Here are my headers, if you'd like to compare... no idea what's going on but I definitely did not get it on time. And the Date header is late too so I doubt it's just that it took their mail server 3 days to send out all their mail:)
Received: from delivery.pens.microsoft.com ([207.46.239.106]) by
redacted.myserver.com (8.11.6/8.11.6) with ESMTP id g1FFWrH08680 for
<jamie@mccarthy.vg>; Fri, 15 Feb 2002 10:32:54 -0500
Received: from tkmsftddsq03 ([10.201.232.135]) by
delivery.pens.microsoft.com with Microsoft SMTPSVC(5.0.2195.3651);
Fri, 15 Feb 2002 07:33:02 -0800
Reply-To: <3_25598_49103BFC-EA1D-4AA3-A1F7-F957B901CAD1_V G@Newsletters.Microsoft.com>
From: "Microsoft"
<0_25598_49103BFC-EA1D-4AA3-A1F7-F957B901CAD1_V G@Newsletters.Microsoft.com>
To: <jamie@mccarthy.vg>
Subject: Microsoft Security Bulletin MS02-005
Date: Fri, 15 Feb 2002 07:33:02 -0800
Message-Id: <7df801c1b636$0e09ff70$87e8c90a@tkmsftddsq03> ;
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcG2NgfOqr2I0ZX1Smi+i9X6FSULLw==
Content-Class: urn:content-classes:message
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Originalarrivaltime: 15 Feb 2002 15:33:02.0403 (UTC) FILETIME=[0E180930:
01C1B636]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by redacted.myserver
.com id g1FFWrH08680
Status:
Bruce Schneier wrote in this month's Crypto-Gram, sent out this morning sometime:
"Anyone remember Scott Culp... touting how fast Microsoft was at patching problems? There's a new vulnerability in IE that Microsoft is busy ignoring."
This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:
To: jamie@mccarthy.vg
Subject: Microsoft Security Bulletin MS02-005
Date: Fri, 15 Feb 2002 07:33:02 -0800
Title: 11 February 2002 Cumulative Patch for Internet Explorer
Date: 11 February 2002
Software: Internet Explorer
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-005
This is a cumulative patch that, when installed, eliminates all
previously discussed security vulnerabilities affecting IE 5.01, 5.5
and IE 6. In addition, it eliminates the following six newly
discovered vulnerabilities...
What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:
From: Thor Larholm <Thor @ (no spam) jubii . dk>
To: "'bugtraq@securityfocus.com'" Subject: Update on the MS02-005 patch, holes still remain
Date: Tue, 12 Feb 2002 15:25:11 +0100
...2 critical vulnerabilities are still remaining.
1. codebase localpath
Allows execution of arbitrary commands.
Publicly known since January 10th 2002.
Severity: Critical.
2. XMLHTTP
Allows reading of local files.
Publicly known since December 15th 2001.
Severity: Critical for homeusers.
Myth II was actually an extremely enjoyable game; I've been playing it for years. Not much in the last few months, been too busy, but it's a great workhorse strategy/tactics game.
If you think it was "movies on computer," you probably weren't a very good player. Ah, the joys of King of the Hill on Venice, with the WW2 plugin... your squad gets torn apart in about 5 minutes but you can still hold the flag long enough to win. "Woot" and stuff.
In fact it was Bungie's networking code for Myth II that was
so good
it was originally a replacement for, and later became a new version of, Apple's net gaming library (NetSprockets).
"What is horrifying is that the comment was modded up to +3 interesting... this points to the real problem, that the general population isn't qualified to modify comments for relevance, but they do it anyway."
One comment and one moderator. From that you're drawing conclusions about "the general population" of Slashdot? Awfully anecdotal evidence to draw conclusions from... what were you saying about science?
How about looking at
the whole thread,
in which several readers (who have been moderated higher) point out the error, correct it, and provide three links to interesting websites about interstellar objects and distances. Or do you prefer to focus only on negative anecdotes?
"You mean that if I go out and get a Tivo, then they can tell exactly what commercials I watch?"
Yeah. Take a look at this report, which goes into some technical detail about what your TiVo sends back (they watched the modem line as data transferred):
and of course it's anonymized, traceable only to your zipcode.
The PrivacyFoundation.org report linked above broke the news that the way the anonymized data is FTP'd up to TiVo's homebase leaves a way that an insider employee (or an unscrupulous, lying company) could potentially correlate your syslog to your name, instead of just your zipcode. I've no idea whether TiVo has changed its practices after the report came out two years ago, but I'm not aware of them having done so.
