Slashdot Mirror


User: Meostro

Meostro's activity in the archive.

Stories: 0
Comments: 254

Comments · 254

  1. Re: OT - Popups on Breaking Google's DRM · · Score: 1

    I have no God-given right to view the content, you have no God-given right to spawn popups or tabs on my machine. Deal? :-)

    Deal. I infer (rightly or wrongly) that you believe I'm propagating some kind of popup advertising. Plainly and simply, I can't fucking stand popup ads. Google Toolbar is my friend, and any site that pops up despite its use is null-routed in my HOSTS file. Pain in the ass, but if that's what it takes, then so be it. I've sent some angry letters to advertisees before (one newspaper in New England comes to mind), but I've either gotten back a boilerplate "thank you for your inquiry" or, in the above case, a note that says "curious..."

    Independent of that, my off-topic point in this is that I don't have an option: I have no choice as to what gets opened, new window or new tab. This lack of choice is unrelated to UA (user-agent) preference. *You* can select how you want to open popups (if you allow them at all), but on the design-side, I have no choice. This particular problem is annoying in another way too, in that AFAIK UA preferences (specifically in Moz) only allow new windows XOR new tabs for new windows/popups, and ne'er the twain shall meet. Haven't checked back recently, I probably need to upgrade to 1.0 too.

  2. Re:Hey autopr0n on Breaking Google's DRM · · Score: 1

    Designers didn't pay for my machine, why should they have any right to control what I do with it

    You didn't pay for the content, why should you have any right to control what you can do with it?

    As a designer, I want the ability to present something one way, take it or leave it. Yes, I should make my page so it works on every browser under every resolution, etc., but if I don't want to, then basically "screw you". (Please note: this is not "screw you autopr0n")

    Just as above, the ability to change the Print layout is a *feature*, so you can create brilliant pages with ads all over them, and when your user prints out the page, the ads magically disappear and it gets formatted properly for printing. Read up on CSS, it's incredibly complicated but you can do some pretty brilliant stuff.

    The Save As... I'm not so sure about, I think that might just be a failure of the browser itself. I tried WGET with the "retrieve page requisites" and it didn't get the images either, I feel that's a failure of WGET to properly parse the CSS to display the image.

    I actually came across the opposite problem: In creating a catalog system, I wanted the ability to create a popup as a tab, independent of how the user specified "open popups as tabs". I can't do it: there is no openNewTab function, even as an extension under Moz. It'd be fine if there were several options (open tabs as tabs, as popups, open popups as popups, tabs), but as of yet, there is no way to even request anything but a popup, and I won't know if it's a popup or a new tab without poking around at attributes and whatnot. It's kind of annoying!

  3. Re:Security issue? on Breaking Google's DRM · · Score: 4, Insightful

    What the hell is wrong with you people?

    This is a *feature* of nearly all modern ECMAScript browsers: You can specify what happens when someone clicks on your page! This "feature" is how you (or more likely someone else) can create a swanky custom context-menu for a browser that matches the functionality in your OS. My goodness, the sky really IS falling!

    Quit bitching, just because Google does it a little better than the average disable right-click page does... (right-click and hold it, hit enter for the Alert() and let go, your context menu will pop up)

    WindowsUpdate uses document.contextMenu to disable right-clicking there too, but I don't see anyone bitching about Windows DRM for patch management, only for video/audio.

    Oh, wait... M$ uses it, therefore it's evil. Bad Google! No cookie for you!

  4. Coral Cache of video on Chimp Can Hack Diebold Electronic Voting System · · Score: 3, Informative

    http://www.blackboxvoting.org.nyud.net:8090/baxter/baxterVPR.mov

    Although it's pretty weak... just a bunch of cuts of a monkey and a computer.

  5. Re: wow... That was weird. on Ask Green Party Presidential Candidate David Cobb · · Score: 1

    ...you noodle armed nancy pants.

    Best.... insult.... ever!

