Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories
0
Comments
7,948
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 7,948

  1. Ooohhh... Pizza..... Anchovies..... on uClinux Ported to the iPod · · Score: 1

    I'd like one with the little fishies on it. yeah, delivered. Like, here, man! oh, right - Antarctica!

  2. Re:Scarily Warhol-speed propagation on Slashback: Slammer, Frames, Pop-Ups · · Score: 1
    I did actually work on some parts of that network in a previous job. The big security advantage of SNA is that, unlike on the Internet where anybody can send packets to anybody else if there's no firewall in the way, in an SNA network people can only send stuff on their own networks after somebody's done lots of work making sure it's all connected right. Of course, these days lots of the SNA is really tunneled across IP, so it could also be carried on the Internet or a private network, but back when lots of banks still ran their ATMs on 9600 baud multi-drop circuits with 10-20 ATMs on them and various polling protocols, there wasn't anybody else's packet that could get on your wires.

    It was possible to port UUCP to run on top of it. Spectacularly bad idea, but possible....

  3. Paranoid followup to my own article on Slashback: Slammer, Frames, Pop-Ups · · Score: 2, Interesting
    It's even worse than it appears :-) If the percentage of systems vulnerable to Slammer / Sapphire had been much higher, they could still have been infected in the same amount of time or faster, because the infection only depends on the vulnerable machine being hit by the packet, so those 55 million attacks/second at peak could infect 55 million machines just as easily as one machine. (And of course, more infected machines means more attacks getting out, subject to ISP bandwidth bottlenecks, so the peak speed would probably have been even highter.)

    The main Warhol Worm / Flash Worm papers were concerned about worms that had some level of efficiency and coordination of their targets - first scan for targets over a long period of time, then take 10,000 zombies and give each one a partial list of targets to attack, and hauling around the list of targets turns out to slow the process significantly, in return for increased efficiency. This one just used random search and let it rip, so it didn't need the overhead of using a list, though it's possible that the perpetrator had some set of targets pre-planned, as opposed to just taking an 0wnzr'd Korean proxy server and spraypainting Korea with it to start off the process.

  4. Scarily Warhol-speed propagation on Slashback: Slammer, Frames, Pop-Ups · · Score: 4, Interesting
    At its peak, it was scanning about 100 times as many machines as it eventually infected (though the exact number of victims is very hard to determine.) Now, this is partly because the average victim could spray over 100 targets per second, since the infection method required just one amazingly fast packet, so you'd expect this kind of thing to happen ;-) But it felt a lot like A Fire Upon The Deep, where the computer virus found in the old library is becoming self-aware and jumping onto the escaping rocket ship - it was clearly Warhol speed. We don't know how many machines were really infected, because the random number generator was slightly buggy, so any given virus-detection point would only see hits from the numerically-nearby infected machines.

    It would probably have taken very little extra work to add an arbitrarily large payload to it, built as a second module. Leave the original scanner blasting away with the small packets, since most of them won't succeed in infecting a machine, but have a newly-infected machine contact the machine that infected it to fetch the second payload (and then forget where that one came from, to make later back-tracing harder).

    I doubt you'll see a detailed white paper about Bank of America's system; most big companies would consider that kind of thing proprietary, though almost any large financial company would have put together a large team to spend several days of argument, wrangling, and recrimination to find out what happened and make sure it doesn't happen again, but you'll only see a technical explanation if they decide that's the best public-relations move. Most of the guesses I've seen on the net (or at least the ones that sounded plausible to me :-) are that they were probably just using internet-based VPNs to support those ATMs, and got flooded out by the worm's volume, but didn't actually get infected. Hard to say whether the parts that got flooded were the little ends near each ATM, the big end near the bank, or somewhere in the middle like some ATM network service provider. Remember that 10-15000 IP addresses makes a much bigger target than a single IP address, so if there's anywhere that their connections are all visible, the traffic flood could be pretty heavy.

  5. Front Doors, not Back Doors. Admin work! on Shell Simulation Via CGI · · Score: 3, Insightful
    It's not a back door, it's a front door. The question is where you are once you walk in the door - chrooted jail, or do you have the run of the house? CGI always offered the possibility of doing lots of things that might be unsafe, and requires administration of systems in a way that restricts the options available to the browser to things that are either relatively safe to the system as a whole or only able to bother the user who installed this in his own directory. You should have done this anyway! And of course, if you're a user, you probably shouldn't install this application on a server you actually care much about until the security features get upgraded a bit.

