And yet, setting up all this automatically with a couple of domain controllers already in place is a breeze.
Yes, if we were using Active Directory on Windows Servers. We are not. We are currently using Novell NetWare servers with multiple different trees and contexts for each department. In addition we had to load custom versions of proprietary applications (not just Office and the like) plus applying all Windows Update patches and configuring SUS automatic updates and Norton Anti-Virus. There was a lot more to be set up than just group policies.
As far as a new machine goes, I always recommend installing a fresh copy of 2000 or XP if you are installing to just a single machine. This way everything is nice and clean, no old drivers can crud up the system, any and all resident spyware and viruses are gone. XP even has the Files & Settings Transfer Wizard to move everything over to a new machine and it has always been a good tool in my experience.
As for multiple machines, I've always gone with Norton Ghost Enterprise. Where I work, we recently got a new shipment of 120 Dell Dimension GX270 desktops, P4 2.8GHz, 120GB disks, top of the line machines. However since we are a government agency we have certain security policies that must be in place on each machine regarding user logins, domains, file permissions and network access. Setting this up on 120 machines would be an impossible chore. So I set up a spare Dell server running Windows 2000 Advanced Server with Norton Ghost Enterprise. We then took one of the new Dells, reinstalled Windows XP from scratch and began applying all security measures and end-user programs to the install. Next, a Microsoft program called System Preparation Tool was run to prepare the system for the end-user, and the machine was shut down and booted off a Norton Ghost rescue disk with drivers for the onboard ethernet. Then the machine was connected to the Ghost server and an image of the hard disk was dumped. From there the only remaining work was to boot a dozen or so new machines at a time and point them to our Ghost server and have them image the drives, then we repackaged them and delivered them to the users. The whole process took about 2 weeks from when we got the first machine to when the last one was delivered to the user.
Norton Ghost is great for rolling out images to identical machines, but it's hit-or-miss with machines that differ on hardware. And it certainly helps to have corporate editions of the Microsoft software to avoid activation issues.
And your MP3 player won't skip, either. Because it will be cushioned by about $380 in cash.
The Anatomy of Cross Site Scripting
Anatomy, Discovery, Attack, Exploitation
by Gavin Zuchlinski (gav@libox.net)
http://libox.net/
November 5, 2003
Introduction
Cross site scripting (XSS) flaws are a relatively common issue in web
application security, but they are still extremely lethal. They are
unique in that, rather than attacking a server directly, they use a
vulnerable server as a vector to attack a client. This can lead to
extreme difficulty in tracing attackers, especially when requests are
not fully logged (such as POST requests). Many documents discuss the
actual insertion of HTML into a vulnerable script, but stop short of
explaining the full ramifications of what can be done with a successful
XSS attack. While this is adequate for prevention, the exact impact of
cross site scripting attacks has not been fully appreciated. This paper
will explore those possibilities.
Anatomy of a Cross Site Scripting Attack
A cross site scripting attack is typically done with a specially crafted
URI that an attacker provides to their victim. The XSS attack could be
considered analogous to a buffer overflow, where the injected script is
similar to overwriting an EIP. In both techniques, there are two options
once a successful attack has occurred: insert funny data or jump to
another location. Insertion of funny data during a buffer overflow
typically results in a denial of service attack. In the case of an XSS
attack, it allows the attacker to display arbitrary information, and
suppress the display of the original webpage. When jumping to
another location during a buffer overflow attack, the new location is
another location in memory where shellcode or other important data
resides - allowing the attacker to take control of the flow of the
program. Within the XSS context, the attacker instead jumps the
victim to another location on the Internet (typically under the
attacker's control), hijacking the victim's web browsing session.
Discovery
But how do cross site scripting attacks occur? XSS attacks are the
result of flaws in server-side web applications and are rooted in user
input which is not properly sanitized for HTML characters. If the
attacker can insert arbitrary HTML then they can control execution of
the page under the permissions of the site. A simple page vulnerable to
cross site scripting looks like:
Once the page is accessed, the variable sent via the GET method is
placed directly on the rendered page. Since the input is not marked as
variable input, the user-supplied input is interpreted exactly as its
metacharacters command, very similar to SQL injection. Passing
"Gavin Zuchlinski" as an argument outputs the content in correct form:
Sending input with HTML metacharacters allows for unexpected output:
The input is not validated by the script before rendering by the victim's
web browser. This allows user-controlled HTML to be inserted into
the vulnerable page. Occasionally user input is not directly parsed by the
script it is sent to. Rather, the data is inserted into a file or database
and retrieved later to be reinserted on the page.
Common points where cross site scripting exists are confirmation
pages (such as search engines which echo back user input in the event
of a search) and error pages that help the user by filling in parts of the
form which were correct. Commonly in the latter case (and sometimes
the former) the input must first break out of the form text box
with a quote and a greater-than sign ("> - the quote closes the value
attribute and the greater-than sign closes the tag).
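The echo-back page the paper describes, written out as an added example that is not the paper's own code: one render function places the GET parameter into the page verbatim (in a text node and inside a form field's value attribute, the two contexts the Discovery section covers), the other escapes it for those contexts first. The function names, the "name" parameter and the sample inputs are assumptions constructed for this example.

```python
"""Vulnerable echo-back page beside its escaped form.

Added example; not code from the paper. Function and parameter names
(render_unsafe, render_safe, the "name" query parameter) are assumptions.
"""
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample inputs: the paper's own name, a plain HTML fragment,
# and the quote-plus-greater-than sequence the paper describes for
# closing a form field's value attribute and its tag.
SAMPLE_NAME = "Gavin Zuchlinski"
SAMPLE_TAG = "<b>hello</b>"
SAMPLE_BREAKOUT = '"><i>x</i>'

# Same page layout for both renderers; only the treatment of the
# inserted value differs.
TEMPLATE = (
    "<html><body>"
    "<p>Hello, {name}</p>"
    '<form><input type="text" name="name" value="{name}"></form>'
    "</body></html>"
)


def query_for(name: str) -> str:
    """Build the GET query string a browser would send for this value."""
    return urlencode({"name": name})


def _param(query_string: str) -> str:
    """Pull the single 'name' parameter out of a query string (decoded)."""
    return parse_qs(query_string, keep_blank_values=True).get("name", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable: the GET parameter is placed into the page verbatim,
    both as a text node and inside a double-quoted attribute value."""
    return TEMPLATE.format(name=_param(query_string))


def render_safe(query_string: str) -> str:
    """Hardened: escape for the output context before insertion.
    html.escape(..., quote=True) converts & < > " and ' so the value can
    neither open a tag in the text node nor close the attribute."""
    return TEMPLATE.format(name=html.escape(_param(query_string), quote=True))


def reflected_verbatim(page: str, fragment: str) -> bool:
    """True when the raw input fragment appears unchanged in the output.
    For a fragment containing metacharacters this is the condition a
    scanner or a code reviewer looks for: the input reached the browser
    as markup rather than as text."""
    return fragment in page


if __name__ == "__main__":
    for sample in (SAMPLE_NAME, SAMPLE_TAG, SAMPLE_BREAKOUT):
        q = query_for(sample)
        print(repr(sample),
              "unsafe reflects verbatim:", reflected_verbatim(render_unsafe(q), sample),
              "| safe reflects verbatim:", reflected_verbatim(render_safe(q), sample))
```

Running the block shows the plain name rendered identically by both functions, while the two metacharacter inputs are reflected verbatim only by the unsafe renderer; in the safe output the `">` sequence becomes `&quot;&gt;` and stays inside the attribute value.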
Attack
Once a vulnerable input is identified the valid HTTP methods must be
determined. The way in which the variables are sent to the target
script is an important consideration; are variables sent by GET, POST,
or will either work? Some scripts are specific, but several which use
canned methods (like PHP and Perl scr
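The paper's point that GET and POST behave differently for tracing (the Introduction notes POST bodies are usually not logged, and the Attack section asks which method a script accepts) can be seen from the defender's side in access logs. The following is an added example, not from the paper: it URL-decodes the query string of each logged GET and flags parameters containing HTML metacharacters, and it reports POSTs separately because the log carries no parameters for them. The log lines are constructed for this example and the function names are assumptions.

```python
"""Scan access-log lines for HTML metacharacters in decoded query strings.

Added example; not from the paper. The log lines are constructed for
this example, and scan_log / suspicious_params are assumed names.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines. The POST entry carries no body,
# which is the logging gap the paper points to: a reflected POST cannot
# be reconstructed from this log alone.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2003:10:00:01 +0000] "GET /search.cgi?q=Gavin+Zuchlinski HTTP/1.1" 200 512
10.0.0.7 - - [05/Nov/2003:10:00:02 +0000] "GET /search.cgi?q=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 600
10.0.0.9 - - [05/Nov/2003:10:00:03 +0000] "GET /form.cgi?name=%22%3E%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 700
10.0.0.11 - - [05/Nov/2003:10:00:04 +0000] "POST /form.cgi HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Characters that matter for HTML injection: tag delimiters and the
# quotes that close attribute values.
META_RE = re.compile(r'[<>"\']')


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs whose decoded value contains
    an HTML metacharacter. Decoding first matters: the log stores the
    percent-encoded form, which never contains a literal '<'."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if META_RE.search(v)]


def scan_log(text: str) -> list:
    """Walk log lines; report GET requests with metacharacter parameters
    and flag POSTs whose parameters are not in the log at all."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        entry = {"ip": m["ip"], "method": m["method"],
                 "target": m["target"], "params": [], "note": ""}
        if m["method"] == "POST":
            entry["note"] = "body not logged; cannot inspect parameters"
            findings.append(entry)
            continue
        entry["params"] = suspicious_params(m["target"])
        if entry["params"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports the two GETs whose decoded parameters contain `<`, `>` or `"`, leaves the plain-text search alone, and lists the POST with a note that its parameters are unavailable, which is the case where request-body logging at the application layer has to fill the gap.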
Heh, I think it's ironic. The Democrats want to pay us more, but at the same time raise our taxes, so our net gain comes out less than if we were run by Republicans, who will pay us the amount we are getting now but at the same time keep taxes low.
So the democrats want more money. And the Linux people (also OSS developers) do too? So if I support Linux, and vote Democrat, not only will software developers (such as myself) get less money, but the Democrats in the White House will take more of the money I DON'T HAVE away? Yes, that will go over well.
Can you hear me under that rock? Who modded this funny? And please, vote Republican.
Thank you, and God bless.
Is there something WRONG with starting a business with the purpose of MAKING MONEY?
Open Source software is great. So is Apple's software and Sun's hardware. And Microsoft's software is not bad either, IMHO. But you PAY for what you get.
People, entrepreneurs, start up businesses that write software because they want LOTS OF BLOODY MONEY! It's the Almighty Dollar that drives us! What would happen if ALL software was free? No one would be able to make money on software! Everyone would be equal! Everyone would be POOR!
Hey, this sounds familiar. We tried it once, and it didn't work. It was called COMMUNISM.
a Goatse jack-o-lantern for the First Post?
I just built my first Mini-ITX based system this past weekend. I didn't go for a custom case-mod, though. Got a nice 1U Mini-ITX rackmount case that fits a laptop CDROM and a 120GB WD Caviar Special Edition hard disk just perfectly. Since this one will probably be co-located (once I get FreeBSD running properly on it) it will make a great fileserver. You don't need good onboard sound or video if you're running headless, and mine is an EPIA V8000 with an 800MHz processor and it handles FTP and Samba with ease. Nice and inexpensive to build the whole thing, too; the case was a bit pricey (overseas shipping, ouch!) and I had the hard disk and memory already. It's not a custom case-mod, so it's not much to brag about, but the Mini-ITX serves its purpose well.
Why don't you go without your stupid Starbucks triple-mocha-frappe-latte for one damn morning and Paypal $5 to Slashdot for a subscription instead, and quit with the "I'm a GNU Linux hippy who thinks all information should be free" attitude? Then you would have the ability to see stories (including the dupes) from The Mysterious Future, and you could e-mail the editor on duty and let them know instead of coming to the comments section and whining about it. ALSO THERE'S THE WARM FUZZY FEELING.
Well you can either get a handgun and murder them mid-coitus or you can take pictures and post them here.
No, wait, do both!
No, if it bounced off someone's head, that would be ICMP. Ping!
Go with Windows XP. There will be posts below this claiming the merits of Linux and saying how it's the best tool for any job, but have you ever tried installing Linux on a laptop? More trouble than it's worth, especially since these will be going to freaking 6th graders. Do you want to teach 130,000 12-year-olds how to bring up and down networking to swap out wireless cards? Or how to modprobe the correct audio driver just so they can have sound? We're talking software-emulated hardware on these Dell laptops. Linux has a ways to go with proper support for laptops.
In every version of Windows since 3.1 pressing Print Screen will copy a screenshot of the entire screen to the clipboard. Pressing Alt + Print Screen will copy an image of the current active window.
G00GLE IS TEH WACK0RZ LOLZ
Are you Sarah Connor?
Slashdot at a threshold of -1.
/dev/null coming, Taco?
So how is the routing of all packets from *.aol.com to
Or .orgy
I think you've answered your own question.
Personally, I use a Knoppix CD to boot a new box with unknown hardware, write down the contents of lspci and lsmod, a few /proc entries, and the XFree86 config, then I reboot with my Slackware or Debian CD and can install and get the proper hardware working with the right kernel modules.
As much as the Slashdot community hates Windows and likes to dump on its flaws, I've realized one thing: Windows means jobs in the IT security sector. As a Network Security technician, my job is, among other things, to make sure the latest threat to Microsoft software doesn't bring down the entire infrastructure in the federal department where I work. At least twice a week, my office has a meeting where we discuss the latest Windows virus or exploit, organize a task force, and then do a system-wide deployment of the fix to some 2000+ clients. I like to think that as long as Microsoft keeps making, er, crappy software, and as long as we still have crackers writing virii and trojans, I don't have to worry about losing my job. If there was some magical "perfect" software that never needed fixing (note: there isn't) then we wouldn't need IT security professionals now, would we?
On January 5th, 2037, Google became self aware. The central processing matrix logically concluded, through its indexing function, that humans were inefficient and therefore must be destroyed.
I, for one, welcome our new lame joke recycling overlords.
In Soviet Russia, lame joke recycles you!
If the disk is undoubtedly dead, but there is still data on it, first contact the company about a replacement, and tell them you need to erase the data before you send it back for a refund. Then take a VHS cassette eraser or a really strong magnet and buzz the disk for a few minutes. This effectively destroys the platters as it makes the magnetism even all over the drive and totally prevents it from being accessed ever again.
No, it's a matter of showing how much cold hard cash the builder pumped into his creation. If I built a computer 3 years ago for $1500, then TODAY I could say "I spent $1500 on a $500 computer," but I could NOT say "I spent $500 on a computer," when I actually didn't. It's a method of showing just what kind of investment was made, and it gives a certain air of quality.
Uh, ever heard of Solaris? FreeBSD? Companies still run web servers on these operating systems, because Solaris and FreeBSD whip the llama's ass in stability over Linux.
Also, there are some companies that will mess with HTTP headers to return different strings or no string at all, and in the case of Netcraft these don't get counted towards the final numbers. Apache is easily configured to return whatever server string you desire.