"I think the bottleneck would become the device manufacturer. Unless a device like that could be put together from off-the-shelf commodity parts (like current PCs can--anybody can build one out of 100% legal parts), the manufacturer could be sued out of existance."
That's why I was thinking of an MP3 player sold with a wireless card intended for legitimate use connecting to a computer. It's hard to bust manufacturers for selling goods that can't be proven to be intended for illegitimate purposes.
The question is, how hard is it to switch the device into "sharing mode"? If it's just flipping a dipswitch, the manufacturer may be liable. If it's a complex program, the DMCA can be used to stop distribution of that program (like DeCSS). Is there a happy medium somewhere between the two? I think an almost-trivially-simple program might be a successful strategy, both technically and legally: get the manufacturer off the hook and yet leave the copyright holders unable to use the DMCA on something quite simple.
"I think we've managed to slashdot their nameserver. wininformant.com points at ns1/ns2.duke.com, and my traceroutes get stuck in a loop between s8-0-0.7513.den.iccx.net and Edge-Serial-1-1-Lov-CO.rmi.net."
It's not a slashdotting; the site went down shortly before Slashdot ran the story. I'd checked the link a few minutes before it went live, but we only confirmed it being down right as the story went up, so we couldn't take it back down again.
Hopefully they'll have it fixed soon.
If anyone cares, duke.com does provide their DNS and duke.com is currently unreachable. Duke.com also appears to provide a wide variety of Windows-related products such as magazines and email lists (according to Google's cache).
Iccx.net is their upstream provider and iccx appears to have a router misconfigured or something. And not that it matters, but...
$ HEAD 'http://www.iccx.net/'
200 OK
Cache-Control: private
Connection: Keep-Alive
Date: Mon, 04 Feb 2002 17:05:58 GMT
Server: Microsoft-IIS/4.0
...
Unfortunately, I can't find the original story anywhere in Google's cache. Sorry.
"So if you watch Space Ghost, and your brother watches 'I Love Lucy' and you both rate them highly, it would probably just go out and record some more shows of both categories, not necessarily trying to find some Space Ghost/I Love Lucy hybrid (scary thought)."
It seems to work that way. The pool of possible TV shows is large enough that any one person really only likes a very small percentage of them. And a family of four may like four times as much, but that's still a tiny fraction of the available programming. The algorithm doesn't freak out, it can treat a family of four just like a single person who has eclectic taste and watches a lot of TV.
It's kind of a moot point in my experience. The suggestions aren't as useful as the main point of Tivo -- which is season-passing your favorite shows and poking in keywords for things you know you're going to like. Tivo's suggestions are fun sometimes, both to browse through its whole list, and to be surprised by stuff it records when there's free hard drive space. But that's secondary.
In other words, you'll be too busy fighting over whose season passes get to be highest on the priority list to care:)
"I don't know of all the other hypocritical actions made by TrustE offhand, but if any of you remember (I know there were quite a few), please post them."
Claim: NASA spent millions of dollars developing an "astronaut pen" that would work in outer space; the Soviets solved the same problem by simply using pencils.
Here's Robert Heinlein on nuclear waste. Expanded Universe, 1980, pp. 566-7. The President of the United States is speaking to one of her advisors:
She touched a switch. "Get me the head of the U.S. Engineers. How would you dispose of nuclear power plant wastes? Rocket them onto the Moon as someone urged last week? Why wouldn't the Sun be better? We may want to go back to the Moon someday."
"Oh, my, no! Neither one, Ma'am."
"Why not? Some of those byproducts are poisonous for hundreds of years, so I've heard. No?"
"You heard correctly. But the really rough ones have short half-lives. The ones with long half-lives -- hundreds, even thousands of years, or longer -- are simple to handle. But don't throw away any of it, Ma'am. Not where you can't recover it easily."
"Why not? We're speaking of wastes. I assume that we have extracted anything we can use."
"Yes, Ma'am, anything we can use. But our great grandchildren are going to hate you. Do you know the only use the ancient Romans had for petroleum? Medicine, that's all. I don't know how those isotopic wastes will be used next century... any more than those old Romans could guess how very important oil would become. But I certainly wouldn't throw those so-called wastes into the Sun!
"Basically, I think AC's who are modded up should be saved in the archive."
ACs, whether modded up or down, are saved in the archive, along with every other comment that gets posted. Here's a
sample archived story, chosen at random, with a couple of score:-1 and AC posts near the top.