    (Obviously if your hosting provider uses a Windows system instead of Unix, the answer to "where are you" is "Probably nowhere interesting", though it can probably be adapted to support Windows command line services as well.)

  6. GNU/Deutschland ? on Corporate KDE · · Score: 1
    Verzeihen Sie mir. But it had to be said.

    Arrgh - I don't remember the grammar well enough, and Babelfish is blocked by our firewall's content filter. Sigh.

  7. AOL's content-only service on AOL Not Alone In Subscriber Decline · · Score: 1

    For many people, the big value about AOL is not just the dialup access, it's the content - Instant Messaging with their friends, chat rooms, cheerful People-Magazine-style news, etc. MSN may have a little bit of this, and as far as I know Earthlink has none of it that isn't openly web-accessible. A while back AOL started offering a content-only account for about $10 for people who had their own ISP connections, which meant that if you had broadband or a real dialup provider, you could still get your AOL and keep your AOL email. Not sure if that's still the case or not.

  8. Mail forwarders like pobox.com on AOL Not Alone In Subscriber Decline · · Score: 1
    I started using pobox.com about five years ago, just to deal with this problem. For a fairly low price, you get an email address with them, and they forward it to whatever ISP you're using. This lets you keep the same address forever, though now that spammers have taken over the world it may be time to get a domain name instead. Pobox.com was started by a couple of students in their dorm rooms, and rapidly expanded to a real business.

    Fastmail.fm has a nice tagged email feature using subdomains - not only can you get mail at username+tag@fastmail.fm, but tag@username.fastmail.fm translates to the same thing, so you can give everybody an email address like that and trash any addresses used by spammers. Like many of the newer web mail systems, they also let you retrieve mail from them with IMAP, and can fetch mail from other systems with POP or IMAP.

    I haven't actually gotten rid of the Netcom->Mindspring->Earthlink dialup account I used back when I got the pobox.com account, though with broadband and work-provided dialup for my laptop it's about time to.

  9. Re:Yo, Starbucks Bashers... on Tampering with Taste Buds for Better Coffee? · · Score: 1
    It's nice to hear there were some oases of coffee culture in LA, but they were few and far between - for the most part, coffee in hotels and restaurants there was really appallingly bad before Starbucks. Maybe as a local you'd find the good places, but as a traveller, it was pretty depressing (plus my mother-in-law isn't a coffee drinker, so when I stayed with her the choice was instant or tea until a Starbucks opened around the corner.)

    One of the last holdouts against good coffee seems to be Sacramento - it's possible to find it there, mainly at ethnic restaurants, but overall there appears to be a conspiracy not to sell any coffee strong enough to wake up a state bureaucrat, which is probably not such a bad thing. (And the weakest coffee I've had there was in fact at the cafeteria in a state office building.)

  10. My notation was apparently not clear. on VeriSign Changes DNS Servers: No ASCII Needed · · Score: 1

    When I used "aa", "AA", etc., I wasn't referring to the Danish AA = Å (Duhh - I should have thought of that problem; I've been to Århus/Aarhus and Aalborg/Ålborg); I was referring to two bytes which could be interpreted as two single-byte characters or one double-byte character, demonstrating that this can lead you to do the wrong thing. I probably should have used xy/XY/Xy/xY or some U+4-digits instead.

  11. Re:Isn't it called "monosodium glutasmate"? on Tampering with Taste Buds for Better Coffee? · · Score: 1

    McD's changed to vegetable oil long before that, but made up for it by adding beef fat to the frozen fries so they'd still taste somewhat the same, which was a big surprise to all of us who don't like animal corpses in our food. The people who did the "long live the new fries" in the late 90s were Burger King, and it was more than just switching to vegetable oil, it was some sort of pre-preparation of the potatoes before freezing that made them turn greasy and terrible when fried. So instead of being not quite as good as McD's, they were now much worse. This was disappointing, because Burger King's veggie whoppers are a good vegetarian fast food (not their new veggie-burgers, which are the lamest veggie-burger I've had so far, just their regular Whopper without the meat.) It turns out they've also got some kind of chicken extract in their fries, so there are multiple reasons not to eat them. In-n-Out Burger's fries start by taking an actual potato that you can watch them cut and dump in a fryer, though depending on how long they sit around before you get yours, they can still get limp; perhaps the various meat fat treatments help them survive that better.