  6. Re:Does this really help? on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 1

    I was under the impression that you'd have to keep them in sync, that there was some kind of sequence to them.... you generate the next step every second. If you don't, you'll have to go through X steps when you authenticate, X = # of minutes since last authentication. Then instead of just knowing MD5(time), you would have to generate MD5(MD5(MD5(starttime))) 3 minutes later if you're trying to hack it.

    If it's just some kind of hash of a timestamp, why wouldn't it allow you to enter your time on the card? No time-drift problems, no oscillator and it wouldn't have to be always-on, battery life would go up a lot.

  7. Does this really help? on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 1

    Does my small small device show the same number as everyone else's? If so, how does this help with phishing, as long as Phisher Bob can get his hands on one?

    If it doesn't show the same #, does AOL generate a new # every 60 seconds for every subscriber? Not sure, but that seems like a lot of work... Anyone know specs on the RSA algorithm used? From TFA:

    Gartner analyst Avivah Litan believes a "very narrow set of consumers" -- perhaps 5 percent to 15 percent of AOL's 30 million subscribers -- would sign up, but "you have to start somewhere."

    So they're talking about 25k key updates per second if they only have 5%. Is this a "you need a cluster of HAL-9001s to keep up" kind of problem, or is it more of a "that 486 you use as a doorstop could be useful again"?

  8. Re:Not a bad idea on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 1

    AmEx provides SmartCard readers for its Blue line, with a program already embedded in the chip on the card.

    Pretty cool.

  9. Re:Good deal - basic math? on AOL Moves Beyond Single Passwords for Log-Ons · · Score: 2, Informative

    How exactly does $9.95 plus $1.95 per month get to be $60/yr?

    1.95 * 12 = 23.4
    23.4 + 9.95 = 33.35
    33.35 != 60

  10. Warning? not sure... on Employees Rights in an Emergency? · · Score: 1

    I don't know if you have any grounds with just a warning, unless an evacuation has been ordered. Even then you might not have anything, I don't know details of Florida law.

    This is, however, the perfect opportunity to tell a story about MY employer and emergency situations.

    Here in Maryland, about two years ago, we had one heck of a storm. There were two feet of snow on the ground, with more expected. All schools were closed for 2 or 3 days, and the governor declared a state of emergency after a couple of National Guard Humvees got stuck. With that announcement came a notice that nobody was allowed to drive on state roads (for about a day), and anyone found driving would be ticketed.

    And our office was open.

    Fortunately, after most everyone who had taken the day off complained, HR decided to write off that day and not dock pay/sick leave/vacation time. For a time, however, everyone faced the prospect of
    (a) breaking the law
    or
    (b) losing a day's pay/leave

    Fun times.

  11. Re:A few points on New Worm Installs Sniffer · · Score: 1

    I'm thinking something purely evil, like cycling display modes or monitor power status once every two seconds. Not ten times a second, the monitor wouldn't keep up, it would always be in flux, but if you let it sleep, then wake it up, then let it sleep, then wake it up....... probably wouldn't take a lot to get a nice loud *ZAP*

    Another option is setting display modes to something insane, a 500Hz refresh rate would be a sight to see, assuming it's possible... I know you can set it to something your monitor doesn't like (Window$ will even tell you which ones it doesn't like), but I don't remember how far rates can be tweaked beyond 60/70/72/75Hz.

    Even just overclocking your video card, which can be done in software could be suitably evil. Nothing obvious, but every once in a while your computer just straight freezes up. If you (evil you) get lucky, you might even manage to fry something when the boss installs that ridiculous "3D multimedia presentation software" he just bought!

    Otherwise, as someone said above, change a couple numbers on a spreadsheet by four, don't ruin anything, just screw with it. If it changed different cells by 10% every time you opened/saved it, you'd never track it down, 'cause "I saw cell A2 change last time, but I fixed it and the #s STILL don't add up right dammit!"

  12. A few points on New Worm Installs Sniffer · · Score: 5, Interesting

    1. A Link to Trend Micro's SDBot.UH analysis

    2. I love the fact that this worm drops itself as BLING.EXE

    3. This worm uses carnivore network sniffer and checks for the following strings

    As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.

