The duty for protecting one's house should be up to the homeowner then, so if someone leaves their door unlocked you can enter and do whatever you want in the house. Or if someone leaves their car door unlocked you can go in and do whatever you want.
There is a lot you can do from a web browser or within a web page that is malicious, but I'm sorry to disagree totally that it should be up to the site owner to protect their system and that no repercussion should fall on those that try to go around security. That to me is plain stupid.
I love it when the clueless talk like they know. Have you ever investigated an attempted intrusion or even a successful intrusion? You have to spend X amount of hours going over the logs to see exactly what the offending IP did, and then you go and try to correlate that with other traffic around the time to make sure that there weren't multiple sources involved. You also have to take the data collected and ensure it is protected as digital evidence... Point is, if you have ever investigated cyber crime then you know it is not a quick process, and it costs a good deal of money in man-hours and sometimes in equipment to build a solid case.
Oh and BTW are professional fighters held to a higher standard if they get into a non-sanctioned street brawl? Yes they are because they are trained to fight. All I was intimating was that this person is a so-called professional InfoSec Consultant which makes it hard for him to feign ignorance...
I find it laughable that you think SQL injection for the purposes of gaining access to information that you are not authorized to view is ok. So I can do a bit of SQL injection and have password files or credit card information brought forward... But that is alright since you think "Directory traversing IMO isn't trying to break into a system. Neither is SQL Injection or anything else."
Oh and BTW using the Window analogy is really off. The front page of the website is the Window and what this person did was try and get around that Window by using old exploits. Not everything is as straightforward as they want to make it.
After RTFA and then looking at the poll I am amazed at the reaction. 87% of people think he should not have been convicted thus far because he "didn't cause any damage."
It's time to wake up, people. First point: Yes, he did cause damage. Money was spent investigating the intrusion, which is monetary damages. Second point: He very well could have caused damage had he successfully broken in. Do we not punish crackers now just because they didn't destroy data? Thirdly: He is a professional in the Information Security field! Of all people he should be held to a higher standard because of his career field.
How does this hurt the Penetration Testing career field as well, lol (another piece of FUD in the article...). Professional penetration testers have to sign lengthy contracts that state what they are allowed to do in order to protect themselves from prosecution later on down the road. Documentation is kept during the process of testing so the testers can show that at point X, when they were attempting attack Y, they did or did not shut down Server Z... What this guy did was attempt to break into a system that he had no prior consent to do so! That's illegal, and he, being a security consultant, would know that... I can't just arbitrarily attack a website because I think they might not be real. Sure, people might sympathise with me if I was right, but that doesn't mean it makes it legal.
Actually, yes it is, if they can prove that you are purposely trying to drill down into directories that you know you shouldn't have access to. It's all about proving intent, which can be hard. But for certain ppl (like a computer security consultant) I think it would be hard for him to feign ignorance in the eyes of a judge/jury...
Moral of the story: Do not try to use the excuse of curiosity to break into another person's system. If he was concerned over the validity of the site in question he should have done web searches on it and/or other background checks. As a "security consultant" he should have known better, and the judge IMO did the right thing. I don't see where this person's rights are being violated here, as he was the one who acted as an attacker in this scenario.
If you think this is ok then would it be ok for me to use the excuse "I think Slashdot might be leaking personal information about me so let me try to gain privileged access to the site..." No it wouldn't.
I went to the local Google Maps and typed in al qaeda, terrorist, criminal, shifty, greedy, etc... Every time it pointed to places in Kansas. I even typed in Osama Bin Laden and guess where it showed him at... You guessed it, Kansas!
See, all that money spent on intel work, and all we really need to do to track down all the badness in the world is use Google Maps.
Ah, I see, so by giving control over to the UN it will magically put in place all the hardware and software and correctly configure the web to never fail? Hopefully this statement was made to be a joke, because otherwise it doesn't make a bit of sense. I picture the web now as a 100,000 foot long giant slinky that someone has twisted into oblivion. I don't even know if the web can be fixed at this point...
Holy crap! Now whenever someone refers to me as a total geek I am gonna whip out a printout of these comments and totally redeem myself! J/k lol thanks for the info. I was never that heavy into D&D but there are other games I can probably describe way too intimately. Hell I remember not too long ago having an argument about Dark Elves with someone and I remember ppl were around us like WTF are they talking about???
It's a single player RPG that they crossed over from Xbox that basically starts you off as a little boy in a town. Your family gets killed and you go into Hero training. What you do in game affects not only how you look (grow horns for doing bad stuff, get muscular from fighting, get tattoos...) but it also affects how the environment around you acts. For example, I played and I went around killing and stealing from innocent villagers. Next thing you know people are groveling at my feet when I walk by them, plus I grew a cool set of devil horns and had bugs flying around my head, lol.
Ok, maybe I haven't played D&D in a long time, but is that a spaceship flying around in the second picture in the article??? They aren't allowed to put spaceships in D&D based games because, well, because I said so and that's that! Seriously, WTF is that thing with the blue ring on it that looks like it's flying?
"warm bodies are more annoying than you might think. people get hired JUST for the clearance." Yes, this is semi-true in that warm bodies can be annoying, but usually there is enough senior level experience to get the new folks spun up.
"you can't put the shitty technologies you (didnt learn) on your resume." I'm not sure what you mean by this. If you are talking about not being able to put systems (both COTS and GOTS) that you worked with on your resume then you are wrong. Typically the software and hardware you work with in these environments are not classified and allowed to be put on a resume (even the custom built GOTS solutions.)