  12. Re:Black Coffee on Tampering with Taste Buds for Better Coffee? · · Score: 1

    "It is by caffeine alone I set my mind in motion.
    It is by the Beans of Java that thoughts acquire speed,
    the hands acquire shaking, the shaking becomes a warning.
    It is by caffeine alone I set my mind in motion."
    -- National Lampoon's "Doon"
  13. Re:ATM networks do this on A New Protocol For Faster Web Services? · · Score: 1
    Disclaimer: Or you can ask me for details - I do this stuff as my day job at a major telecomm carrier, and since we can sell you any kind of network you want, I can usually be pretty objective about comparisons.

    While ATM is more important for voice and video applications than pure data, it's also valuable for environments where some applications are more latency sensitive than others, such as database queries. In a local area network, I agree that ATM isn't going to win compared to Ethernets; standard CSMA Ethernet is less efficient for most applications, but the fact that a 100 Mbps interface card costs $10 makes up for that, and ATM-to-the-desktop was pretty much dead before anybody deployed any of it.

    But in a wide area network, what matters isn't how much bandwidth you consume, it's how much bandwidth you _buy_ and how efficiently you can use it to meet your application needs, and ATM and frame relay networks can often do that quite well. Yes, there's ~15 percent overhead on your ATM packets, but that gives you and your carrier a lot of flexibility in tuning performance, and in balancing what kinds of switching and routing goes where. You've probably noticed that most DSL equipment is running ATM, which is one of the main reasons you can get DSL internet service from a large number of ISPs, even though most of them use a telco or Covad to provide the access.

    Fragmentation at Layer 2, which ATM is, is a much different issue than fragmentation at Layer 3. You really, really don't want fragmentation at layer 3, because that typically adds 20 bytes of IP header, but ATM only adds 5 bytes of layer 2 header per 48-byte data payload, and in return you get the ability to interleave different data streams, which matters a lot if you're trying to mix big file transfer packets and smaller interactive-application packets (whether voice or telnet or whatever.) On big pipes, you won't notice, but on a 56kbps connection, you'd really rather not have your voice packet stuck behind a 1500-byte ftp packet (which takes about 200ms), and even on a T1 line, voice is happier if you don't have to wait for more than one ATM cell (about 1/3 ms) as opposed to the ~10ms for the big packet. With two PVCs, you can do this (at least at one end of the connection; some routers are too dumb to interleave ATM cells from IP packets on different PVCs.)

    As far as the problem of losing one cell trashing your whole packet goes, modern ATM switches usually have big enough buffers to handle a multiple TCP sessions well,
    and the early packet discard / partial packet discard capabilities let you trash the remaining half of a packet if you overflow a buffer (which is basically the same thing that happens on an IP router if there's not room for a whole packet.) Before EPD/PPD, there was the "sandblasting" problem, where a switch would lose one or two cells from a lot of packets instead of lots of cells from a small number of packets, which was obviously a Bad Thing, but it isn't a problem now.

  14. Yo, Starbucks Bashers... on Tampering with Taste Buds for Better Coffee? · · Score: 1
    Sure, it's politically correct here in San Francisco, where we've always had good coffee, to bash Starbucks for being yuppie-attractants, and I prefer Peet's coffees and local-character coffee houses to mass-production too, but do you remember what coffee was like in most of the US before Starbucks got there? Tasteless brownish water made in a percolator was pretty much the standard. People even used instant coffee at home. And if you wanted decaf, it was always Sanka instant... Starbucks changed that, and in doing so pushed other businesses to improve their coffee (as well as introducing the concept that you can charge somebody $2-3 for a cup instead of $0.50, which made it possible for them to ...PROFIT!!) Even 5-6 years ago, the only way to get decent coffee in LA was to go to Starbucks; part of the problem is the water, which gets covered up by coffee flavor when you make espresso, as opposed to Mexican-style weaker coffee, but most of it was attitude of the coffee-makers.

    The other people who get credit for significantly improving Americans' coffee are the marketers of Mr. Coffee, which got us to use drip-filter coffee instead of percolators or instant.

