Interesting timing for this. For some reason, I can get to .au sites no problem, but cannot get to cnn.com or google.com. So Australia goes high-bandwidth, and half of America drops off the net.
Konqueror is nice, but it's still a bit unfinished. The Java part works, once in a while, most stuff will not work. I've yet to be able to open my.yahoo.com with Konqueror. It will be very very nice, when it's done...
Tell ya what, the day Gnome looks as good as KDE2 is the day I start using it. Right now, it's ugly. It's far better looking than nasty old CDE, but it's got a long way to go until it looks like something I want on my desktop. Yes, I am into pretty GUIs. If I just wanted functionality, I would use CDE. But both are ugly, almost depressing in the long-term view. I want something that makes my day more interesting, and something that makes my friends go "Wow, check that out, that's cool. What are you using?" I have not had KDE2 crash once in the last two weeks I've been using it. Konqueror has been pretty solid, but it freaks out on things like my.yahoo.com, I've still not been able to get it to load that site. But, it's very promising.
I left out that detail, it was definitely audited by several third parties.
I and a few other people WERE/ARE held personally liable. Not for it getting hacked for any reason, but if it got hacked and it turned out to be due to negligence on our part. Such as doing or not doing something that would allow the system to be compromised. Any piece of the system implemented had to be first approved by security auditors/analysts, etc.
OK, on further thought, the Subject title of "If you build them like I do..." was a bit cocky. I deserve shit for saying something arrogant like that...:)
What exactly are you trying to say? Come up with a magically non-existent solution? All I did was reply that the 40-bit problem doesn't have to be a problem if the SysAdmin is clued enough to make the webserver only talk to full 128-bit browsers. I didn't say it was a magic fix that makes all your problems go away, did I?
You've said in other posts (Yes, you, your points are redundant and identifiable, even if you are posting as an AC) the same point about system admins who know this or that are rare. What exactly are you trying to say? If you have a good point, say it. Just saying "Pretty much everybody is a moron" is just restating the obvious.
Why does what I said piss you off so much? Maybe cut back on the methamphetamines a bit!
Buffer Overrun, don't ya mean "Remotely exploitable buffer overrun". See my previous message for more on those...
Certificates? Sure, I've been to a lot of classes and read a lot of books, but certificates? Give me a break, I respect them no more than you do.
Banks will like me better? Wow! I can't wait, I'd just love to cut my hair short again and start wearing a suit again for half the money.
All I was pointing out is that Internet Banking can be done, securely. To the point that your biggest weakness is social engineering.
Good people are rare, I dunno where I rank, but I know that if you think that buffer overflows are the scariest thing out there, then...
Ack! I've responded to two flames. I know what that is gonna get me, this is going to be most entertaining. I wonder how long until it digresses into spelling flames and Nazi comparisons?:)
> Would you trust a system designed by a person which has the above homepage (ooze.bloomnet.com)? He clearly has obvious mental problems.
Haha. Of course, I design a play website called "Reflective Puddle of Leaking Mental Ooze" - yep, that definitely points out my mental problems!:) (actually, there's a history to the whole ridiculous name. I needed a DNS entry to point to my IP, my friend who admins DNS for bloomnet just set up three stupid names pointing at it, out of the blue, one of them ooze, so I took it and ran with it. It's not supposed to be anything serious, I do it for fun, just enjoy it and laugh, jeez.:)
Oh fuck, remotely exploitable buffer overflows! Oh shit, the world is going to end! I've never heard of a non-remotely exploitable overflow. As a typical wannabe security guy, they always freak out about buffer overflows. Sure, they are a theoretical weakness, but come on, the chances of overflowing a buffer with obnoxious code and then actually getting the CPU's instruction pointer to execute them with an authorized user ID is just about impossible. The web server account itself does not have enough power to get into anything, it can't even modify files. Gimme a break, is that the best you can come up with? Typical skript kiddie trick.
Oh, yah, 128-bit SSL is bad. Actually, it's not the greatest possible, but it's the best you're going to get without requiring every user to install some proprietary bit of code on every machine, whether NT, Mac, Linux, whatever. It encrypts it hard enough that it's not going to get cracked before the mandatory password expiration kicks in. Beyond that, what are you going to do besides "wow, User A transferred X dollars from account Y to account Z"? Yippee. Boring...
Generally funds transfer is only between your own accounts. The Bill Paying features are a bit of a weak link, if someone grabbed your password, they could set up a one-shot (or if they were stupid, a multi-shot) bill payment to whomever. By the time you got your statement, it'd probably be too late. However, a good bank will confirm with you any new bill paying additions over a certain amount (Anywhere from $500 to $5000).
> 3. browser ssl - it doesn't matter if the site's key is 128-bit; if the browser functions at 40-bit, then that's the key size used for encryption. This is a problem with all ssl-based connections.
If it's a half-way intelligent banking system, they'll have the system set up to ONLY accept 128-bit browsers. If you can hit your bank with an old version of 40-bit Netscape, time to bail!
My last job (I left earlier this year, the creative design part was over and I got bored doing routine administration) was an Internet Systems Engineer for a large bank/credit card company/merchant processor.
We built that system as impenetrable as we could. Extreme security, multi-level DMZ design, black IP, major intrusion detectors, dead-end fake IP subnets, quite a few traps and, uh, planted 'distraction', and of course 128-bit SSL. It's been running for almost two years now, and no one has come close to hacking it. The firewalls and intrusion detection software usually record several attempts per day, usually just script kiddies, once in a while a 'real' cracker. But nobody has ever got in, and if someone did, I would definitely be one of the first to know.
We even hired some top-of-the-line, extremely good professional hackers, and they were only able to glean the tiniest amount of information about the topology of the network.
