
Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this funationality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.
If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??
WOW! Now maybe someone will create a "learning" game that will teach congress that they can't take money from the MPAA/RIAA/etc. and give them whatever they want.
Soon to follow this game's release - a "learning" simulation for the Patent Office (just guess)!
If Gore was given the election (he did win it, but he wasn't given the keys) would this case have been settled? If it were settled, would it have been so generous? (Even with the current changes, it is a sweetheart deal.)
Please. If if if if if... I thought we were done with this whole "If Gore won, the world would be perfect and rosey" bullshit. M$ was handing out cash to any fed who would take it, regardless of party affiliation. If Gore won, I seriously doubt ANYTHING would be different - and you can't prove otherwise.
BTW - I don't agree with this settlement either (in fact, I'm quite pissed about it). You're letting your political bias get in the way of any chance of clear thinking. I can't believe you were mod'ed to a 5 (currently), but I'll understand if I'm mod'ed to a -1.
Hasn't this been done to death by now? Why does this subject keep rearing its ugly head? I have friends (flesh and blood) and my friends have friends. Guess what? I bet my friends' friends have friends. Etc. etc. etc...
I think everything will be ok. Katz, you're (still) an over-hyping windback!
Real learning is demonstrated by the ability to teach, and communicate in a logical manner those principles and skills that comprise the coursework.
Coursework. OK. I see where you're coming from. I think Kyrex is coming from the real world, though. I think he's interested in furthering his career and not his mastery of the coursework. But... if you define true learning that way...
Kyrex obviously wants a "real" degree, but you suggest he cannot by testing out of courses. BULLSHIT. A degree is nothing more than a certificate -- period. MORONS get degrees everyday. Some of these MORONS are Ph.D.s and M.D.s. Did they get this "real" education you mentioned?
Kyrex: CLEP out of every course you can. The American university system is a money grubbing pig bastard. If you can get a fast-track to a BA or BS, DO IT. You'll save yourself some heartache and money.
FULL DISCLOSURE is a must in my opnion. If the "good guys" know about a vulnerability, the "bad guys" know or will know soon. Sitting on these announcements is shite. Let me know my 14 FTP servers are vulnerable. I don't care if a patch is available or not. At least I know and can relate this risk to my management. I'll let them decide what we should do (to include killing the servers until a patch is available or moving to an alternative).
SHITE. The "security community" scares me on this one. They chose to let a remotely exploitable (root?) vulnerablity ride for a week. A WEEK! Unbelievable!
Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.
I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)
So many security problems exist at so many different levels, it's amazing no major infiltration has occured (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatos (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, and etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.
I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email.
Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guaruntee it is not being followed at most DoD installations.
I've said this in many previous posts on/. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a governement CONTRACTOR not an EMPLOYEE); Training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.
It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!
What do you know? A canned response. I got the same reply.
--
From: Jeanne Fourie "jeannef@thawte.com"
To: Michael E. C. Gauthier "gauthier@LICKDEEZNUTZ.mindless.com"
Subject: Re: No longer be issued to individuals???
Date: Mon, 29 Oct 2001 14:33:53 +0200
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
Hi Mike
Thank you for emailing me with regard to your concern. Due to the
current international threat of terrorism we have been advised by our
parent company VeriSign to refrain from issuing developer certs to
individuals, for the mean while.
As you will be aware, there is a need right now for companies like
ourselves to be extremely cautious in all aspects that concern security
and encryption.
Developer certs are issued to individuals based on verification of
passports and drivers licenses. These documents are however easily
forged and we have therefore had to take the executive decision of not
issuing certs where the verification process may be questionable.
We are positive that we will be able to resume this service in the near
future. I do apologize for any inconvenience that this may have caused
you.
You know, I'm always amazed at how quickly people resort to personal attacks. I attacked, if you even want to call it that, the GAME CUBE. Not you, your people, your tribe, or even your whore of a mother... oh wait, that would be a personal attack -- sorry about that.
It must have felt good calling me dim and retarded as an Anonymous Coward. I guess the AC title sort of fits you.
...and, in my opinion, it's ASS. I was in a Toys-R-Us last night in Saitama watching the kids play. Sure, it looks better than the N64, but same shit, different console. I felt the same way about the PS2. A-S-S! FPS and Strategy games are me. Luigi, racing, and stupid Anime adventures... umm... NO!
Yeah, but that doesn't prove a cover-up. Perhaps the gov bought all the satellite imaging simply to acquire maximum visibility into that region. Their blocking the ability of anyone else to buy them was probably just a move to, in fact, protect national security. The likes of CNN and the rest of the media whores will show damn near anything, regardless of the impact on U.S. intelligence. Hell, the damn congress can't even keep its collective mouths shut. What makes you think anyone else can?