    Briefly getting sort of back to the original topic, remember Kava instant coffee, which didn't get rid of bitterness, but got rid of acidity, for people who didn't want the acids in their stomach and maybe didn't like the taste? It was instant coffee with some alkali like potassium hydroxide added, and was absolutely the worst stuff I'd had that claimed to be coffee.

  15. There are standards for those things. on VeriSign Changes DNS Servers: No ASCII Needed · · Score: 3, Interesting
    We've been dealing with internationalization for more than a decade - applications either support UTF8 or Unicode or CP850 or some similar standard for handling them, or else they don't, and most operating systems provide some hook for inputting them. (That won't help 7-bit-character implementations of vi, but too bad :-) Windows has their Character Map application, so I can go get an Å and a å and cut&paste them into my document.

    The real problem is that the DNS standards say that capital and lower-case letters are equivalent, so example.com and EXAMPLE.COM and ExAmPlE.com all get the same result, and DNS lookups translate everything to the same case before looking it up. To handle single-byte international character sets wouldn't have been that difficult - either define a mapping from uppercase to lowercase, or else require that users translate all of those things by hand. But Unicode's two-byte characters make this fail badly - if the bytes happen to be aa, changing them to AA gets you an entirely unrelated character, and vice versa, but the DNS standards force this to be done, because they don't know about double-byte characters. The most serious problems this causes are that only about 1/4 of the characters are valid in DNS, which makes far too many words unavailable - it's bad enough that aa and AA and aA and Aa all become aa, but the chances of a 10-letter word being available are way too low (and think about the trademark problems of coke.com vs. COKE.com vs. CoKe.com etc.) Other problems include the chance that you can't display reverse DNS names properly (because the database has the wrong case in it) or alternatively that the canonical forward and reverse DNS names are different, which is annoying enough for 7-bit character sets where only the case is different, but when the letters change entirely, it's really bad.

  16. Re:All nonascii domains resolve to 198.41.1.35 on VeriSign Changes DNS Servers: No ASCII Needed · · Score: 1
    As near as I can tell by reading the Verisign documentation, they're doing this to redirect web page requests using a browser plugin, but they're not doing anything about email - so your email client can't resolve username@ChineseServerName.com, and even if it did, 198.41.1.35 probably won't accept it. (And if they _did_ accept it, they'd be the World's Largest Open SMTP Relay, which has its own entertainment value.)

    Spectacularly broken, but fortunately it only works for people who use Verisign's IE plugin, which makes it much harder to sell these domain names.

  17. Email fails on VeriSign Changes DNS Servers: No ASCII Needed · · Score: 4, Insightful

    At least the way I read the document, it does only support web servers, which means that SMTP email fails, as well as all the other services. So you can have http://MyChineseServerName.com but not postmaster@MyChineseServerName.com, which is spectacularly broken.

  18. Processor is too fast on A Commodore 64 For The New Millenium · · Score: 1

    It's 20 MHz when the original was 1 MHz. Doesn't this mean that the Space Invaders will come down and kick your ass before you can shoot them, and the cars will run over Frogger before you can get him across the road?

  19. Bushnell's Lion & Compass Restaurant on Father of Video Games turning 60 · · Score: 1
    There's a restaurant off 101 in Sunnyvale called the "Lion & Compass", started by Nolan Bushnell in the early 80s because he was frustrated by the lack of good reastaurants in the area. There's a magazine article in the back hallway talking about how the place was the mid-80s computer boom hangout for engineers talking about ideas and venture capitalists talking about how to fund them, which was entertainingly reminiscent of so many places here in Silicon Valley in the late 90s boom. the food was pretty good, though it was more for carnivores than for vegetarians.

    And it was an amazing contrast to Chuck E. Cheese, which is pure evil, in the Disneyland-plus-bad-pizza variety.

