Personally, I signed a three year contract, and I'm happy with it.
I checked out the service beforehand with a cheaper handset, verified reception where it's important to me, then negotiated. Got a $599 phone for $99, and got $15/month (Unlimited E&W) free.
By the end of the contract, I'll have saved $1040. If I want to cancel, it's only $20/month for remaining months, so as long as I stuck out the service for about 9 months, I come out ahead no matter what.
Oh christ. Even my Windoze servers automatically stop write caching during a power outage, and shut themselves down when my UPS batteries run out (45-60 minutes on my last field test).
You can't tell me that "big corporations" don't have the basics covered insofar as the servers shutting themselves down when the UPSes are ready to drop off?
The owner *is* partially responsible, if they didn't take proper precautions that their SUV wouldn't be used improperly... (same for the firearm, or baseball bat)
To what extent? What level of security is sufficient?
And in a corporate environment, who is responsible? -- Since I don't believe you can charge a corporation with a criminal offense, this becomes even more important since you could potentially be responsible for thousands of PCs.
What part of "the right of the people to keep and bear arms, shall not be infringed" do you not understand?
The same applies if you have a malicious user at the keyboard. The user could easily forge up some logs showing a proxy/DDoS-client/whatever being installed without their knowledge.
Ignoring the idiocy of ISPs keeping packet logs in any meaningful sense...
They MIGHT be helpful to determine whether or not the attack was initiated by the PC in question, not the USER in question. $50 NAT router will make this even more difficult, although sequence numbers will help a little.
However, that isn't the point.
How are ISP logs useful in determining if I initiated the DoS, if my brother/roommate/girlfriend/dog initiated the DoS, or if a trojan did the dirty work?
Take a Linksys BEFSR11/41 running 1.44.2z, Dec 13 2002, with a completely default configuration, the following URL should enable a DMZ on 192.168.0.100 all without opening up a dialog the user sees.
Next drop URLs into almost-invisibly small FRAMEs, and have the main frame show one of those annoying "Site loading" things with a 5 second redirect to the next page of the site, target _TOP
Unless you already logged in to the router during that browser session, in which case no password prompt will show up.
True. What are the odds though? -- I'm pretty careful about logging out anyway though, I doubt you'd catch me except possibly on 150, which is a WAP11 not a router.
I'd be more worried about people that leave the default password though, this might become a real issue at some point. The question is, what would you want to do if you were building this type of exploit into a website, other than disable the router completely?
Couldn't a bit of JavaScript click the "submit" link for you? Or any old link with onClick/submit junk, it wouldn't even need to be a button or look like a form.
You're welcome to try and come up with a URL or form that will do so to my linksys routers (192.168.0.5-7,150) -- As soon as I see the password prompt, I'll know something isn't right.
If girlfriend or kids or visitors happen to stumble across it, they won't know the password, so no harm done.
Not only a test, even just something simple as an eBay auction with someone who doesn't understand proxy-bidding and waits until the last 30 seconds to bid.
I'm also curious, if anybody knows, what stage does this interfere with the request?
Does it pass the correct HTTP GET request to the correct server and return a redirect (discarding the correct content), or does it handle the entire TCP session internally? Or worse, does it redirect the entire HTTP session to Belkin's server, allowing Belkin to log the URL (and possibly putting Belkin in violation of wiretap laws?)
Does it give you the ability to return to your previous session, or would my grandmother, who doesn't understand the "back" button, have to start over? -- And if it does attempt to get you back to where you started, does it handle both GET and POST types of forms?
So basically you're saying you've never had sex.
And isn't it a DMCA violation to even try and decode the encryption?
Too many assholes replied with "don't forget the bullets for the silver egg"
heh. True enough
Of course, opening a letter addressed to someone other than yourself is, as I understand it, a criminal offense.
IANAL, and I'm not an American, so I might be on crack here.
Pay your lawyer and he will dress up in a chicken suit...
Well, it depends on the system.
It could be as simple as Windows NTFS audit logs, or it might be something more interesting.
With Windows you can audit almost all drive activity, registry access, and any number of other "Security" related events.
Apparently the "not"
The difficult trick here is proving the driver, the individual(s) which caused the computer to act the way it did.
20KG of dried pig turds. Yippie!
Next drop URLs into almost-invisibly small FRAMEs, and have the main frame show one of those annoying "Site loading" things with a 5 second redirect to the next page of the site, target _TOP (No, there shouldn't be a space between 10 0, it should be 100 -- slashdot doesn't love me)
When the browser hits the "next page", it will trigger some classic windows exploits (for education purposes only, of course)
You could turn off ZoneAlarm and PC-Cillin too if you wanted.
Given that the router doesn't operate this way out of the box, you'd probably have a tough sell.
You could easily have purchased the router many moons ago, and just started experiencing the problem now, post-upgrade.
Well fuck. It was bound to happen I suppose... A funny "Soviet Russia" joke. Will wonders never cease?
Redmond?
Return it to where? The store?
"Our return policy is 30 days, you purchased your product 31+ days ago, no refund!"
You're expecting a bit much from someone in public relations. She probably doesn't have a clue.
*shrugs*
What if the web request was for something timing sensitive?