"because you spent years working in that environment, you are now stuck for life." Also not true, as I know many ppl who have switched over from govt. to commercial with ease. You only get stuck (in commercial or govt.) if you don't have a willingness to go out and continue to learn about things that are not necessarily directly part of your current job. I personally like to move around within IT every few years to ensure I don't get "stuck."
"you have a thousand options open to you, but they are all working for a limited set of government customers in the 'same old environment' in a limited set of locations." Partially true once again. There are a lot of government agencies that you can be contracted out to, but I will agree that you often wind up rotating around between them... But let's say you worked as a contractor within the FBI. Well, there are FBI offices and contractor facilities working FBI projects all over the country. There really isn't a limited set of locations.
"if you maybe do work hard and come up with something cool, no one will know." Not true. Just because you work as, let's say, a software developer in a cleared position does not make the software you design classified... In most cases developers of new software or hardware can talk about what they have developed.
"yes the salaries are ridiculous, but theres a fucking dot-gov bust coming, you just can't see it." Big salaries and tons of jobs within this realm will be around a long time. Until the world population becomes an all-loving, all-hugging place there will be people needed to plan, develop, implement, test, operate, maintain and replace IT systems and software. It's just the way it is and the way it will be for a long time.
If they were giving an award out for phonetic metathesis then they would have to include GW Bush for the amount of time he has said "nucular" instead of nuclear.
From Wikipedia, Phonetic Metathesis, if interested:
asterix for asterisk
comfterble for comfortable
foilage for foliage
intregal for integral
julary for jewelry
nucular for nuclear
realator for realtor
revelant for relevant
Will It Come With Standard Accessories? (on "Video iPod Oct 12?", Score: -1, Flamebait)
Like a cracked screen and an internal battery that dies in under a year's time?
Maybe it's just me, but I don't see how it would be way easier to keep a list of good code and deny all else. So basically you create software that says only allow these programs to work. Then someone creates a worm that uses buffer overflow YYY against Windows version whatever to grab root. How did your list of good software stop this attack from occurring? The person is executing an attack, and having an application that says your software or code is good wouldn't do any good in my opinion.
Firstly, let me just say I thought this was going to be an initiative to create a working group to assist in identifying threats quicker, but as I RTFA I find out all this really is, is just a control gate for naming malcode.
Now, that being said, I 100% agree that we need a methodology in place to ensure that malcode names follow a fixed format. There have been too many times that we have had to research viruses, and it is annoying as all hell to see a worm as Variant B on one site and Variant C on another. It adds to the confusion during an outbreak, which in turn usually costs more research and fix time... But saying that, I do not like the naming format because it doesn't clearly identify similar variants... On the site it shows an example of two variants of Zotob. One is CME-164 and one is CME-243. For tracking purposes I would much rather see something along the lines of Zotob-A being named CME-164A and Zotob-B being CME-164B. Or better yet, as numbers don't stick in your head as well as words IMO, stick to names like Zotob but ensure the major AV vendors follow the CMEI variant guidance...
Re:Waste of time and source of FUD for Microsoft (on "Dell Offering "Open" PC", Score: 3, Insightful)
While I agree for the most part this isn't much of a savings and the average home user probably won't bite on this, there was one point in the article that is a truth, and that is companies who use Dell will often have their own software licensing and baseline, which means they wind up removing the OS that comes with the box. But a couple posts down someone mentions the cost savings between a naked OS and one with Windows, and the savings are really not much. Additionally, I wouldn't be surprised if Dell already caters to companies who make large purchases from them to give them "open" boxes... All-in-all this doesn't seem like that big of a deal to me.
Ok, I read that and the first image that popped into my mind was Johnny 5 wearing black pants and a white button-down shirt knocking on people's doors at 7AM in the morning to pass on the word... Now that would be scary, especially when he points his shoulder-mounted laser beam at you!
Screw making these little robots that point at something. I'm waiting to see when we develop our first Evangelion, damn it!!! Let's see what a sniper can do against a giant killer robot with a huge vibrating knife thingy!
Here is what you do. You graduate as a computer or electrical engineering student. You move to Northern VA. You contact a big defense contractor like Lockheed or Northrop. You get them to hire you contingent upon you getting a clearance. You work on project X when you get your clearance. You now hate your job, but guess what, you have a clearance, so you can basically be a warm body to fill a slot and have about a thousand options open to you. (Btw, I hate the warm body slot filling thing, but god do I see it all the time!)
I wonder if he will finger through his Rolodex and use all of the hobbit extras to play the little freakish alien guys that run away from you on easy...
I have to wonder if they do erase them. I mean, most ppl just keep the key or toss it after they check out. And because it's a simple magnetic strip, the data will be resident on it unless someone physically demagnetizes it or degausses it.
I still don't even know why we do the signature thing in the US anymore, as no one ever checks it really. (I know some ppl look at the back of the card, but how often do you really see someone verify that the signature matches?) Instead of moving directly to RFID, why don't we do what the UK does, and instead of a signature we require the buyer to enter a PIN whenever they want to use their card? Seems to be a very simple concept that would make it much more difficult for the common crooks to use stolen CCs.
You will probably have to register your patents through Microsoft!
And this whole time I thought the Burning Man Festival was a tribute to Great White's Rhode Island performance!