    4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
    • It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
    • It attempts to steal CD keys for some games.
    • It installs a network sniffer
    • It has an interface with 26 commands that the bad guys can use on an 0wned box
    • It can log keystrokes

    It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution.

    I'm still waiting for the really bad one...

  13. No wonder... on 20,000 Zombie PCs -- $3000 · · Score: 3, Interesting

    Zombie victim Carty took matters into her own hands: She did research on how to clean up and protect her PC and diligently updates programs that scan her computer for various types of malicious code. Her PC now runs clean. "I had no clue at Christmas that I would become a security expert," she says.

    So that's all it takes to be a security expert these days? No f'ing wonder there are so many security problems these days.

    Also, it lightens my heart and makes me feel all warm and fuzzy that it only took "as many as 70,000 pieces of mail" in a day to get Comcast to shut her down.

  14. Not that guy!!! on Star Wars DVD Set Previews/Reviews · · Score: 5, Funny

    The article also describes a 2.5 hour documentary by Kevin Burns that traces the origins of the saga.

    Did anyone else mis-read that as Ken Burns and think Only 2.5 hours? That must be one of his short films!

  15. Re:DEC? Ha! on The Death of the Floppy Disk · · Score: 1

    I am a consumer, and I even know that DEC == Digital Equipment Corporation. So there.

    Back around 1997 I was considering a DEC Alpha instead of a Wintel as my desktop machine. It was running at 500MHz (I think?) versus 233MHz for the Pentium I eventually bought.

    I figured it was much faster in native Alpha mode, and that I could emulate as fast as I could afford at the time. Also, it came with NT, which was a necessity as I had neither the time nor the desire to learn a brand-new OS just to use my word processor.

    In the end, I just went with status-quo, upgraded from a 486/33 WfW3.11 to a Win98 Pentium 233 with that new-fangled EmEmEx stuff in it.

    (Back thereabouts I installed an early Slackware, maybe 1 or 2, and FreeBSD 2, both of which were a pain in the ass. StarOffice was either just released or hadn't been created yet, and I still used Netscape as my browser of choice. I was also playing with the 1481 beta of NT5, if that gives you a better timescale)

  16. Re:New methods needed? on Implications Of The Recent Hash Function Attacks · · Score: 1

    ...but it'll take 98 billion-billion years for the same computer to do 128-bit SSL.

    Yea, I remembered Moore's Law after I started writing that, so I included that little disclaimer to keep from having to factor him in. Also, I forgot to mention that RSA keyspace isn't really 1:1 with symmetric keyspace, so 1 bit of RSA is more like 0.8 bits or so of DES / IDEA / whatever, don't remember the equivalencies. In either case, use RSA-4096 to make brute-force impossible for anything but quantum computers, and hope that nobody breaks RSA itself.

    Regardless, as long as processing speed doubles in less than half the time it takes to exhaust the keyspace, you might as well hold off on starting to try to brute-force the key.

    I don't understand this line... If you're talking about starting from scratch for a single processor, then yes that's true. But if it's gonna take 132 years to brute-force, there's no better time than now to start. Moreso, even, if you go parallel, then you can just add on a new processor whenever you like, double-the-speed or not, and cut that time in half (or better) with just one additional box.

  17. Not exactly... on MST3K Rightsholders Sue Over Theater Commentary · · Score: 4, Insightful

    Presentations of Mr. Sinus, which was previously known as Mr. Sinus Theater 3000, have Pollet, Egerton and Erler sitting in the cinema's front row, poking fun at chosen movies by making silly comments and singing songs.

    I have to say that in this case, I agree that the big corporation is probably in the right. Three guys trying to cash in on MST3K fame, literally using the same acronym and doing the exact same thing, heckling bad movies. They're not making fun of MST3K, they're just ripping off their format.

    While I would certainly watch, and probably laugh heartily, methinks they might lose this one.