>Yes, there's no way that dedicated terrorists would bother to watch arabian news stations that do broadcast this stuff.
Ummm... I'm curios. Is this sarcasm? Are you suggesting there is a movement in the U.S. government to cover up any opposing views of what's happening in this "war".
> They made it clear that they were unhappy that the networks were showing this stuff and implied that they those doing so were putting their own greedy motives above the safety of Americans. The media are obviously being unsufficiently patriotic.
I think I agree with this comment, but I'm still unsure it's not sarcasm? I'm really not trying to be an ass, I'm just a little confused. Then again, I'm confused often when reading/.
The military already has NIPRNET which is encrypted but relies on public internet channels
Gotta correct you here. The NIPRNET is NOT encrypted (while WAN links may be, this is bulk encryption to secure all data that may be muxed down one line). The NIPRNET is accessable from the internet, but it is a completely seperate network. There are several (growing all the time, unfortunately) internet/NIPRNET demarcation points control by DISA (Defense Inforamtion Systems Agency). These make the NIPRNET accessible by and part of the internet, however, these can be shutdown to create a completely independent network.
Slashdot Mirror
You know, this is pretty interesting. As we know, ElcomSoft had all or some (I can't remember) of their website hosted in America. They may have known that, but will everyone? If a Russian (or French or Japanese or whatever) registered company is providing web hosting services from Russia but colocating in the states, how is a customer to know where their data physically resides (aside from tracking down the IP's physical location)?
The internet, in a lot of ways, is a huge mesh. I live in Tokorozawa, Japan, but my domain is hosted in the states (I'm not even sure where - Florida I think). Does my content fall under the DMCA even if I setup through a Japanese company, pay in yen, and admin through a .jp URL?
OK... apparently, I am a moron... well, maybe not a moron, but LAZY. I got off my arse and did some poking around. Look what I found.
I found a few application level proxies -
OpenGateKeeper H.323 Proxy
ftp.proxy - This looks very well done.
smtp.proxy - done by the same guy as tcpproxy below.
For the generic tcp proxy -
nportredird - This looks very promising.
aproxy - looks a little too simple, but it's perl! (English can be found via babelfish.)
tcpproxy - This one seems the most complete and designed for a firewalling environment.
I found a whole slew of different app "level" proxies (Quake, POP3, etc.), but most seemed a bit basic. Some of the POP3 ones were cool (proxy auth support).
I was not able to find a good udp proxy - with multi-source/multi-destination (proxy with an ACL). I've a small local port udp redirector (I have no idea where I got it) that I use on my home network, but it's not something I could use at work. So... there ya go.
Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).
Where can these be found?
Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this funationality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.
If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??
Will it make use of "force feedback?"
We can only hope!
PATENT OFFICE: gives stupid patent to XYZ Inc. on "their" method of powering on a PC using a unique device called the "power button".
FORCE FEEDBACK: ZZZZZWAPP!
PATENT OFFICE: OUCH! Uhhhh... nevermind. Our mistake. Repeal that last patent.
WOW! Now maybe someone will create a "learning" game that will teach congress that they can't take money from the MPAA/RIAA/etc. and give them whatever they want.
Soon to follow this game's release - a "learning" simulation for the Patent Office (just guess)!
If Gore was given the election (he did win it, but he wasn't given the keys) would this case have been settled? If it were settled, would it have been so generous? (Even with the current changes, it is a sweetheart deal.)
Please. If if if if if... I thought we were done with this whole "If Gore won, the world would be perfect and rosey" bullshit. M$ was handing out cash to any fed who would take it, regardless of party affiliation. If Gore won, I seriously doubt ANYTHING would be different - and you can't prove otherwise.
BTW - I don't agree with this settlement either (in fact, I'm quite pissed about it). You're letting your political bias get in the way of any chance of clear thinking. I can't believe you were mod'ed to a 5 (currently), but I'll understand if I'm mod'ed to a -1.
FLAME ON?
Hasn't this been done to death by now? Why does this subject keep rearing its ugly head? I have friends (flesh and blood) and my friends have friends. Guess what? I bet my friends' friends have friends. Etc. etc. etc...
I think everything will be ok. Katz, you're (still) an over-hyping windback!
Wow. Maybe you should go by raving_ass? I say this because you're spewing lots of shite. Lots of shite!
Real learning is demonstrated by the ability to teach, and communicate in a logical manner those principles and skills that comprise the coursework.
Coursework. OK. I see where you're coming from. I think Kyrex is coming from the real world, though. I think he's interested in furthering his career and not his mastery of the coursework. But... if you define true learning that way...
Kyrex obviously wants a "real" degree, but you suggest he cannot by testing out of courses. BULLSHIT. A degree is nothing more than a certificate -- period. MORONS get degrees everyday. Some of these MORONS are Ph.D.s and M.D.s. Did they get this "real" education you mentioned?