I don't think we're guaranteeing that this will always be true, but so far, every comment posted to Slashdot since we made the switch to the 2.2 codebase is still available on Slashdot. Except for the handful we lost in a database crash dagnabbit.
"good to see an actual Slashdot 'celebrity' reading the posts below +4 (aka 'slumming')"
We compared notes last night on IRC and it seems we all independently settled on "Threshold 0, Newest First."
BTW, "Adolf Hitler" is an apropos choice for the person to (sarcastically) voice your concerns. Hitler was known for being a voracious reader, going through two or even three books a day. But whatever the subject matter was, he only took away what was relevant to his world-view. Namely, whatever he thought related to racial purity or racial struggle, his people vs. the other peoples of the world, and in particular the Jews. He's a good symbol for that kind of insular ignorance.
This is a valid concern and something we've thought about. I don't think it's going to happen this way. If it were a matter of blocking out newspapers or magazines you do or don't want to see, that's something that someone can legitimately do. There are only a few hundred weekly magazines at my newsstand and I can quickly learn which ones challenge my views and which don't. Book jacket blurbs make it easy for me to skip books that would challenge me, if that's my goal.
But there are tens of thousands of readers that participate in Slashdot on any given day, and they don't come with cover photos or jacket blurbs. You won't be able to classify them as "liberal" vs. "conservative" or whatever your preferred dichotomy is. You'll probably be able to block out small niche groups if you really want to, but it'll be much harder to eliminate a mode of thought with any popularity.
(And even if you could -- other readers who aren't as rigid in their biases would at least get to see all the opposing camps patting themselves on the back. You don't wear the blinders unless you put them on yourself.)
Fundamentally this is a human social problem, not a Slashdot problem, but my best guess is that Slashdot's social model will not exacerbate it. And if it's bad, we'll make it better. Nothing's cast in stone. We want a vibrant, challenging forum with lots of points of view too ya know -- the better the discussions, the better for us too.
That's why it asks you "are you sure you want to do this?" You have to click twice. And formkeys prevent trolls from forcing you into "one-click shopping."
"Washington 19 Oct 99 Republican presidential candidate Gary Bauer called on Gov. George W. Bush to reverse his position calling for an ease on supercomputer export controls."
Googling around, I see a lot of right-wing wackiness attacking both Bush Jr. and Clinton for proposing (and actually doing, respectively) the lifting of supercomputer restrictions. One 1999 report called "RED FLAGS OF TREASON" suggests that China is pretending to know more about supercomputers than it really does, so that the gullible Americans will let down their guard and sell them the supercomputers they can't make themselves.
Now that Apple sells "supercomputer" laptops and Cringely is
writing
about building a clustered supercomputer in his garage, the restrictions of the 80s and 90s seem a little silly...
"I didn't finish the whole thing, but I was suprised to not read about FRANK DRAKE and the DRAKE EQUATION."
Get your paws off me, you damn dirty karma whore:)
Frank Drake actually shows up, but his last name isn't used. Seth couldn't be talking about anyone else; this would be Project Ozma:
"When Frank did the first experiment in 1960, that's the way it was done. He just had a little motor that essentially turned the knob on the receiver and turned it up and down the dial, very slowly, you see, so the frequency was changing. And you could just look at the output. And he had a loudspeaker connected to it."
The Newsbytes article is a little confusing... it leads by claiming Microsoft "will" patch the flaw. But if you keep reading, you see that they originally did not consider it a flaw at all (which explains the slow response time). Then it turns out a beta of the patch has been tested internally, but then we see this:
"A Microsoft spokesperson said the company does not currently have any information to share on the issue and declined to discuss the status of the browser patch."
In other words, "no comment." Sounds to me exactly like "refusing to provide any information." So what was incorrect about Michael's writeup?
"So, as much as we want to believe that security through obscurity doesn't work, the vast majority of users have been safer because this sploit didn't show up on BUGTRAQ."
Bad troll, no donut. Two exploits were posted to bugtraq on Nov. 28 and 29, though not by the vulnerability's original discoverer.
The vulnerability was posted to Bugtraq on Nov. 26. One person
tried to reproduce it the same day and failed. Its discoverer, Jouko
Pynnonen, pointed out on bugtraq later the same day that:
Some details needed for reproducing and exploiting
the flaw were left out of my posting because there is no good
workaround or a patch available, and the flaw could be quite easily
used maliciously. Using those details it would be relatively easy to
create a worm that infects a system when a user "opens" a plain text
file from an infected website, for instance. For the same reason
there wasn't any test page URL included in my posting. That, and
technical details will be published later.