    Alamo Drafthouse approached us maybe about a year ago about licensing Mr. Sinus

    This is interesting because the Drafthouse apparently saw the similarity and tried to nip it in the bud (a.k.a. cover their ass) with a license, but is still presenting the group and allowing them to continue with the same format/name.

  18. Re:New methods needed? on Implications Of The Recent Hash Function Attacks · · Score: 5, Informative

    Slight correction: AFAIK RSA-512 was not broken, it was brute-forced. There is a huge difference between the two.

    Breaking a combination lock is figuring out that you can hear the tumblers go *click* when you hit the right number. It will take you twenty seconds and five tries to get the right combination.

    Brute-Forcing a combination lock is trying every combination from 00-00-00 through 99-99-99 until you get the right one. You will get the right combination, it will just take you long enough that someone will notice you.

    Just to give you back a little bit of a warm-fuzzy feeling about RSA strength, realize that every bit added doubles the brute-force keyspace. So if you can brute-force 40-bit SSL in 10 seconds, you can do 41-bit SSL in 20 seconds, but it'll take 98 billion-billion years for the same computer to do 128-bit SSL.

    For the combo lock analogy, it would be adding on another number to guess, a 4 number lock instead of 3, which would give you 100x as much work (original amount of work to get numbers A-B-C with D=00, then lather, rinse, repeat until D=99). If the combo lock were truly broken instead, it would take you about a minute and seven tries, instead of 100x as long.

  19. Re:Want to listen ? on SCO's Finances, Legal Case Take Hits · · Score: 1

    or here if you want a straight shot...

  20. Re:A Good Slashdotting on Clouds, The Collaborative Photo Mosiac · · Score: 1

    Just a quick follow-up, yesterday I got 11k hits, and between /cloud.jpg, /favicon.ico and plain /, you leeches racked up 3.6GB in traffic. Congrats!

    That was on a single 600k JPG. On one of at least two mirrors. With a pr0n server name.

    It almost hurts to think how much traffic other video / distro sites take when they get slashdotted...

    I think I'll plot some pretty graphs to illustrate the /. effect, maybe submit it as a story (with a non-pr0n site) and see how bad the real-deal is. Not 'till next month, though... can't afford another one of those for a few days. =)

  21. Re:2 things... on Clouds, The Collaborative Photo Mosiac · · Score: 4, Informative

    Actually, it's mostly to keep hits down so I don't get slashdotted myself.

    The average business user can't justify clicking on a link for wetsexygirl.com, even if it really IS a mirror for slashdot (which they're not supposed to visit during work, anyway).

    If I posted with a "legitimate" site name then anyone in the universe could click and I'd be looking at a many-gig bill.

    Eventually there will be some wet, sexy girls there, but since my current hosting provider (Pair networks) doesn't allow pr0n, it'll have to be whenever I change hosts (at least another year).

    Also, it's just nice to be able to mess with y'all. Same thing here for Total Cost of 0wnership, but it's a temporary mirror, so that stuff is already gone.

  22. Mirror image on Clouds, The Collaborative Photo Mosiac · · Score: 5, Informative

    This site looks like a meltdown waiting to happen...

    Current cloud temporary mirror. Be aware that this won't update hourly as the site one does...

  23. The Horror!!! on Why is Java Considered Un-Cool? · · Score: 2

    Does it bother anyone else that this page has 65 ads on it? It frickin' hurts to read, it's almost as bad as http://www.seizurerobots.com/!

    Also it bugs me that this guy has to rant and rave about Java, but he can only come up with eight "uncool reasons" to debunk. C'mon man, the standard Top Ten list has TEN items.

  24. Re:Maybe...... on Sampling Short Sequences From Long MP3 Recordings? · · Score: 1

    Aww, come on... do you really have to Ask Slashdot where to find audio editing tools that can be scripted?

  25. Finally Appropriate on Writing Software for Worldwide Distribution Proves Difficult · · Score: 1

    All your base are belong to us!