phase 1) send extortion mail spoofed as the original posters address, bounced through atleast 5 countris(preferably ones that don't get along with US very well), proxies or even FTPs would work fine. phase 2) ??? phase 3) Profit!
"you have EVERY right to try and protect your money."
Except of course the legal right. I'm all for forcing security, but you can't rob a bank to prove their storage is insecure (and lets face it, some of the security probes done are very intrusive) You have no right to protect your money, but they have liability. If the bank loses your money, they're still responsible for it.
btw, does anyone know what the vuln was? I could use a new videocard.
Unless instead of wardriving, you hacked someones desktop and installed a daemon waiting for the next laptop sync, at which point it spreads to the laptop and notices a wireless card where it then sits and waits for the next wireless connection(preferably excluding one where it can access the original host machine), then sends the email/kiddy porn/nudies of bill gates/source code to aol/whatever.
No, its just more convienient. You could pull it via manually running the cgi/php, then ftp down the produced html, then render it in a HT renderer(do they still make standalone ones?)
"the number of times it's used has no impact on how much knowledge it has about the web and what it does about it."
Thats not entirely true, if you take it the other way. The more popular google became, the more spammers realised its worth the time it takes to figure out how to manipulate the search engine until their page is on top. Google was much more useful when it was still on the list of effecient and useful geek-only tools, now that everyone either uses it directly or uses it via proxy(like yahoo was), the results are often times spam.
"Or give it to government officials looking for terrorists and political opponents and the such?"
If they(not you) operate out of the United States, the US PATRIOT act says that the govt is allowed access to any comercial database they desire, denying them is a federal crime, telling someone you gave them access is a federal crime. Unlike most new scary laws, this has already been used atleast once. Can't remember any references, but I vaugely remember something about the US govt trying to find people that bought a lot of {food they found terrorists like}.
Its also a huge shame that such a useful feature(profiling) would be so missused. Its depressing when there is good tech that won't be used/develeoped due to a selfish and corrupt society/govt.
I wish Tiny or ZoneAlarm would release a branded version for isps that removes all output, maybe saving it to an encoded file to send to isps. I'm tired of people that arn't proper admins using firewalls then complaining to me about mundane stuff like a "portsweep attack!" or whatever fear mongering language they use now to scare people into registering.
You confuse Linux community with Open Source community. OpenBSD is also opensource, but that doesn't mean he announced the local vulns out there that would allow any user to bring down your server. You had to complain on the obsd mailinglist and have someone send you a patch, which is really pretty sad.
"Just because the proof of concept exploit was created DOESN'T MEAN IT WAS RELEASED! If Linus and one other guy are the only ones with the proof of concept exploit, there is no reason to fear the script kiddies yet."
No, but it means the exploit is valid and worth patching. Its not like a lack of code in the wild means the script kiddies don't have it, just that they're good at hiding it. If sysadmins of the world knew how long some ssh exploits were private.. scarey world.
I'm assuming you're more of a windows admin, where you don't patch until you notice a new admin account named 'zer0c00l' has been created?
"ALL hardware sites are influenced by advertisers as far as I'm concerned. Though I cannot prove this"
I can prove it purely on theory:
Give every product good reviews, manufacturers love you, consumers view you as a cheap shill and your site dies due to lack of userbase.
Give every product honest reviews ("this hardware is worthless" included), manufacturers refuse to supply you with demo hardware and you're stuck paying for your own equip and doing reviews weeks later than everyone else. your site dies due to users going elsewhere.
The only compromise is to favor certain companies and let them deal with the financial aspect(read: cooperate bribing), while trashing their competitors so as to appear like a real reviewer. Its easy to take any data and mangle it to say what you want, and thats all a payed off reviewer has to do.
Combine all of this, and you know that any review site still running is influenced by advertisers. Same with magazines/tv too.
No, We want our cake on equal terms. Why should google users get special treatment over slashdot users? Descriminating against a website filled with hackers is probably not the best idea, they're lucky the worst we're doing is sharing reg info (rather than, oh, say, registering dozens of accounts each killing any use in marketing the data)
Re:"grok" is from "Stranger in a Strange Land"
on
The Voice of Groklaw
·
· Score: 1
"Actually, it's English for someone who bites the heads off live chickens. I suppose some people might find that terribly attractive"
Anyone who finds it terribly attractive would have such specialised tastes that you wouldn't have to worry about them leaving you for someone else.
The same is mostly true for all of the lonely 'unique' types, too.
Hrm, My mistake. Misread the first post as 250GB and assumed yours was a typo.
2500GB is enough. I've seen a 2tb fileserver sitting on 100mbit network with plenty of people uploading all the legal backup copies you can imagine and it neve got filled.