Considering Microsoft's obstructionist response ("it's not a
vulnerability, we'll fix it when we fix it, stop asking questions"),
Jouko has been very kind not to publish any additional information
about his discovery.
Nevertheless, other people tried to reproduce the exploit and
succeeded. Jonathan G. Lampe posted on Nov. 29:
I have confirmed Jouko Pynnonen's and StatiC's findings that IE 5.5 sp 2
allows executables to run as soon as a user has elected to open what
appears to be a normally harmless ".txt" file. (IE 5.5 trusts the filename
provided in the link over the filename suggested by the header's filename
tag and/or the use of an "application/octet-stream" content type.)
Here is the ASP equivalent code to StatiC's php tidbit...
I'd say the odds are pretty good that this is already being
exploited in the wild.
There was some discussion of whether IE6 was vulnerable in the
same way as IE5; the published exploit didn't seem to work on IE6.
Jouko had originally commented that "Internet Explorer 6 is
exploitable in a slightly different way, but the effect is the same."
Slashdot Mirror
This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:
What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:
If you'd just eliminated the extraneous <BR> tags, you'd have been fine. <LI> breaks the line, so your <BR>s were overkill.
If you think it was "movies on computer," you probably weren't a very good player. Ah, the joys of King of the Hill on Venice, with the WW2 plugin... your squad gets torn apart in about 5 minutes but you can still hold the flag long enough to win. "Woot" and stuff.
In fact it was Bungie's networking code for Myth II that was so good it was originally a replacement for, and later became a new version of, Apple's net gaming library (NetSprockets).
gotta post something to test code... ignore pls
One comment and one moderator. From that you're drawing conclusions about "the general population" of Slashdot? Awfully anecdotal evidence to draw conclusions from... what were you saying about science?
How about looking at the whole thread, in which several readers (who have been moderated higher) point out the error, correct it, and provide three links to interesting websites about interstellar objects and distances. Or do you prefer to focus only on negative anecdotes?
Yeah. Take a look at this report, which goes into some technical detail about what your TiVo sends back (they watched the modem line as data transferred):
http://www.privacyfoundation.org/privacywatch/ report.asp?id=62&action=0
Your TiVo machine basically just sends its syslog home every night, complete with information like this:
Except it's transmitted in a form that looks like this:
and of course it's anonymized, traceable only to your zipcode.
The PrivacyFoundation.org report linked above broke the news that the way the anonymized data is FTP'd up to TiVo's homebase leaves a way that an insider employee (or an unscrupulous, lying company) could potentially correlate your syslog to your name, instead of just your zipcode. I've no idea whether TiVo has changed its practices after the report came out two years ago, but I'm not aware of them having done so.
That's why I was thinking of an MP3 player sold with a wireless card intended for legitimate use connecting to a computer. It's hard to bust manufacturers for selling goods that can't be proven to be intended for illegitimate purposes.
The question is, how hard is it to switch the device into "sharing mode"? If it's just flipping a dipswitch, the manufacturer may be liable. If it's a complex program, the DMCA can be used to stop distribution of that program (like DeCSS). Is there a happy medium somewhere between the two? I think an almost-trivially-simple program might be a successful strategy, both technically and legally: get the manufacturer off the hook and yet leave the copyright holders unable to use the DMCA on something quite simple.
Thanks. I updated the story. Geez I love Slashdot sometimes, y'all don't let me get away with anything.
It's not a slashdotting; the site went down shortly before Slashdot ran the story. I'd checked the link a few minutes before it went live, but we only confirmed it being down right as the story went up, so we couldn't take it back down again.
Hopefully they'll have it fixed soon.
If anyone cares, duke.com does provide their DNS and duke.com is currently unreachable. Duke.com also appears to provide a wide variety of Windows-related products such as magazines and email lists (according to Google's cache).
Iccx.net is their upstream provider and iccx appears to have a router misconfigured or something. And not that it matters, but...
$ HEAD 'http://www.iccx.net/'
200 OK
Cache-Control: private
Connection: Keep-Alive
Date: Mon, 04 Feb 2002 17:05:58 GMT
Server: Microsoft-IIS/4.0
...
Unfortunately, I can't find the original story anywhere in Google's cache. Sorry.
It seems to work that way. The pool of possible TV shows is large enough that any one person really only likes a very small percentage of them. And a family of four may like four times as much, but that's still a tiny fraction of the available programming. The algorithm doesn't freak out, it can treat a family of four just like a single person who has eclectic taste and watches a lot of TV.