Kyrex: CLEP out of every course you can. The American university system is a money grubbing pig bastard. If you can get a fast-track to a BA or BS, DO IT. You'll save yourself some heartache and money.
Yes you are the only person thinking that.
FULL DISCLOSURE is a must in my opnion. If the "good guys" know about a vulnerability, the "bad guys" know or will know soon. Sitting on these announcements is shite. Let me know my 14 FTP servers are vulnerable. I don't care if a patch is available or not. At least I know and can relate this risk to my management. I'll let them decide what we should do (to include killing the servers until a patch is available or moving to an alternative).
SHITE. The "security community" scares me on this one. They chose to let a remotely exploitable (root?) vulnerablity ride for a week. A WEEK! Unbelievable!
I'm glad Redhat made this "mistake".
Call me a troll, but this looks rather useless, if not stupid.
That's not funny. Must of been moderated by morons.
Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.
I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)
So many security problems exist at so many different levels, it's amazing no major infiltration has occured (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatos (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, and etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.
I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email.
Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guaruntee it is not being followed at most DoD installations.
I've said this in many previous posts on /. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a governement CONTRACTOR not an EMPLOYEE); Training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.
It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!
What do you know? A canned response. I got the same reply.
--
From: Jeanne Fourie "jeannef@thawte.com"
To: Michael E. C. Gauthier "gauthier@LICKDEEZNUTZ.mindless.com"
Subject: Re: No longer be issued to individuals???
Date: Mon, 29 Oct 2001 14:33:53 +0200
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
Hi Mike
Thank you for emailing me with regard to your concern. Due to the
current international threat of terrorism we have been advised by our
parent company VeriSign to refrain from issuing developer certs to
individuals, for the mean while.
As you will be aware, there is a need right now for companies like
ourselves to be extremely cautious in all aspects that concern security
and encryption.
Developer certs are issued to individuals based on verification of
passports and drivers licenses. These documents are however easily
forged and we have therefore had to take the executive decision of not
issuing certs where the verification process may be questionable.
We are positive that we will be able to resume this service in the near
future. I do apologize for any inconvenience that this may have caused
you.
Regards
Jeanne
Save the pity for someone who wants it.
You know, I'm always amazed at how quickly people resort to personal attacks. I attacked, if you even want to call it that, the GAME CUBE. Not you, your people, your tribe, or even your whore of a mother... oh wait, that would be a personal attack -- sorry about that.
It must have felt good calling me dim and retarded as an Anonymous Coward. I guess the AC title sort of fits you.
SIGNED... as a Non-AC.Kir (aka Michael Gauthier)
...and, in my opinion, it's ASS. I was in a Toys-R-Us last night in Saitama watching the kids play. Sure, it looks better than the N64, but same shit, different console. I felt the same way about the PS2. A-S-S! FPS and Strategy games are me. Luigi, racing, and stupid Anime adventures... umm... NO!
FLAME ON!
Yeah, but that doesn't prove a cover-up. Perhaps the gov bought all the satellite imaging simply to acquire maximum visibility into that region. Their blocking the ability of anyone else to buy them was probably just a move to, in fact, protect national security. The likes of CNN and the rest of the media whores will show damn near anything, regardless of the impact on U.S. intelligence. Hell, the damn congress can't even keep its collective mouths shut. What makes you think anyone else can?
No?
>Yes, there's no way that dedicated terrorists would bother to watch arabian news stations that do broadcast this stuff.
Ummm... I'm curios. Is this sarcasm? Are you suggesting there is a movement in the U.S. government to cover up any opposing views of what's happening in this "war".
> They made it clear that they were unhappy that the networks were showing this stuff and implied that they those doing so were putting their own greedy motives above the safety of Americans. The media are obviously being unsufficiently patriotic.
I think I agree with this comment, but I'm still unsure it's not sarcasm? I'm really not trying to be an ass, I'm just a little confused. Then again, I'm confused often when reading /.
What the hell is this all about? I was not prompting garbage like this. WTF?
SUH-WEET CRAP!
The military already has NIPRNET which is encrypted but relies on public internet channels
Gotta correct you here. The NIPRNET is NOT encrypted (while WAN links may be, this is bulk encryption to secure all data that may be muxed down one line). The NIPRNET is accessable from the internet, but it is a completely seperate network. There are several (growing all the time, unfortunately) internet/NIPRNET demarcation points control by DISA (Defense Inforamtion Systems Agency). These make the NIPRNET accessible by and part of the internet, however, these can be shutdown to create a completely independent network.
Cool?
> As an aside, when's the last time anyone used a .mil address? They're still valid TLDs, right?)
Just curious. What did you mean by that?
Chicken and the egg?
You are correct, sir.