"Maybe in that amount of time/dev/random WOULD churn out a bunch of helpful addresses."
It's not really a maybe, its just a matter of time.
power * time = X, where X can be anything.
An infinite amount of power would produce anything even if ran for only a msec. An infinite amount of time would produce anything even on the slowest machine(thats still capable of doing the task at hand, in this case generating randomness).
The problem comes in that we have no real source of random, but thats our problem, the theory is still sound.
Some quick proof of this: grep -i hello/dev/urandom
Leave this running overnight (or over the span of a few days..weeks...whatever) and eventually it will return a match.
"(it was the worm that shut down the machine after 60 seconds and you couldn't stop it... which one was that?)"
MSblast, and that error happens whenever RPCD crashes. Its like if Linux were to schedual a shutdown for +60seconds. In linux you could cancel it with shutdown -c (I think, I tend to consult my manpage before touching shutdown). In windows you can cancel it with shutdown -a, but not many people know this (I wasn't sure about it until the first round of rpc exploits and a friend tested it on me, giving me 60seconds to test my theory on canceling shutdowns.)
For the record, the proper way to handle "hey, my computer keeps rebooting, it says I have 60 seconds to reboot.." is to use that same rcp exploit blaster used to get to a command shell and pop up a notepad explaining why they should install linux. Atleast, thats what I did, and you don't see them running to me anymore when their windows is broke.
for $200 (and/or some 'favors' if local..) I'd setup a page for someone, complete with easy to update self management system and a 'this one is actually run by me!' tag, so take that as you will.
"How does the buyer of a new PC get it online at home without catching 3 worms in the first 10 seconds??"
Maybe mirosoft needs to add a quick windows update check to the bootprocess? Ping home giving a list of installed updates, if theres any more critical than prompt the user to install now before anything else loads.
My views on deadaim are pretty simple: When a program sucks so massively bad that theres a market in creating addon programs ot make it suck less, you shouldn't use the program at all. I'd rather just use irc, or gaim if I need contact with aim members.
Slashdot Mirror
phase 1) send extortion mail spoofed as the original posters address, bounced through atleast 5 countris(preferably ones that don't get along with US very well), proxies or even FTPs would work fine.
phase 2) ???
phase 3) Profit!
"you have EVERY right to try and protect your money."
Except of course the legal right. I'm all for forcing security, but you can't rob a bank to prove their storage is insecure (and lets face it, some of the security probes done are very intrusive)
You have no right to protect your money, but they have liability. If the bank loses your money, they're still responsible for it.
btw, does anyone know what the vuln was? I could use a new videocard.
Unless instead of wardriving, you hacked someones desktop and installed a daemon waiting for the next laptop sync, at which point it spreads to the laptop and notices a wireless card where it then sits and waits for the next wireless connection(preferably excluding one where it can access the original host machine), then sends the email/kiddy porn/nudies of bill gates/source code to aol/whatever.
No, its just more convienient. You could pull it via manually running the cgi/php, then ftp down the produced html, then render it in a HT renderer(do they still make standalone ones?)
#!/bin/bash
echo -e "Content-Type: text/plain\n\n"
env
"the number of times it's used has no impact on how much knowledge it has about the web and what it does about it."
Thats not entirely true, if you take it the other way. The more popular google became, the more spammers realised its worth the time it takes to figure out how to manipulate the search engine until their page is on top. Google was much more useful when it was still on the list of effecient and useful geek-only tools, now that everyone either uses it directly or uses it via proxy(like yahoo was), the results are often times spam.
"Or give it to government officials looking for terrorists and political opponents and the such?"
If they(not you) operate out of the United States, the US PATRIOT act says that the govt is allowed access to any comercial database they desire, denying them is a federal crime, telling someone you gave them access is a federal crime. Unlike most new scary laws, this has already been used atleast once. Can't remember any references, but I vaugely remember something about the US govt trying to find people that bought a lot of {food they found terrorists like}.
Its also a huge shame that such a useful feature(profiling) would be so missused. Its depressing when there is good tech that won't be used/develeoped due to a selfish and corrupt society/govt.
I wish Tiny or ZoneAlarm would release a branded version for isps that removes all output, maybe saving it to an encoded file to send to isps. I'm tired of people that arn't proper admins using firewalls then complaining to me about mundane stuff like a "portsweep attack!" or whatever fear mongering language they use now to scare people into registering.
You confuse Linux community with Open Source community. OpenBSD is also opensource, but that doesn't mean he announced the local vulns out there that would allow any user to bring down your server. You had to complain on the obsd mailinglist and have someone send you a patch, which is really pretty sad.