  20. Still crap. on The Always-Encrypted Firewire Hard Drive · · Score: 1

    The encryption isn't strong enough to keep out a skilled professional or a medium-sized group of annoyed amateurs. Therefore it offers no benefit over simply using its authentication token device as a password substitute, which is good enough to keep out unskilled amateurs. Meanwhile, the fact that they're even bothering to use 40-bit encryption, and that they're claiming it's military-grade security, and that it's good enough for several sets of users who might have actual security needs that this clearly isn't good enough for is a strong indication that these guys are at best technically clueless, or else blatantly dishonest. So you could buy one of these as a n IDE-to-Firewire/USB2 adapter, but I'd be worried about the thing losing my data as well as not keeping it secure when the CIA spooks sneak through my windows at night to steal the evidence I've collected about the Roswell aliens. Also, it's not subpoena-proof, because the key is (at least apparently) kept in the little key-frob, rather than being something you enter yourself, so any court that can force you to turn over the drive can force you to turn over the key-frob (as opposed to forcing you to tell them a password, which you can argue about.)

  21. Re:DES weaknesses on The Always-Encrypted Firewire Hard Drive · · Score: 1

    It's straightforward - if you're talking about brute-force search, a 56-bit key takes 2**56 attempts to cover all the possible values, which a 40-bit key only takes 2**40, so thats 1/2**16 times as many. There are some subtleties; it's easy to get by with 2**55 tests for DES, and on the average either method hits the jackpot after trying about half the keys. Depending on how you get from 40-bit keys to 56-bit, e.g. using a strong slow hash, or setting the low or high or non-middle 16 bits to some constant like 0s, or using some fixed 16 extra bits that you'll happlily give the cops, or 16 bits from the serial number, you may require some extra computation, and you'll probably annoy the keysearch order that otherwise makes keyscheduling efficient, but even then it's not a huge impact compared to dropping the keysize to 40 bits.

  22. Re:DES weaknesses on The Always-Encrypted Firewire Hard Drive · · Score: 1
    Longer blocks are good, but birthday attacks only matter when someone can construct a problem where they let the attacker do something useful; that's highly unlikely for most disk encryption algorithms, which are used to haul around large sectors of disk space, e.g. 512-8192 bytes. 35GB may be enough that you'd have two 64-bit blocks of disk that have identical cyphertext and different plaintext, but it's not useful to anybody.

    As fast as safe operation modes goes, the nice thing about 40/56/64-bit encryption is that you scarcely have to worry about whether something else is the Weakest Link instead :-(.

  23. It doesn't come with the drive :-) on The Always-Encrypted Firewire Hard Drive · · Score: 1

    It's just an enclosure for the drive, with a controller. Bring your own IDE.

  24. DES weaknesses on The Always-Encrypted Firewire Hard Drive · · Score: 4, Interesting
    3DES is just fine - as you say, DES hasn't been cracked, it's just been brute-forced, and 3DES increases the brute-force work by 2**56, which means it'd take about 2**56 days to brute-force instead of about 1 day. The only reasons not to use 3DES are that it's 3 times slower than DES (no big deal here), or that you trust AES well enough to use it instead (about 10 times faster than 3DES), or that you don't have enough room in some existing protocol to store a 112-bit or 168-bit key, in which case you should probably fix your protocol instead.

    "40-bit DES", on the other hand, is either a well-designed crock or poorly-designed crock, which is pretty trivial to crack. The only reason to use such any 40-bit key is to comply with anti-Communist US export regulations that got dropped a few years ago, largely due to the EFF's DES-cracker machine and the internet distributed DES crack effort, both of which emphasized the weakness of 16-bit DES.

    On a technical note, cracking well-designed 40-bit DES subsets is not 2**16 times faster than cracking 56-bit DES, or John Gilmore could do it in 3 minutes in his basement. DES has two main phases, a key-scheduling phase and an S-box phase, and the DES cracking efforts took advantage of some interesting work by Peter Trei on key scheduling, which found a search order that makes each key-schedule a simple modification of the previous one, instead if its normal relatively slow calculation. So a 40-bit DES crack might take 5-10 times as long per key as a 56-bit DES crack, unless the 40-bit subset was designed to avoid that. On the other hand, the EFF and Internet DES cracks were in 1998, and computers have gotten about 8-10 times faster since then...

  25. Rest Of World's Got US Beat on some of those on Giant Sucking Noise · · Score: 1

    Well, the rest of the world's got the US beat on some of those too. Creative accounting practices? We're way late to that game, and there's lots and lots of competition? Monopoly Building? The French and Brits invented their versions of it, and the Indians learned it from the Brits - think about VSNL, the World's Least Competent Big Phone Company. Entertainment? India's got a similar size movie industry, though a smaller export market. Some of the rest of those are still Yankee-dominated though.