It's kind of a moot point in my experience. The suggestions aren't as useful as the main point of Tivo -- which is season-passing your favorite shows and poking in keywords for things you know you're going to like. Tivo's suggestions are fun sometimes, both to browse through its whole list, and to be surprised by stuff it records when there's free hard drive space. But that's secondary.
In other words, you'll be too busy fighting over whose season passes get to be highest on the priority list to care :)
http://slashdot.org/search.pl?query=truste &op=stories&sort=1
I ran the TrustE "vs." Real story here in 1999, and I spent a little while summing up their history-to-date.
Claim: NASA spent millions of dollars developing an "astronaut pen" that would work in outer space; the Soviets solved the same problem by simply using pencils.
Status: False.
[...]
ACs, whether modded up or down, are saved in the archive, along with every other comment that gets posted. Here's a sample archived story, chosen at random, with a couple of score:-1 and AC posts near the top.
I don't think we're guaranteeing that this will always be true, but so far, every comment posted to Slashdot since we made the switch to the 2.2 codebase is still available on Slashdot. Except for the handful we lost in a database crash dagnabbit.
We compared notes last night on IRC and it seems we all independently settled on "Threshold 0, Newest First."
BTW, "Adolf Hitler" is an apropos choice for the person to (sarcastically) voice your concerns. Hitler was known for being a voracious reader, going through two or even three books a day. But whatever the subject matter was, he only took away what was relevant to his world-view. Namely, whatever he thought related to racial purity or racial struggle, his people vs. the other peoples of the world, and in particular the Jews. He's a good symbol for that kind of insular ignorance.
But there are tens of thousands of readers that participate in Slashdot on any given day, and they don't come with cover photos or jacket blurbs. You won't be able to classify them as "liberal" vs. "conservative" or whatever your preferred dichotomy is. You'll probably be able to block out small niche groups if you really want to, but it'll be much harder to eliminate a mode of thought with any popularity.
(And even if you could -- other readers who aren't as rigid in their biases would at least get to see all the opposing camps patting themselves on the back. You don't wear the blinders unless you put them on yourself.)
Fundamentally this is a human social problem, not a Slashdot problem, but my best guess is that Slashdot's social model will not exacerbate it. And if it's bad, we'll make it better. Nothing's cast in stone. We want a vibrant, challenging forum with lots of points of view too ya know -- the better the discussions, the better for us too.
Good point, thanks. We'll address this.
That's why it asks you "are you sure you want to do this?" You have to click twice. And formkeys prevent trolls from forcing you into "one-click shopping."
"Washington 19 Oct 99 Republican presidential candidate Gary Bauer called on Gov. George W. Bush to reverse his position calling for an ease on supercomputer export controls."
Googling around, I see a lot of right-wing wackiness attacking both Bush Jr. and Clinton for proposing (and actually doing, respectively) the lifting of supercomputer restrictions. One 1999 report called "RED FLAGS OF TREASON" suggests that China is pretending to know more about supercomputers than it really does, so that the gullible Americans will let down their guard and sell them the supercomputers they can't make themselves.
Now that Apple sells "supercomputer" laptops and Cringely is writing about building a clustered supercomputer in his garage, the restrictions of the 80s and 90s seem a little silly...
Get your paws off me, you damn dirty karma whore :)
Frank Drake actually shows up, but his last name isn't used. Seth couldn't be talking about anyone else; this would be Project Ozma:
Yes they will. Please read down to paragraph 5 before posting, thanks.
"Universal Music is the most aggressive in its anti-piracy efforts, saying that all of its CDs will be copy-protected by mid-2002."
In other words, "no comment." Sounds to me exactly like "refusing to provide any information." So what was incorrect about Michael's writeup?
Bad troll, no donut. Two exploits were posted to bugtraq on Nov. 28 and 29, though not by the vulnerability's original discoverer.
The vulnerability was posted to Bugtraq on Nov. 26. One person tried to reproduce it the same day and failed. Its discoverer, Jouko Pynnonen, pointed out on bugtraq later the same day that:
Considering Microsoft's obstructionist response ("it's not a vulnerability, we'll fix it when we fix it, stop asking questions"), Jouko has been very kind not to publish any additional information about his discovery.
Nevertheless, other people tried to reproduce the exploit and succeeded. Jonathan G. Lampe posted on Nov. 29:
I'd say the odds are pretty good that this is already being exploited in the wild.
There was some discussion of whether IE6 was vulnerable in the same way as IE5; the published exploit didn't seem to work on IE6. Jouko had originally commented that "Internet Explorer 6 is exploitable in a slightly different way, but the effect is the same."