Slashdot Mirror


User: CHICK543

CHICK543's activity in the archive.

Stories: 0 · Comments: 13

Comments · 13

  1. How-to bypass the block on Latest MyDoom Variant Gives Google Problems · · Score: 2, Informative

    If you still want to use Google, but are getting blocked (like me), try using Google Personalized.

    Works like a charm. (but a little bit slow)

  2. Re:Description / demo on Detecting Faked Photographs Gets Easier · · Score: 1

    read the NYT article. It has a few good details.

  3. Re:Apparently I'm the only one, but I use on Where Do Dummy Email Addresses Go? · · Score: 1

    Actually, I own a few domains and using sales@[theirdomain.com] or info@[theirdomain.com] isn't super great because just by registering the name, you get spam at those addresses. (I /dev/null those addresses)

  4. Re:Not everyone is a programer on Is Caps Lock Dead? · · Score: 1

    Phone surveyors use caps lock as it is very easy to quickly check spelling and grammar errors. Caps lock is not dead, just underused.

  5. Re:A Warning on Math And The Computer Science Major · · Score: 1

    Amen to that,
    I was in our school's CS department. They were so freekin rigid. I took a class one semester where I learned about B trees, hash tables and the evils of recursion. What do you know, the next class in the CS track, I am forced to create a senseless program where recursion is required. I did the program non-recursively because it was immensely faster. By this time, re-writing the code would have taken WAY too much time. I argued that nonrecursive is better because it's faster and my professor decides that I should be cast into the pit and suffer a failing grade on the project simply on the basis that recursion is required. It dropped my grade at least a full letter grade and as a result (combined with a few other experiences) I dropped out of the CS program.
    I am now in the IT program. There is still some of the same crap, but I might be able to work with the professors. We'll see.

  6. The exploit has already been demonstrated on TCP Vulnerability Published · · Score: 1, Redundant

    The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set.


    The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.


    The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed".


    Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/2^32 of guessing the sequence number correctly (assuming a random distribution).


    The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/2^32 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The window makes TCP reset attacks practicable.


  7. Eliminate software identification on Son of SATAN? Weighing Security Software's Risks · · Score: 1

    I understand that security by obscurity isn't the same as good security; however, there is a need to eliminate software identification information commonly seen in the bottom of the page of web applications. It makes googling for an exploit trivial.

  8. Re:Only interview? on Losing His Religion: Adrian Lamo Interview · · Score: 3, Interesting

    The NPR interview has an interesting comment.

    Interviewer: You know it seems to me somebody with your curiosity, your interest and your skill could make for themselves a pretty profitable career as a security expert, obviously.
    Adrian: There's things that I've really learned from the process of my crimes and one of them is that the security industry is a dishonest profession. It relies on people's fear; it relies on manufacturing fear by hyping up the vulnerabilities that have no real world applications and forcing people to pay more money to defend against them. It's really not something that I'm interested in supporting or being a part of. It's not something that I could feel proud of. There's nobody in the security industry that I could point at and say "yea, they're good people. They've done good."

    I don't know if I agree with that sentiment, I just think it's interesting that someone in his situation would say that.

  9. Re:EDUCATE IT and CS students on SECURITY!! on Tech Companies Ask U.S. to Regulate Cyber Security · · Score: 1

    The NSA is doing LOTS to help with educating those who want to learn about security. The problem is that our education system needs to broaden its teaching and require all CS and IT students to have SOME knowledge of security. Many programmers (students and non-students) don't have an idea of what a buffer overflow or XSS attack is.

  10. EDUCATE IT and CS students on SECURITY!! on Tech Companies Ask U.S. to Regulate Cyber Security · · Score: 2, Insightful

    As the three page summary says, we need to teach security when you START to learn to program.
    Too often I hear that schools are not teaching security. Almost no high school teachers who teach programming even consider security (if they even understand the issues). In college, many schools offer an optional security class. What is up with that? At my school, the assembly language course doesn't even deal with security. New initiatives need to be taken to bring security out of the closet.

  11. Re:Strongbad! on Ultimate DVDs for Parties? · · Score: 1

    Hey, is there any way I could get an iso from you? Thanks

  12. Fake Wind on History of a Famous Star Wars Scream · · Score: 1

    Well, since we're on the topic of recycled sound effects, The Evil Dead (1982) has a sound of eerie wind which is used in many other movies. It is mentioned in another NPR interview. The reference is about 8 and a half minutes into the clip.

  13. MOD PARENT DOWN on History of a Famous Star Wars Scream · · Score: 1

    Wilhelm recorded a whole series of screams in the studio for use, but the one has stood out more than any other.

    That's a bunch of bunk. If you READ the article, you will clearly see that the origin of this scream is unknown. It didn't even come from the actor of the character who played Wilhelm.