From memory, classic DNS poisoning goes something like the following:
Pick any DNS server which isn't authoritative for the domain which you wish to poison with the IP of your choosing. Something like your ISP's DNS server will work nicely.
Send a legitimate DNS request to the server for a domain which is authoritative under a server you are in control of, and which your chosen server (and any in-between it and your own server) won't already have in its cache.
When the request for the domain comes into your server, you have the sequence number which originated from your target DNS server. The idea with this sequence number is that your reply to the originating server contains the number, and hence the server knows which request is being replied to. Here is where the vulnerability comes in. Earlier versions of BIND use sequential sequence numbers in each request; nowadays pseudo-random numbers are used. What we're really after here is the next sequence number, or at least an idea of what it might be. In the case of sequential numbers, you have a rather small range of next sequence numbers. If your pseudo-RNG isn't cryptographically secure, it's possible to guess the next number in the sequence (for which you might want to make a few legitimate requests to your target server to observe the sequence).
Next up, make a request to your target server for the domain which you want to take control of. For this to work, your target DNS server must send out a further request for this domain. Since you have an idea of the sequence number which has been sent out with this request, you can now start flooding the target DNS server with false replies.
The ultimate goal is that you will hit the correct sequence number with your false reply before the legitimate reply comes in, hence poisoning the DNS. Further requests to your target server within the record timeout (which you may specify yourself in your false replies, so they can last quite a while) will be replied to with a cached version containing your poisoned IP.
Watch the requests come in for the content to your own IP, serve up appropriately.
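A defender's view of the guessing described in the comment above, as an added example that is not part of the original post: one check audits whether a resolver's own outgoing query IDs are sequential, the other flags names that draw a burst of responses carrying the wrong ID. The event tuple layout, function names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sensor records at a caching resolver: (time_s, kind, txid, qname).
# "Q" = query the resolver sent upstream, "R" = response that arrived for qname.
EVENTS = [
    (0.000, "Q", 0x0C3D, "mail.example.org"),
    (0.021, "R", 0x0C3D, "mail.example.org"),   # normal exchange
    (1.000, "Q", 0x5A11, "www.example.com"),
    (1.002, "R", 0x5A00, "www.example.com"),    # wrong ID
    (1.003, "R", 0x5A01, "www.example.com"),    # wrong ID
    (1.004, "R", 0x5A02, "www.example.com"),    # wrong ID
    (1.005, "R", 0x5A03, "www.example.com"),    # wrong ID
    (1.030, "R", 0x5A11, "www.example.com"),    # genuine answer
]


def looks_sequential(txids, max_step=8):
    """Audit a resolver's outgoing query IDs (in send order).

    True when every consecutive ID advances by a small positive step
    modulo 2**16, i.e. the next ID falls in a tiny, guessable range.
    """
    steps = [(b - a) % 65536 for a, b in zip(txids, txids[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def detect_guessing(events, threshold=3, window=2.0):
    """Return {qname: count} for names that received at least `threshold`
    responses that matched no outstanding query (wrong ID, unsolicited,
    or later than `window` seconds after the query was sent)."""
    outstanding = {}            # qname -> (txid, time sent)
    wrong = defaultdict(int)    # qname -> rejected response count
    for ts, kind, txid, qname in events:
        if kind == "Q":
            outstanding[qname] = (txid, ts)
            continue
        pending = outstanding.get(qname)
        if pending and ts - pending[1] <= window and txid == pending[0]:
            del outstanding[qname]      # answer accepted, query closed
        else:
            wrong[qname] += 1           # candidate spoofed reply
    return {q: n for q, n in wrong.items() if n >= threshold}


if __name__ == "__main__":
    print("sequential IDs:", looks_sequential([65534, 65535, 0, 1]))
    print("suspect names:", detect_guessing(EVENTS))
```

A production resolver also matches the source address and UDP source port of each response, so a real sensor would key outstanding queries on those as well as on the name and ID.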
Indeed it does; we have here a phone running Linux 2.6.x which lists "MS Outlook" as a part of its software collection. Mis-marketing any which way you look at it.
I'm just curious if anybody knows how long this patch took to be released.
Looking through Mozilla's Bugzilla, it would seem as if the bug was first realised on the 23rd of September in a comment to bug 240068, and then had a separate security-sensitive -- and hence restricted access -- bug report opened yesterday. I'll leave others to comment on the acceptability.
Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfuscated.
Amazing - that would be a great transfer rate if we're talking about full songs. Or when they say "tap" do they perhaps mean "holding their devices against a poster for a few minutes."??
No, we're talking more about tapping your device against the poster in order to get the unique rfid. Then you connect to the wifi or bluetooth wireless connection available, and presumably use a custom protocol to request the song by giving the network the rfid.
Innovision says it's getting ready for when mobile users will be able to download music tracks by just tapping their device against a poster
Imagine also walking into a high street music shop with your MP3 player in hand where all of their CDs are embedded with rfid tags. Tap your MP3 player against a CD case to get the rfid tag, then your MP3 player connects to the store's wifi network and requests a sample of the album using the rfid tag.
Limit it to a couple of samples per person per unit time to avoid abuse, and you've got yourself a very powerful means of marketing CDs.
It's not so much the recording of the concert that's pending patent, it's the immediate duplication of the resultant recording to many audio CDs -- or "a plurality of media recorders" as CC puts it -- for reselling as soon as the concert has ended.
A great idea if you ask me, I've certainly never seen anything like it here in Scotland.
It's a nice concept, but I really can't see much need for linking a PDA to a hard disk, CD-ROM drive or whatever. Surely the "killer feature" of any PDA is that you can carry it about and get common tasks such as organisation done as quickly as possible. Anything more than this and a PDA will quickly become cumbersome due to the small screen size and limited input.
If you need to print something or save something big enough to require a hard drive, then surely you would be better off using the laptop or desktop PC that's invariably located about such hardware?
Removing the language restriction would help more than removing the quotes. Second of two results, and in Spanish, but it's there. Still, this is an April fools somewhere along the line.
how the heck do you control the spin of individual baryons in a nucleus?
Well according to the article, you fire X-rays at them and hope for the best. There's probably a more scientific reason (due to the high wavelength of X-ray radiation, blah blah blah), but that one worked for me.
I speed read the 23 pages, and basically it seems to (IANAL) boil down to the fact that search engines want to remain within the laws that are protecting them -- the DMCA safe harbours. Classified as an "information retrieval tool", search engines must make sure that they do not knowingly link to material that violates the DMCA. So when Sharman Networks comes along and tells Google that it is linking to material that violates the DMCA, the people at Google put on their best poker faces and cry "oh no, surely not!". Under the safe harbours, Google then has to remove this content, or they can be held responsible. The most interesting part of the paper points out that adopting this behaviour will never justify the safe harbour use:
... service providers, being risk-averse, will widely embrace the safe harbors in an attempt to avoid the uncertainty of liability outside them. Due to the widespread use of the safe harbor procedures, courts will not be given the opportunity to decide cases clarifying the liability of service providers, as service providers will err on the side of caution and liberally remove content in response to notifications. The resulting lack of judicial clarification will reinforce the use of these procedures, thus creating a self-perpetuating cycle.
Since they're currently experiencing a "server failure", I can't comment on the course content as such, but there are vital pieces of physics that simply cannot be taught from watching a movie. You can talk about conservation of energy in a car crash, sure. You can laugh at the physical impossibility of that bit in Hollow Man where the chick opens a door with an electromagnet. You could even try to talk about "time folding over" in Event Horizon.
The fact of the matter is however that physics is made interesting when you actually think about it yourself and realise why it is interesting. If someone makes a movie that makes relativity or quantum physics interesting enough to justify the cost of the movie, then I take my hat off to them.
This just sounds like another course to fill credits.
I couldn't agree more with the parent. Servers log our browsing, and there's nothing more to it. How this information is used isn't up to us; and once again there's nothing more to it. A9, Google, or <> could technically display a complete history of your searches. There's no cause for complaint here; we're basically disputing the lack of anonymity of the HTTP over TCP/IP.
This is synonymous somewhat to how a highstreet store could show you a list of all the items that you have purchased with a certain credit card, and even track your movements from store to store. Or how a mobile phone company could show you a map of your movement on a particular day.
The real gripe with these privacy concerns seems to be the deep-rooted notion people have that they are anonymous whilst browsing the Internet. This couldn't be further from the truth.
Well I went off and read the FAQ; and I noticed they mentioned setting your interests to Astronomy and then searching for ATM. Okay, I'll admit I've no clue what an ATM means to you astronomers, but I certainly do know I can use one to get my money out of the hole in the wall, and I can also stream nice fast multimedia over one.
Anyways, just for fun I went and set up my profile to prefer Computer Hardware, Financial Services, and Astronomy: something quite reasonable if I was working in technology for an investment banking company and happened to have a penchant for astronomy.
Yeah, it turns out this search is just as good personalised as it is non-personalised. Not that I'm surprised, but what I'm getting at is that the topics as they are at the moment are far too vague; there are many options that I have an interest in and may well be searching for at any time.
Not to say it doesn't work; I just think the topics need a slight re-think before it's 100% useful.
Indeed it would look like that to me as well. In the words of the Videobox site: "Just add a way to get your PC's Video & Audio signals to your living room TV set to transform your Squeezebox into a Video Player."
It is a rather novel way to control things none the less, and with something like the suggested Trust Wireless Televiewer, you could stream video nicely through to your TV set from your PC sans-wires. In conclusion however, it doesn't look like a reason to rush out and buy a Squeezebox.
Apart from this article, I wasn't aware that Google's cache functions had been disabled at all in China. Indeed, it doesn't seem all that possible since the Chinese can surely still use the English version to the same devices.
The Chinese authorities however did at one point block both Google and Altavista - dubbed "The Chinese Firewall" by the press - due to the fact that sites that they explicitly blocked from viewing could be accessed through Google's cache.
String theory is just what it says on the tin - a theory. And this new theory is exactly that too - a theory. So a theory based upon a theory looks rather shaky to me... not even the Aardvark tome in sight yet.
The original SimCity had earthquakes if I recall correctly. Now once GTA gets fires, airplane crashes, tornadoes and godzilla terrorizing the streets I can finally ditch my Amiga!
A real-time form of HTML would be a completely new concept altogether. Although conceptually a good idea, it means developing a new client/server architecture.
The good thing about RSS is that it works over existing technology - the same way that people are excited about broadband over power lines - the technology is already in place.
Most of the spoilers are in previous articles from the looks of things. Can't see many spoilers in their "huge new spoiler filled photos" though - media manipulation perfected.
In Glasgow people seem to be used to the fact that you don't need to press the button. So much so that when it comes to a crossing where you do have to push the button, people just ignore it and will watch the stream of traffic go past them for 5 minutes. Great fun to watch.
As has been pointed out many times before, this technique *has* been introduced into the newer Euro and Sterling notes. This PDF has an explanation of how this apparently works. It's not just Americans who can't fire up Photoshop CS for an extra few drinks at the weekend.
Okay, I'll bite...
The day that these robots can play capture the flag the way I used to play it as a kid, I will bow to the robots and call them my master. Wading through water, climbing trees, and jumping through thick gorse were all commonplace whilst clutching the opponents' frisbee (for flags were hard to come by).
When the robots can climb that oak to retrieve the frisbee that was skilfully thrown up at the start of the game, I think it's fair to say that the robots may just beat us at capture the flag! It's a game, not world domination.
Once this story gets out
This is Slashdot. I think we can officially say that the story is out.
That's over 66000 reloads of the front page every second.
Yes, I'm ignoring the obvious latency, but we can only dream.
More importantly, anyone got the schematics for these thumb-sized hamsters?