The only bad thing about the bank site is that the HTML coders have made one of the ugliest, lamest sites I've ever seen. They sure could have done a better job, but it's at least usable and extremely secure.
I use it myself, and feel safe doing so, especially as I implemented a lot of the security myself, very very carefully, as if I made an idiot mistake I would be held PERSONALLY liable. Kinda scary knowing how many billions of dollars are in that bank, and it's my ass if they get through. But I'd be very very surprised (and very respectful of the person) if anybody actually got through!
I don't know about other banks, but this one is tight. (Sorry, I cannot disclose which bank it is without written permission from them, or I'd be happy and proud to tell you.)
As far as the one bank someone was talking about that didn't even use SSL - you'd better find yourself a new bank - FAST!
Yah, but what about database generated info where the data doesn't go stale quickly at all.
Like my MessageBase web discussion code, it's all database driven, but once a message gets posted, it's pretty much there for life. I've noticed that none of the search engines will even touch an ASP (Yah, ASP, once I get my Java skills improved, I'll be changing it to JSP). I've watched the logs when the googlebot comes visiting, and it doesn't even go there. Seems kind of wasteful and incomplete.
You'd think there was some kind of a way/need/demand for this kind of a thing with most things these days (Slashdot included) being database generated. I take it that the search engines only hit the old archived Slashdot stories, rather than the newest content?
A single site, recording my activity in their own log for their own purposes? I don't have a problem with that.
I have a huge concern if they then sell their log information to a tracking company which aggregates a lot of logs to then track my activity across the net.
Same here, I cannot access peacefire.org from work... This is my first job in years that I have not been the proxy admin, or I'd just override that entry. I guess I'll have to wait till I get home...
That sounds like a good idea. I have a shitload of unused storage, it would be cool to start archiving endangered sites.
What is the best Linux software for mirroring a site (Something you give the base URL, and it recursively sucks down everything from every local link on the site) - I've been looking but a lot of them don't deal with JSP/ASP/etc type sites.
I'm betting more on Jesse Ventura running as a Libertarian. He definitely will get my vote unless he gets weird in the next four years. He shoulda ran this year.
Oops, there should be '-two or three second pause-' between "Hi" and "You've reached..." in the fourth paragraph. I put that between greater than and less than symbols, and /. ate it, thinking it was a strange html tag.
Almost all telemarketing operations use a system called a 'predictive dialer'. What that means is a computer dials a list of numbers, but only at the rate of the current average of the time it takes for the actual telemarketer to complete the call (Including both sales and hangups). It dials the number, listens to the way the phone is answered, then switches the call to a waiting telemarketer if it is determined to be a person on the line.
How does it do that? It listens for a pattern in the sound when answered. Typically, an answering machine has a message like "Hi, you've reached so & so, please leave a message" - basically a long, uninterrupted pattern of sound. When a person answers, they generally just say "Hello?" and wait for a reply - a quick pulse of sound, then nothing.
That's what the predictive dialer listens for - a quick pulse. If a long string, then it hangs up, so they don't waste their phone bill on an answering machine.
How do you take advantage of this? Instead of putting "Hi, you've reached so & so, please leave a message", instead put something like "Hi" "you've reached so & so, please leave a message"
This will fool the dialer into thinking it's a real person, and transfer the call to a telemarketer. Sure, the telemarketer will hang up, but you've just consumed an extra five or ten seconds of their time, and a few cents of connect time. This impedes the amount of time they can spend bothering other people, and when it happens in the thousands, it can actually have an effect.
I disagree. I think that if a person wants to ping away anywhere, that's no problem at all. But reselling that data, especially for a profit, basically to further destroy what "privacy" we still have, is a bad thing.
It's the reselling part. It's sorta like if Napster was charging for downloads of songs they do not own. Not the same as the free sharing going on with Napster.
I don't want some advertiser sending me a bunch of targeted spam based on where else my IP has shown up on web server logs. In fact, I don't want large entity tracking where I go on the net, any more than I want someone to follow me around and take notes on where I walk.
Pinging/tracerouting alone, for their original diagnostic purposes, shouldn't be illegal.
However, doing the same to provide unauthorized/unsolicited information on individuals should be highly illegal. It's about the same as calling everyone in the phone book and recording the way the phone is answered for resale (What reason someone would have for that I can't guess, but it's more to make a point)
Just installed Linux-Mandrake 7.2 the other night. One of my first thoughts was "Wow, I think Linux is finally ready for the desktop!"
Why? It comes with KDE 2.0, which comes with the whole KOffice suite, which makes StarOffice look primitive. Next, compare KSpread against Microsoft Excel - looks/works just as good! I'd say the KDE 2.0 GUI looks better than the Windows interface, and even has some added functionality! And the best thing - the scroll wheel on your mouse finally works!
As far as quick power-off, Mandrake 7.2 comes with ReiserFS as a partition option. ReiserFS is a journaling filesystem - power it off, and it comes right back up - without having to do an FSCK! It works a lot like a transaction log on a database.
I just got done installing Linux Mandrake 7.2 on my system with KDE 2.0 and Konqueror 2.0. It totally rocks, and so far has not crashed like Netscape 6 does every five minutes.
It rules!:)
(Besides it doesn't get along with all the IE color codes I have in my game below - a lot of stuff comes up black on black, but that's my fault and I'll get it fixed ASAP!:)
Isn't that the frat the guys in Animal House were members of?
Now, if we could just get some Rishathra going! :)
Let the games begin :)
But hey, it was funny. Good flame. I liked it. :)
See previous post.
I should have previewed, sorry! :)
Do it, try it!