"Just because the proof of concept exploit was created DOESN'T MEAN IT WAS RELEASED! If Linus and one other guy are the only ones with the proof of concept exploit, there is no reason to fear the script kiddies yet."
No, but it means the exploit is valid and worth patching. Its not like a lack of code in the wild means the script kiddies don't have it, just that they're good at hiding it. If sysadmins of the world knew how long some ssh exploits were private.. scarey world.
I'm assuming you're more of a windows admin, where you don't patch until you notice a new admin account named 'zer0c00l' has been created?
"ALL hardware sites are influenced by advertisers as far as I'm concerned. Though I cannot prove this"
I can prove it purely on theory:
Give every product good reviews, manufacturers love you, consumers view you as a cheap shill and your site dies due to lack of userbase.
Give every product honest reviews ("this hardware is worthless" included), manufacturers refuse to supply you with demo hardware and you're stuck paying for your own equip and doing reviews weeks later than everyone else. your site dies due to users going elsewhere.
The only compromise is to favor certain companies and let them deal with the financial aspect(read: cooperate bribing), while trashing their competitors so as to appear like a real reviewer. Its easy to take any data and mangle it to say what you want, and thats all a payed off reviewer has to do.
Combine all of this, and you know that any review site still running is influenced by advertisers. Same with magazines/tv too.
"Too bad a full computer can't do what a GameBoy can do. Fit in your pocket."
I bet you could fit multiple shuttle cases in XXXL cargo pants. YMMV
No, We want our cake on equal terms. Why should google users get special treatment over slashdot users? Descriminating against a website filled with hackers is probably not the best idea, they're lucky the worst we're doing is sharing reg info (rather than, oh, say, registering dozens of accounts each killing any use in marketing the data)
"Actually, it's English for someone who bites the heads off live chickens. I suppose some people might find that terribly attractive"
Anyone who finds it terribly attractive would have such specialised tastes that you wouldn't have to worry about them leaving you for someone else.
The same is mostly true for all of the lonely 'unique' types, too.
Hrm, My mistake. Misread the first post as 250GB and assumed yours was a typo.
2500GB is enough. I've seen a 2tb fileserver sitting on 100mbit network with plenty of people uploading all the legal backup copies you can imagine and it neve got filled.
It's much better when you run your own server (see my slashdot name)
Maybe if all you're doing is storing it. Start editing and 250GB really is a good start, maybe sufficient if you delete your sources when done.
Lets say you're making a CS movie, assume 25fps at 800x600 for maybe 15 minutes. It adds up quick.
"Maybe in that amount of time /dev/random WOULD churn out a bunch of helpful addresses."
/dev/urandom
It's not really a maybe, its just a matter of time.
power * time = X, where X can be anything.
An infinite amount of power would produce anything even if ran for only a msec.
An infinite amount of time would produce anything even on the slowest machine(thats still capable of doing the task at hand, in this case generating randomness).
The problem comes in that we have no real source of random, but thats our problem, the theory is still sound.
Some quick proof of this: grep -i hello
Leave this running overnight (or over the span of a few days..weeks...whatever) and eventually it will return a match.
Not sure about their BBS, but ExecPC still runs some great quakeworld servers that are pretty well populated.
"(it was the worm that shut down the machine after 60 seconds and you couldn't stop it... which one was that?)"
MSblast, and that error happens whenever RPCD crashes. Its like if Linux were to schedual a shutdown for +60seconds. In linux you could cancel it with shutdown -c (I think, I tend to consult my manpage before touching shutdown). In windows you can cancel it with shutdown -a, but not many people know this (I wasn't sure about it until the first round of rpc exploits and a friend tested it on me, giving me 60seconds to test my theory on canceling shutdowns.)
For the record, the proper way to handle "hey, my computer keeps rebooting, it says I have 60 seconds to reboot.." is to use that same rcp exploit blaster used to get to a command shell and pop up a notepad explaining why they should install linux. Atleast, thats what I did, and you don't see them running to me anymore when their windows is broke.
You're evil, now I want the perfect combo of skittles and a bottle of tropical sprite (the real skittlebreu)
for $200 (and/or some 'favors' if local..) I'd setup a page for someone, complete with easy to update self management system and a 'this one is actually run by me!' tag, so take that as you will.
"How does the buyer of a new PC get it online at home without catching 3 worms in the first 10 seconds??"
Maybe mirosoft needs to add a quick windows update check to the bootprocess? Ping home giving a list of installed updates, if theres any more critical than prompt the user to install now before anything else loads.
My views on deadaim are pretty simple: When a program sucks so massively bad that theres a market in creating addon programs ot make it suck less, you shouldn't use the program at all. I'd rather just use irc, or gaim if I need contact with aim members.